dhcpcd: disable privsep by default

rnhmjoj · rnhmjoj · commit a432668acf9d · 2024-09-16T01:23:54.000+02:00
The priviledge separation mode has several downsides:

  - it's incompatible with alternative memory allocators, including
    graphene-hardened;

  - it needs an unreleased patch to fix a crash;

  - it results in none less than 6 subprocesses running at any time,
    increasing the memory usage;

  - the privileged process (albeit not doing any networking related
    tasks) is still running as root, so it has complete access to the
    system.

Let's disable this by default and instead run dhcpcd as an unpriviledge
user with only the necessary capabilities.
diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix
@@ -206,22 +206,6 @@ in
 
   config = lib.mkIf enableDHCP {
 
-    assertions = [ {
-      # dhcpcd doesn't start properly with malloc ∉ [ libc scudo ]
-      # see https://github.com/NixOS/nixpkgs/issues/151696
-      assertion =
-        dhcpcd.enablePrivSep
-          -> lib.elem config.environment.memoryAllocator.provider [ "libc" "scudo" ];
-      message = ''
-        dhcpcd with privilege separation is incompatible with chosen system malloc.
-          Currently only the `libc` and `scudo` allocators are known to work.
-          To disable dhcpcd's privilege separation, overlay Nixpkgs and override dhcpcd
-          to set `enablePrivSep = false`.
-      '';
-    } ];
-
-    environment.etc."dhcpcd.conf".source = dhcpcdConf;
-
     systemd.services.dhcpcd = let
       cfgN = config.networking;
       hasDefaultGatewaySet = (cfgN.defaultGateway != null && cfgN.defaultGateway.address != "")
diff --git a/nixos/tests/chrony.nix b/nixos/tests/chrony.nix
@@ -13,8 +13,6 @@ import ./make-test-python.nix ({ lib, ... }:
       specialisation.hardened.configuration = {
         services.chrony.enableMemoryLocking = true;
         environment.memoryAllocator.provider = "graphene-hardened";
-        # dhcpcd privsep is incompatible with graphene-hardened
-        networking.useNetworkd = true;
       };
     };
   };
diff --git a/nixos/tests/hardened.nix b/nixos/tests/hardened.nix
@@ -11,11 +11,6 @@ import ./make-test-python.nix ({ pkgs, ... } : {
       imports = [ ../modules/profiles/hardened.nix ];
       environment.memoryAllocator.provider = "graphene-hardened";
       nix.settings.sandbox = false;
-      nixpkgs.overlays = [
-        (final: super: {
-          dhcpcd = super.dhcpcd.override { enablePrivSep = false; };
-        })
-      ];
       virtualisation.emptyDiskImages = [ 4096 ];
       boot.initrd.postDeviceCommands = ''
         ${pkgs.dosfstools}/bin/mkfs.vfat -n EFISYS /dev/vdb
diff --git a/pkgs/tools/networking/dhcpcd/default.nix b/pkgs/tools/networking/dhcpcd/default.nix
@@ -7,7 +7,6 @@
 , runtimeShellPackage
 , runtimeShell
 , nixosTests
-, enablePrivSep ? true
 }:
 
 stdenv.mkDerivation rec {
@@ -38,17 +37,8 @@ stdenv.mkDerivation rec {
   configureFlags = [
     "--sysconfdir=/etc"
     "--localstatedir=/var"
-  ]
-  ++ (
-    if ! enablePrivSep
-    then [ "--disable-privsep" ]
-    else [
-      "--enable-privsep"
-      # dhcpcd disables privsep if it can't find the default user,
-      # so we explicitly specify a user.
-      "--privsepuser=dhcpcd"
-    ]
-  );
+    "--disable-privsep"
+  ];
 
   makeFlags = [ "PREFIX=${placeholder "out"}" ];
 
@@ -59,9 +49,8 @@ stdenv.mkDerivation rec {
   # Check that the udev plugin got built.
   postInstall = lib.optionalString (udev != null && stdenv.isLinux) "[ -e ${placeholder "out"}/lib/dhcpcd/dev/udev.so ]";
 
-  passthru = {
-    inherit enablePrivSep;
-    tests = { inherit (nixosTests.networking.scripted) macvlan dhcpSimple dhcpOneIf; };
+  passthru.tests = {
+    inherit (nixosTests.networking.scripted) macvlan dhcpSimple dhcpOneIf;
   };
 
   meta = with lib; {
