pyrox.dev / nixpkgs
lol
fork atom

nixos/dhcpcd: add option to allow setuid binaries

The promise in the networking.dhcpcd.runHook description was broken by
further restrictions added in 21bb7ea9.

rnhmjoj 66db09eb 54a69497

options
unified split
Changed files
+24 -12
nixos
modules
services
networking
dhcpcd.nix
+24 -12
nixos/modules/services/networking/dhcpcd.nix 
···

       
202

       
202

       
 

       
      '';


     

       
203

       
203

       
 

       
    };


     

       
204

       
204

       
 

       



     

       

       
205

       
+

       
    networking.dhcpcd.allowSetuid = lib.mkOption {


     

       

       
206

       
+

       
      type = lib.types.bool;


     

       

       
207

       
+

       
      default = false;


     

       

       
208

       
+

       
      description = ''


     

       

       
209

       
+

       
        Whether to relax the security sandbox to allow running setuid


     

       

       
210

       
+

       
        binaries (e.g. `sudo`) in the dhcpcd hooks.


     

       

       
211

       
+

       
      '';


     

       

       
212

       
+

       
    };


     

       

       
213

       
+

       



     

       
205

       
214

       
 

       
    networking.dhcpcd.runHook = lib.mkOption {


     

       
206

       
215

       
 

       
      type = lib.types.lines;


     

       
207

       
216

       
 

       
      default = "";


     
···

       
213

       
222

       
 

       
        ::: {.note}


     

       
214

       
223

       
 

       
        To use sudo or similar tools in your script you may have to set:


     

       
215

       
224

       
 

       



     

       
216

       

       
-

       
            systemd.services.dhcpcd.serviceConfig.NoNewPrivileges = false;


     

       

       
225

       
+

       
            networking.dhcpcd.allowSetuid = true;


     

       
217

       
226

       
 

       



     

       
218

       
227

       
 

       
        In addition, as most of the filesystem is inaccessible to dhcpcd


     

       
219

       
228

       
 

       
        by default, you may want to define some exceptions, e.g.


     
···

       
321

       
330

       
 

       
            "CAP_NET_RAW"


     

       
322

       
331

       
 

       
            "CAP_NET_BIND_SERVICE"


     

       
323

       
332

       
 

       
          ];


     

       
324

       

       
-

       
          CapabilityBoundingSet = [


     

       

       
333

       
+

       
          CapabilityBoundingSet = lib.optionals (!cfg.allowSetuid) [


     

       
325

       
334

       
 

       
            "CAP_NET_ADMIN"


     

       
326

       
335

       
 

       
            "CAP_NET_RAW"


     

       
327

       
336

       
 

       
            "CAP_NET_BIND_SERVICE"


     
···

       
335

       
344

       
 

       
          DeviceAllow = "";


     

       
336

       
345

       
 

       
          LockPersonality = true;


     

       
337

       
346

       
 

       
          MemoryDenyWriteExecute = true;


     

       
338

       

       
-

       
          NoNewPrivileges = lib.mkDefault true; # may be disabled for sudo in runHook


     

       

       
347

       
+

       
          NoNewPrivileges = lib.mkDefault (!cfg.allowSetuid); # may be disabled for sudo in runHook


     

       
339

       
348

       
 

       
          PrivateDevices = true;


     

       
340

       
349

       
 

       
          PrivateMounts = true;


     

       
341

       
350

       
 

       
          PrivateTmp = true;


     
···

       
360

       
369

       
 

       
          RestrictNamespaces = true;


     

       
361

       
370

       
 

       
          RestrictRealtime = true;


     

       
362

       
371

       
 

       
          RestrictSUIDSGID = true;


     

       
363

       

       
-

       
          SystemCallFilter = [


     

       
364

       

       
-

       
            "@system-service"


     

       
365

       

       
-

       
            "~@aio"


     

       
366

       

       
-

       
            "~@keyring"


     

       
367

       

       
-

       
            "~@memlock"


     

       
368

       

       
-

       
            "~@mount"


     

       
369

       

       
-

       
            "~@privileged"


     

       
370

       

       
-

       
            "~@resources"


     

       
371

       

       
-

       
          ];


     

       

       
372

       
+

       
          SystemCallFilter =


     

       

       
373

       
+

       
            [


     

       

       
374

       
+

       
              "@system-service"


     

       

       
375

       
+

       
              "~@aio"


     

       

       
376

       
+

       
              "~@keyring"


     

       

       
377

       
+

       
              "~@memlock"


     

       

       
378

       
+

       
              "~@mount"


     

       

       
379

       
+

       
            ]


     

       

       
380

       
+

       
            ++ lib.optionals (!cfg.allowSetuid) [


     

       

       
381

       
+

       
              "~@privileged"


     

       

       
382

       
+

       
              "~@resources"


     

       

       
383

       
+

       
            ];


     

       
372

       
384

       
 

       
          SystemCallArchitectures = "native";


     

       
373

       
385

       
 

       
          UMask = "0027";


     

       
374

       
386

       
 

       
        };