Unverified Commit a432668a authored by rnhmjoj's avatar rnhmjoj

dhcpcd: disable privsep by default

The priviledge separation mode has several downsides:

  - it's incompatible with alternative memory allocators, including
    graphene-hardened;

  - it needs an unreleased patch to fix a crash;

  - it results in none less than 6 subprocesses running at any time,
    increasing the memory usage;

  - the privileged process (albeit not doing any networking related
    tasks) is still running as root, so it has complete access to the
    system.

Let's disable this by default and instead run dhcpcd as an unprivileged
user with only the necessary capabilities.
parent 19a49413
+0 −16
@@ -206,22 +206,6 @@ in

  config = lib.mkIf enableDHCP {

    assertions = [ {
      # dhcpcd doesn't start properly with malloc ∉ [ libc scudo ]
      # see https://github.com/NixOS/nixpkgs/issues/151696
      assertion =
        dhcpcd.enablePrivSep
          -> lib.elem config.environment.memoryAllocator.provider [ "libc" "scudo" ];
      message = ''
        dhcpcd with privilege separation is incompatible with chosen system malloc.
          Currently only the `libc` and `scudo` allocators are known to work.
          To disable dhcpcd's privilege separation, overlay Nixpkgs and override dhcpcd
          to set `enablePrivSep = false`.
      '';
    } ];

    environment.etc."dhcpcd.conf".source = dhcpcdConf;

    systemd.services.dhcpcd = let
      cfgN = config.networking;
      hasDefaultGatewaySet = (cfgN.defaultGateway != null && cfgN.defaultGateway.address != "")
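Review bot: Nothing in this hunk adds the `User=`, `CapabilityBoundingSet=` or `AmbientCapabilities=` settings the commit message promises; the only change is deleting the allocator assertion, while `systemd.services.dhcpcd`, whose definition starts at the bottom of the hunk and continues outside it, is untouched. As far as this page shows, a system built from this commit therefore runs dhcpcd with privsep disabled and the whole daemon as root, which is less isolation than either the old default or the old opt-out path. If the unprivileged-user change lives in a separate commit it should land before or together with this one, and the description should say so; otherwise the assertion should stay until that hardening exists. A release-notes entry is also warranted, since the removed message told users to work around the allocator problem with an overlay that this same commit makes invalid.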
+0 −2
@@ -13,8 +13,6 @@ import ./make-test-python.nix ({ lib, ... }:
      specialisation.hardened.configuration = {
        services.chrony.enableMemoryLocking = true;
        environment.memoryAllocator.provider = "graphene-hardened";
        # dhcpcd privsep is incompatible with graphene-hardened
        networking.useNetworkd = true;
      };
    };
  };
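--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@@ -11,11 +11,6 @@ import ./make-test-python.nix ({ pkgs, ... } : {
       imports = [ ../modules/profiles/hardened.nix ];
       environment.memoryAllocator.provider = "graphene-hardened";
       nix.settings.sandbox = false;
-      nixpkgs.overlays = [
-        (final: super: {
-          dhcpcd = super.dhcpcd.override { enablePrivSep = false; };
-        })
-      ];
       virtualisation.emptyDiskImages = [ 4096 ];
       boot.initrd.postDeviceCommands = ''
         ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb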
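--- a/pkgs/tools/networking/dhcpcd/default.nix
+++ b/pkgs/tools/networking/dhcpcd/default.nix
@@ -7,7 +7,6 @@
 , runtimeShellPackage
 , runtimeShell
 , nixosTests
-, enablePrivSep ? true
 }:
 
 stdenv.mkDerivation rec {
@@ -38,17 +37,8 @@ stdenv.mkDerivation rec {
   configureFlags = [
     "--sysconfdir=/etc"
     "--localstatedir=/var"
-  ]
-  ++ (
-    if ! enablePrivSep
-    then [ "--disable-privsep" ]
-    else [
-      "--enable-privsep"
-      # dhcpcd disables privsep if it can't find the default user,
-      # so we explicitly specify a user.
-      "--privsepuser=dhcpcd"
-    ]
-  );
+    "--disable-privsep"
   ];
 
   makeFlags = [ "PREFIX=${placeholder "out"}" ];
 
@@ -59,9 +49,8 @@ stdenv.mkDerivation rec {
   # Check that the udev plugin got built.
   postInstall = lib.optionalString (udev != null && stdenv.isLinux) "[ -e ${placeholder "out"}/lib/dhcpcd/dev/udev.so ]";
 
-  passthru = {
-    inherit enablePrivSep;
-    tests = { inherit (nixosTests.networking.scripted) macvlan dhcpSimple dhcpOneIf; };
+  passthru.tests = {
+    inherit (nixosTests.networking.scripted) macvlan dhcpSimple dhcpOneIf;
   };
 
   meta = with lib; {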
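Review bot: Dropping `enablePrivSep` from the argument set while the pattern stays closed (`}:` with no `...`) turns every existing `dhcpcd.override { enablePrivSep = false; }` — the exact workaround the NixOS assertion deleted in this same commit told users to put in an overlay — into an evaluation error about an unexpected argument. Keeping a deprecated `enablePrivSep ? false` parameter for one release, with a `lib.warn` when it is set to anything, or at least a release-notes entry, would avoid breaking those configurations. The new `"--disable-privsep"` entry in `configureFlags` has also lost the explanatory comment the old branch carried; a one-liner such as `# privsep is off: it breaks with hardened allocators and its helper still runs as root (NixOS/nixpkgs#151696)` would record the reasoning from the commit message where the next maintainer will look for it.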