
dhcpcd: enable sandboxing options #208780

Merged
flokli merged 1 commit into NixOS:master from Izorkin:update-dhcpcd-hardening on Oct 8, 2024

Conversation

@Izorkin (Contributor) commented Jan 2, 2023

Description of changes

Enable sandboxing options.
Result:

systemd-analyze security dhcpcd
...
→ Overall exposure level for dhcpcd.service: 2.9 OK 🙂

cc @SuperSandro2000

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested, as applicable:
    • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
    • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 23.05 Release Notes (or backporting 22.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
    • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
  • Fits CONTRIBUTING.md.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation 8.has: module (update) This PR changes an existing module in `nixos/` labels Jan 2, 2023
@ofborg ofborg bot added 10.rebuild-darwin: 1-10 This PR causes between 1 and 10 packages to rebuild on Darwin. 10.rebuild-darwin: 1 This PR causes 1 package to rebuild on Darwin. 10.rebuild-linux: 1-10 This PR causes between 1 and 10 packages to rebuild on Linux. labels Jan 2, 2023
@Izorkin Izorkin force-pushed the update-dhcpcd-hardening branch 3 times, most recently from 9bc13c3 to a594e3f on January 2, 2023 21:41
@Izorkin Izorkin force-pushed the update-dhcpcd-hardening branch from a594e3f to f8b7eee on January 3, 2023 04:36
@github-actions github-actions bot removed 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation labels Jan 3, 2023
@fpletz (Member) previously requested changes, Jan 6, 2023

This might break the setup of people using networking.dhcpcd.runHook. I don't think we should go ahead with this without at least an entry in the release notes and an option to disable hardening.

@Izorkin Izorkin force-pushed the update-dhcpcd-hardening branch from f8b7eee to 3c36fdc on January 6, 2023 16:58
@github-actions github-actions bot added 8.has: changelog This PR adds or changes release notes 8.has: documentation This PR adds or changes documentation labels Jan 6, 2023
@Izorkin Izorkin force-pushed the update-dhcpcd-hardening branch from 3c36fdc to 467708b on January 6, 2023 17:01
@Izorkin (Contributor, Author) commented Jan 6, 2023

> This might break the setup of people using networking.dhcpcd.runHook. I don't think we should go ahead with this without at least an entry in the release notes and an option to disable hardening.

Updated PR.
Now when using networking.dhcpcd.runHook these settings are not applied.
Added release notes.

@Izorkin Izorkin force-pushed the update-dhcpcd-hardening branch from 467708b to 1201af8 on January 23, 2023 23:37
@Izorkin (Contributor, Author) commented Jan 23, 2023

Resolving conflicts.

@Izorkin Izorkin force-pushed the update-dhcpcd-hardening branch from 1201af8 to 740978b on February 9, 2023 11:50
@Izorkin (Contributor, Author) commented Feb 9, 2023

Rebased PR.

@Izorkin Izorkin force-pushed the update-dhcpcd-hardening branch from 740978b to 22ab6e8 on February 11, 2023 16:12
@Izorkin (Contributor, Author) commented Feb 11, 2023

Resolved conflicts.

@Izorkin Izorkin force-pushed the update-dhcpcd-hardening branch from 9e46a1b to b02af89 on February 16, 2024 07:19
@Izorkin Izorkin requested review from SuperSandro2000, blitz and fpletz and removed request for blitz and fpletz February 16, 2024 07:19
@SuperSandro2000 (Member)

I am no longer using dhcpcd

@Izorkin Izorkin force-pushed the update-dhcpcd-hardening branch from b02af89 to af89055 on February 27, 2024 22:06
@blitz blitz removed their request for review March 19, 2024 09:26
@Izorkin Izorkin force-pushed the update-dhcpcd-hardening branch from af89055 to 7c60587 on May 8, 2024 12:13
@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label May 22, 2024
@Izorkin Izorkin force-pushed the update-dhcpcd-hardening branch from 7c60587 to 611b1d5 on October 6, 2024 20:48
@Izorkin (Contributor, Author) commented Oct 6, 2024

Rebased PR.
What is needed to get this PR merged?

@ofborg ofborg bot removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Oct 6, 2024
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-already-reviewed/2617/2020

@Izorkin Izorkin requested review from Ma27 and mweinelt October 8, 2024 05:05
@flokli (Member) commented Oct 8, 2024

From #208780 (review), slightly highlighted:

> This might break the setup of people using networking.dhcpcd.runHook. I don't think we should go ahead with this without at least an entry in the release notes and an option to disable hardening.

This is still missing said option, as well as a mention of it in the release notes.

@Izorkin (Contributor, Author) commented Oct 8, 2024

> This is still missing said option, as well as a mention of it in the release notes.

Doesn't this line disable sandbox mode?

          } // lib.optionalAttrs (cfg.runHook == "") {
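As an added illustration of the pattern the quoted line relies on (this is not the merged nixpkgs code and not Izorkin's diff as submitted), the fragment below shows how a NixOS module gates a block of systemd sandboxing settings on `networking.dhcpcd.runHook` being empty, using `lib.optionalAttrs`. The option names are real systemd unit settings, but the particular set listed here is an assumption chosen for the example; the list actually enabled for dhcpcd is in the merged commit, and the `cfg` binding and the `lib.mkIf cfg.enable` wrapper are the usual module conventions rather than anything copied from the page.

```nix
# Added example (not the nixpkgs module itself): conditionally apply
# systemd sandboxing to dhcpcd.service only when no user hook script is
# configured. A runHook is arbitrary shell run by dhcpcd, so it may need
# paths, capabilities or syscalls that the restrictions below would deny;
# skipping them in that case is what keeps existing hook setups working.
{ config, lib, ... }:

let
  cfg = config.networking.dhcpcd;
in
{
  config = lib.mkIf cfg.enable {
    systemd.services.dhcpcd.serviceConfig = {
      # Unconditional settings would go here. The real module defines
      # ExecStart, Type and friends; none are repeated in this example.
    } // lib.optionalAttrs (cfg.runHook == "") {
      # Assumed hardening set for illustration. Every entry must be
      # validated against what the daemon really does (lease directory,
      # resolv.conf handling, privilege separation) before shipping.
      NoNewPrivileges = true;
      ProtectSystem = "full";
      ProtectHome = true;
      PrivateTmp = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictNamespaces = true;
      RestrictRealtime = true;
      LockPersonality = true;
      MemoryDenyWriteExecute = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = [ "@system-service" ];
      # A DHCP client needs raw and packet sockets plus netlink to
      # configure addresses and routes; everything else is denied.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" "AF_PACKET" ];
      # Network capabilities for the daemon, plus setuid/setgid so its
      # privilege-separated helper can drop to an unprivileged user.
      CapabilityBoundingSet = [
        "CAP_NET_ADMIN"
        "CAP_NET_BIND_SERVICE"
        "CAP_NET_RAW"
        "CAP_SETUID"
        "CAP_SETGID"
      ];
    };
  };
}
```

After a rebuild, `systemd-analyze security dhcpcd.service` reports the resulting exposure score (the PR description shows 2.9 for the merged set), and `journalctl -u dhcpcd` is where an over-tight setting shows up as EPERM or EACCES failures; if a hook is later added via `networking.dhcpcd.runHook`, the whole block is dropped and the score goes back up, which is the trade-off the reviewers discuss above.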

@flokli (Member) commented Oct 8, 2024

Ah, now I understand, you don't apply sandboxing at all if there's a hook present.

@flokli (Member) commented Oct 8, 2024

I still hope we can get rid of scripted networking altogether, but today is not that day, so sure, let's add the sandboxing. Thanks for the PR!

@flokli flokli merged commit 146e83d into NixOS:master Oct 8, 2024
@Izorkin Izorkin deleted the update-dhcpcd-hardening branch October 8, 2024 10:09
@Izorkin (Contributor, Author) commented Oct 8, 2024

Thanks!

@vcunat (Member) commented Oct 8, 2024

FYI, this clashes with #336988
(right now in merge from master to staging-next)

@Izorkin (Contributor, Author) commented Oct 8, 2024

Sorry, I didn't know about the other PR :(

rnhmjoj added a commit to rnhmjoj/nixpkgs that referenced this pull request Oct 9, 2024
Fix up the merge of the two dhcpcd hardening PRs (NixOS#336988 and NixOS#208780)