dhcpcd: disable privsep by default

The priviledge separation mode has several downsides: - it's incompatible with alternative memory allocators, including graphene-hardened; - it needs an unreleased patch to fix a crash; - it results in none less than 6 subprocesses running at any time, increasing the memory usage; - the privileged process (albeit not doing any networking related tasks) is still running as root, so it has complete access to the system. Let's disable this by default and instead run dhcpcd as an unpriviledge user with only the necessary capabilities.
2023-12-24 23:58:43 +01:00 · 2023-12-24 23:58:43 +01:00 · a432668acf
commit a432668acf
parent 19a494135a
4 changed files with 4 additions and 38 deletions
--- a/nixos/modules/services/networking/dhcpcd.nix
+++ b/nixos/modules/services/networking/dhcpcd.nix
@ -206,22 +206,6 @@ in

  config = lib.mkIf enableDHCP {

-    assertions = [ {
-      # dhcpcd doesn't start properly with malloc ∉ [ libc scudo ]
-      # see https://github.com/NixOS/nixpkgs/issues/151696
-      assertion =
-        dhcpcd.enablePrivSep
-          -> lib.elem config.environment.memoryAllocator.provider [ "libc" "scudo" ];
-      message = ''
-        dhcpcd with privilege separation is incompatible with chosen system malloc.
-          Currently only the `libc` and `scudo` allocators are known to work.
-          To disable dhcpcd's privilege separation, overlay Nixpkgs and override dhcpcd
-          to set `enablePrivSep = false`.
-      '';
-    } ];
-
-    environment.etc."dhcpcd.conf".source = dhcpcdConf;
-
    systemd.services.dhcpcd = let
      cfgN = config.networking;
      hasDefaultGatewaySet = (cfgN.defaultGateway != null && cfgN.defaultGateway.address != "")
--- a/nixos/tests/chrony.nix
+++ b/nixos/tests/chrony.nix
@ -13,8 +13,6 @@ import ./make-test-python.nix ({ lib, ... }:
      specialisation.hardened.configuration = {
        services.chrony.enableMemoryLocking = true;
        environment.memoryAllocator.provider = "graphene-hardened";
-        # dhcpcd privsep is incompatible with graphene-hardened
-        networking.useNetworkd = true;
      };
    };
  };
--- a/nixos/tests/hardened.nix
+++ b/nixos/tests/hardened.nix
@ -11,11 +11,6 @@ import ./make-test-python.nix ({ pkgs, ... } : {
      imports = [ ../modules/profiles/hardened.nix ];
      environment.memoryAllocator.provider = "graphene-hardened";
      nix.settings.sandbox = false;
-      nixpkgs.overlays = [
-        (final: super: {
-          dhcpcd = super.dhcpcd.override { enablePrivSep = false; };
-        })
-      ];
      virtualisation.emptyDiskImages = [ 4096 ];
      boot.initrd.postDeviceCommands = ''
        ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
--- a/pkgs/tools/networking/dhcpcd/default.nix
+++ b/pkgs/tools/networking/dhcpcd/default.nix
@ -7,7 +7,6 @@
 , runtimeShellPackage
 , runtimeShell
 , nixosTests
-, enablePrivSep ? true
 }:

 stdenv.mkDerivation rec {
@ -38,17 +37,8 @@ stdenv.mkDerivation rec {
  configureFlags = [
    "--sysconfdir=/etc"
    "--localstatedir=/var"
-  ]
-  ++ (
-    if ! enablePrivSep
-    then [ "--disable-privsep" ]
-    else [
-      "--enable-privsep"
-      # dhcpcd disables privsep if it can't find the default user,
-      # so we explicitly specify a user.
-      "--privsepuser=dhcpcd"
-    ]
-  );
+    "--disable-privsep"
+  ];

  makeFlags = [ "PREFIX=${placeholder "out"}" ];

@ -59,9 +49,8 @@ stdenv.mkDerivation rec {
  # Check that the udev plugin got built.
  postInstall = lib.optionalString (udev != null && stdenv.isLinux) "[ -e ${placeholder "out"}/lib/dhcpcd/dev/udev.so ]";

-  passthru = {
-    inherit enablePrivSep;
-    tests = { inherit (nixosTests.networking.scripted) macvlan dhcpSimple dhcpOneIf; };
+  passthru.tests = {
+    inherit (nixosTests.networking.scripted) macvlan dhcpSimple dhcpOneIf;
  };

  meta = with lib; {