nixpkgs/pkgs/tools/networking/dhcpcd/default.nix
pennae 8072ee22f2 dhcpcd, nixos/dhcpcd: enable privsep
dhdpcd 9 support privilege separation with a dedicated user and seccomp
filtering. this has been enabled for a while in other distributions as
well.

if the dhcpcd module is not used and the _dhcpcd user/group isn't
definied otherwise dhcpcd will fall back to not using privsep.
2021-11-30 19:51:45 +01:00

63 lines
1.6 KiB
Nix

{ lib
, stdenv
, fetchurl
, pkg-config
, udev
, runtimeShellPackage
, runtimeShell
, nixosTests
, enablePrivSep ? true
}:
stdenv.mkDerivation rec {
pname = "dhcpcd";
version = "9.4.1";
src = fetchurl {
url = "mirror://roy/${pname}/${pname}-${version}.tar.xz";
sha256 = "sha256-gZNXY07+0epc9E7AGyTT0/iFL+yLQkmSXcxWZ8VON2w=";
};
nativeBuildInputs = [ pkg-config ];
buildInputs = [
udev
runtimeShellPackage # So patchShebangs finds a bash suitable for the installed scripts
];
prePatch = ''
substituteInPlace hooks/dhcpcd-run-hooks.in --replace /bin/sh ${runtimeShell}
'';
preConfigure = "patchShebangs ./configure";
configureFlags = [
"--sysconfdir=/etc"
"--localstatedir=/var"
]
++ lib.optionals enablePrivSep [
"--enable-privsep"
# dhcpcd disables privsep if it can't find the default user,
# so we explicitly specify the default.
"--privsepuser=_dhcpcd"
];
makeFlags = [ "PREFIX=${placeholder "out"}" ];
# Hack to make installation succeed. dhcpcd will still use /var/db
# at runtime.
installFlags = [ "DBDIR=$(TMPDIR)/db" "SYSCONFDIR=${placeholder "out"}/etc" ];
# Check that the udev plugin got built.
postInstall = lib.optionalString (udev != null) "[ -e ${placeholder "out"}/lib/dhcpcd/dev/udev.so ]";
passthru.tests = { inherit (nixosTests.networking.scripted) macvlan dhcpSimple dhcpOneIf; };
meta = with lib; {
description = "A client for the Dynamic Host Configuration Protocol (DHCP)";
homepage = "https://roy.marples.name/projects/dhcpcd";
platforms = platforms.linux;
license = licenses.bsd2;
maintainers = with maintainers; [ eelco fpletz ];
};
}