dhcpcd: fix more permissions errors (#351225)

rnhmjoj · web-flow · commit 9a415c28ae33 · 2024-10-26T02:00:23.000+02:00
diff --git a/nixos/modules/config/resolvconf.nix b/nixos/modules/config/resolvconf.nix
@@ -161,9 +161,12 @@ in
 
         script = ''
           ${lib.getExe cfg.package} -u
-          files=(/run/resolvconf ${lib.escapeShellArgs cfg.subscriberFiles})
-          chgrp -R resolvconf "''${files[@]}"
-          chmod -R g=u "''${files[@]}"
+          chgrp resolvconf ${lib.escapeShellArgs cfg.subscriberFiles}
+          chmod g=u ${lib.escapeShellArgs cfg.subscriberFiles}
+          ${lib.getExe' pkgs.acl "setfacl"} -R \
+            -m group:resolvconf:rwx \
+            -m default:group:resolvconf:rwx \
+            /run/resolvconf
         '';
       };
 
diff --git a/nixos/modules/services/networking/dhcpcd.nix b/nixos/modules/services/networking/dhcpcd.nix
@@ -249,7 +249,7 @@ in
             ExecReload = "${dhcpcd}/sbin/dhcpcd --rebind";
             Restart = "always";
             AmbientCapabilities = [ "CAP_NET_ADMIN" "CAP_NET_RAW" "CAP_NET_BIND_SERVICE" ];
-            ReadWritePaths = [ "/proc/sys/net/ipv6" ]
+            ReadWritePaths = [ "/proc/sys/net/ipv4" "/proc/sys/net/ipv6" ]
               ++ lib.optionals useResolvConf ([ "/run/resolvconf" ] ++ config.networking.resolvconf.subscriberFiles);
             DeviceAllow = "";
             LockPersonality = true;
