dhcpcd: enable sandboxing options

[Izorkin]

Description of changes

Enable sandboxing options.
Result:

systemd-analyze security dhcpcd
...
→ Overall exposure level for dhcpcd.service: 2.9 OK 🙂

cc @SuperSandro2000

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 23.05 Release Notes (or backporting 22.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[fpletz]

This might break the setup of people using networking.dhcpcd.runHook. I don't think we should go ahead with this without at least an entry in the release notes and an option to disable hardening.

[Izorkin]

This might break the setup of people using networking.dhcpcd.runHook. I don't think we should go ahead with this without at least an entry in the release notes and an option to disable hardening.

Updated PR.
Now when using networking.dhcpcd.runHook these settings are not applied.
Added relese-notes.

[Izorkin]

Resolving conflicts.

[Izorkin]

Rebased PR.

[Izorkin]

Resolved conflicts.

[Izorkin]

Small update and rebase PR.

[SuperSandro2000]

I didn't test this on my machine but if the author tested it fine for me

[SuperSandro2000]

I am no longer using dhcpcd

[Izorkin]

Rebased PR.
What is needed to get this PR merged?

[nixos-discourse]

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-already-reviewed/2617/2020

[flokli]

From #208780 (review), slightly highlighted:

This might break the setup of people using networking.dhcpcd.runHook. I don't think we should go ahead with this without at least an entry in the release notes and an option to disable hardening.

This is still missing said option, as well as a mention of it in the release notes.

[Izorkin]

This is still missing said option, as well as a mention of it in the release notes.

Doesn't this line disable sandbox mode?

          } // lib.optionalAttrs (cfg.runHook == "") {

[flokli]

Ah, now I understand, you don't apply sandboxing at all if there's a hook present.

addressed

[flokli]

I still hope we can get rid of scripted networking altogether, but today is not that day, so sure, let's add the sandboxing. Thanks for the PR!

[Izorkin]

Thanks!