From 450733beb6a3de97d5d2f6e24c618bfd8dbe6124 Mon Sep 17 00:00:00 2001
From: dkwo
Date: Sat, 14 Jun 2025 19:41:58 -0400
Subject: [PATCH 1/3] dhcpcd: add unprivileged service

---
 srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run | 16 ++++++++++++++++
 srcpkgs/dhcpcd/template | 4 +++-
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run
diff --git a/srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run b/srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run
new file mode 100644
index 00000000000000..7ca1c5ba2b14ee
--- /dev/null
+++ b/srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run
@@ -0,0 +1,16 @@
+#!/bin/sh
+exec 2>&1
+[ -r conf ] && . ./conf
+
+# automigrate
+chown root:_dhcpcd /etc/dhcpcd.conf
+chmod 640 /etc/dhcpcd.conf
+
+! [ -d /run/dhcpcd ] && install -m 700 -g _dhcpcd -o _dhcpcd -d /run/dhcpcd
+chown -R _dhcpcd:_dhcpcd /run/dhcpcd
+
+exec setpriv --reuid _dhcpcd --regid _dhcpcd --clear-groups \
+ --ambient-caps -all,+net_admin,+net_raw,+net_bind_service \
+ --inh-caps -all,+net_admin,+net_raw,+net_bind_service \
+ --bounding-set -all,+net_admin,+net_raw,+net_bind_service \
+ --no-new-privs -- dhcpcd -B ${OPTS:=-M}
diff --git a/srcpkgs/dhcpcd/template b/srcpkgs/dhcpcd/template
index b558c7b6dc82dd..fc1be5d687cbc3 100644
--- a/srcpkgs/dhcpcd/template
+++ b/srcpkgs/dhcpcd/template
@@ -1,7 +1,7 @@
 # Template file for 'dhcpcd'
 pkgname=dhcpcd
 version=10.3.1
-revision=1
+revision=2
 build_style=configure
 make_check_target=test
 configure_args="
@@ -21,6 +21,7 @@ conf_files=/etc/dhcpcd.conf system_accounts="_dhcpcd" _dhcpcd_homedir="/var/db/dhcpcd" +make_dirs="/var/db/dhcpcd 0770 root _dhcpcd" build_options="privsep" desc_option_privsep="Enable privilege separation mode for the daemon"
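Review bot: In `dhcpcd-unprivileged/run`, `chown -R _dhcpcd:_dhcpcd /run/dhcpcd` runs as root on every start over a tree that the unprivileged daemon owns and can populate, so after a compromise of `_dhcpcd` the next restart has root acting on directory entries that account chose. GNU `chown -R` does not follow symlinks by default, which limits the exposure, but the safer form is to fix up only the directory itself, `chown -h _dhcpcd:_dhcpcd /run/dhcpcd`, and to clear stale root-owned files explicitly if migration from the root-run service is the goal. Ambient capabilities also survive `execve`, so hook scripts started by dhcpcd would presumably run with `net_admin` and `net_raw`; a comment above the `setpriv` call such as `# ambient caps are inherited by dhcpcd hooks` would record that. The setup commands are unchecked as well, so a failed `chown` or `install` still reaches `exec`.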
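Review bot: `make_dirs="/var/db/dhcpcd 0770 root _dhcpcd"` makes the state directory group-writable for `_dhcpcd`, while the root-run `dhcpcd` and `dhcpcd-eth0` services installed in `post_install` presumably keep using the same directory. If so, a compromised unprivileged daemon could alter lease or DUID state that a privileged instance later trusts, and with the `privsep` build option this account's home directory may also serve as the chroot, which is normally kept unwritable; both are worth confirming against upstream's privsep notes. A comment above the line, such as `# group-writable only for the dhcpcd-unprivileged service`, or a separate state directory for that service, would make the trade-off explicit.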
@@ -28,6 +29,7 @@ desc_option_privsep="Enable privilege separation mode for the daemon" post_install() { vsv dhcpcd vsv dhcpcd-eth0 + vsv dhcpcd-unprivileged # Enable controlgroup by default, to make dhcpcd-ui work. vsed -e 's,^#\(controlgroup.*\),\1,' -i ${DESTDIR}/etc/dhcpcd.conf
From 60e67b9efd64a202d8bd6f3eb15e5197f34ad6a4 Mon Sep 17 00:00:00 2001
From: dkwo
Date: Mon, 16 Feb 2026 11:21:05 -0500
Subject: [PATCH 2/3] dhcpcd: landlock unpriv service

---
 srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run b/srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run
index 7ca1c5ba2b14ee..60f2380a76a013 100644
--- a/srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run
+++ b/srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run
@@ -10,7 +10,16 @@ chmod 640 /etc/dhcpcd.conf
 chown -R _dhcpcd:_dhcpcd /run/dhcpcd

 exec setpriv --reuid _dhcpcd --regid _dhcpcd --clear-groups \
- --ambient-caps -all,+net_admin,+net_raw,+net_bind_service \
- --inh-caps -all,+net_admin,+net_raw,+net_bind_service \
+ --ambient-caps +net_admin,+net_raw,+net_bind_service \
+ --inh-caps +net_admin,+net_raw,+net_bind_service \
 --bounding-set -all,+net_admin,+net_raw,+net_bind_service \
+ --landlock-access fs \
+ --landlock-rule path-beneath:read-file:/proc/sys/net \
+ --landlock-rule path-beneath:read-file:/dev/null \
+ --landlock-rule path-beneath:read-file:/etc/group \
+ --landlock-rule path-beneath:read-file:/etc/dhcpcd.conf \
+ --landlock-rule path-beneath:read-file,execute:/usr/bin/dhcpcd \
+ --landlock-rule path-beneath:read-file,execute:/usr/lib \
+ --landlock-rule path-beneath:execute,write-file,read-file,read-dir,remove-dir,remove-file,make-char,make-dir,make-reg,make-sock,make-fifo,make-block,make-sym,refer,truncate:/run/dhcpcd \
+ --landlock-rule path-beneath:execute,write-file,read-file,read-dir,remove-dir,remove-file,make-char,make-dir,make-reg,make-sock,make-fifo,make-block,make-sym,refer,truncate:/var/db/dhcpcd \
 --no-new-privs -- dhcpcd -B ${OPTS:=-M}
From a7cbabbd13ce94c5b0b7126aa0b8719b6a882921 Mon Sep 17 00:00:00 2001
From: dkwo
Date: Mon, 16 Mar 2026 10:11:59 +0800
Subject: [PATCH 3/3] Revert "dhcpcd: landlock unpriv service"

This reverts commit 1fb9923de9f8ce5aef17c5776505c8483e3eaf2f.

---
 srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run b/srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run
index 60f2380a76a013..7ca1c5ba2b14ee 100644
--- a/srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run
+++ b/srcpkgs/dhcpcd/files/dhcpcd-unprivileged/run
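Review bot: The two writable rules for `/run/dhcpcd` and `/var/db/dhcpcd` grant almost every Landlock right, including `execute`, `make-char` and `make-block`, so the sandbox still lets the process create and run files in the very trees it can write. Trimming them to what a lease and socket directory needs, for example `path-beneath:read-file,read-dir,write-file,truncate,make-reg,make-sock,remove-file:/run/dhcpcd`, would keep write and execute apart; the exact set should be checked against a running daemon. The same hunk also drops `-all` from `--ambient-caps` and `--inh-caps`, which leaves any capabilities already in the caller's sets in place (still capped by `--bounding-set`), so keeping `-all,` is the more explicit form. The `exec setpriv` statement starts in the hunk's context lines.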
@@ -10,16 +10,7 @@ chmod 640 /etc/dhcpcd.conf
 chown -R _dhcpcd:_dhcpcd /run/dhcpcd

 exec setpriv --reuid _dhcpcd --regid _dhcpcd --clear-groups \
- --ambient-caps +net_admin,+net_raw,+net_bind_service \
- --inh-caps +net_admin,+net_raw,+net_bind_service \
+ --ambient-caps -all,+net_admin,+net_raw,+net_bind_service \
+ --inh-caps -all,+net_admin,+net_raw,+net_bind_service \
 --bounding-set -all,+net_admin,+net_raw,+net_bind_service \
- --landlock-access fs \
- --landlock-rule path-beneath:read-file:/proc/sys/net \
- --landlock-rule path-beneath:read-file:/dev/null \
- --landlock-rule path-beneath:read-file:/etc/group \
- --landlock-rule path-beneath:read-file:/etc/dhcpcd.conf \
- --landlock-rule path-beneath:read-file,execute:/usr/bin/dhcpcd \
- --landlock-rule path-beneath:read-file,execute:/usr/lib \
- --landlock-rule path-beneath:execute,write-file,read-file,read-dir,remove-dir,remove-file,make-char,make-dir,make-reg,make-sock,make-fifo,make-block,make-sym,refer,truncate:/run/dhcpcd \
- --landlock-rule path-beneath:execute,write-file,read-file,read-dir,remove-dir,remove-file,make-char,make-dir,make-reg,make-sock,make-fifo,make-block,make-sym,refer,truncate:/var/db/dhcpcd \
 --no-new-privs -- dhcpcd -B ${OPTS:=-M}
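Review bot: Nothing in the `setpriv` call or the commit message records why the filesystem confinement was removed, and the hash named in the message (`1fb9923…`) is not the hash of patch 2 in this series (`60e67b9…`), so the history cannot answer it either. A short comment above `exec setpriv` would keep that knowledge next to the code, e.g. `# Landlock rules removed: <reason>`; alternatively patches 2 and 3 could be squashed out of the series. As it stands the service is confined only by uid, capabilities and `--no-new-privs`.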