Unverified Commit 611b1d53 authored by Izorkin

dhcpcd: enable sandboxing options

parent fe3c6fe9
+2 −0
@@ -565,6 +565,8 @@

- `nixosTests` now provide a working IPv6 setup for VLAN 1 by default.

- `services.dhcpcd` is now started with additional systemd sandbox/hardening options for better security. When using `networking.dhcpcd.runHook` these settings are not applied.

- Kanidm can now be provisioned using the new [`services.kanidm.provision`] option, but requires using a patched version available via `pkgs.kanidm.withSecretProvisioning`.

- Kanidm previously had an incorrect systemd service type, causing dependent units with an `after` and `requires` directive to start before `kanidm*` finished startup. The module has now been updated in line with upstream recommendations.
+33 −0
@@ -251,6 +251,39 @@ in
            ExecStart = "@${dhcpcd}/sbin/dhcpcd dhcpcd --quiet ${lib.optionalString cfg.persistent "--persistent"} --config ${dhcpcdConf}";
            ExecReload = "${dhcpcd}/sbin/dhcpcd --rebind";
            Restart = "always";
          } // lib.optionalAttrs (cfg.runHook == "") {
            # Proc filesystem
            ProcSubset = "all";
            ProtectProc = "invisible";
            # Access write directories
            UMask = "0027";
            # Capabilities
            CapabilityBoundingSet = [ "CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW" "CAP_SETGID" "CAP_SETUID" "CAP_SYS_CHROOT" ];
            # Security
            NoNewPrivileges = true;
            # Sandboxing
            ProtectSystem = true;
            ProtectHome = true;
            PrivateTmp = true;
            PrivateDevices = true;
            PrivateUsers = false;
            ProtectHostname = true;
            ProtectClock = true;
            ProtectKernelTunables = false;
            ProtectKernelModules = true;
            ProtectKernelLogs = true;
            ProtectControlGroups = true;
            RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" "AF_PACKET" ];
            RestrictNamespaces = true;
            LockPersonality = true;
            MemoryDenyWriteExecute = true;
            RestrictRealtime = true;
            RestrictSUIDSGID = true;
            RemoveIPC = true;
            PrivateMounts = true;
            # System Call Filtering
            SystemCallArchitectures = "native";
            SystemCallFilter = [ "~@cpu-emulation @debug @keyring @mount @obsolete @privileged @resources" "chroot" "gettid" "setgroups" "setuid" ];
          };
      };
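Review bot: `setgid` stays inside the denied `@privileged` group of `SystemCallFilter` while `setgroups` and `setuid` are re-allowed and `CAP_SETGID` is kept in `CapabilityBoundingSet`; if dhcpcd's privilege drop calls setgid, as granting that capability suggests, the unit would be killed with SIGSYS under this filter, so either add `"setgid"` to the allow-back list or drop `CAP_SETGID` — whichever the service's NixOS test confirms. The two deliberately relaxed options also deserve a reason beside them, since every other entry is grouped only by category comment: on `ProtectKernelTunables = false` something like `# dhcpcd is assumed to write IPv6 sysctls under /proc/sys/net — confirm`, and on `PrivateUsers = false` `# capabilities granted above are only effective in the host user namespace`. The `lib.optionalAttrs (cfg.runHook == "")` guard would likewise benefit from a one-line comment stating that a user hook runs arbitrary commands whose needs the sandbox cannot anticipate, matching the release-notes entry. The enclosing `serviceConfig` attribute set begins outside the hunk.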