tinc: chroot option

author: tg(x) <*@tg-x.net> 2016-02-10 17:29:36 +0100
committer: tg(x) <*@tg-x.net> 2016-02-10 17:29:36 +0100
commit: 5c19830b77c00f87fa67121dadeb16096a6d18e2 (patch)
tree: 830ffe06c3c39e9ef7b857321a6b64925ded9a8a /nixos/modules/services/networking/tinc.nix
parent: c76817291912904f3ed553366804488cf31169e4 (diff)
1 files changed, 11 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/tinc.nix b/nixos/modules/services/networking/tinc.nix
index a26b998b91554..9330e6c92ba8a 100644
--- a/nixos/modules/services/networking/tinc.nix
+++ b/nixos/modules/services/networking/tinc.nix
@@ -95,6 +95,16 @@ in
             '';
           };
 
+          chroot = mkOption {
+            default = true;
+            type = types.bool;
+            description = ''
+              Change process root directory to the directory where the config file is located (/etc/tinc/netname/), for added security.
+              The chroot is performed after all the initialization is done, after writing pid files and opening network sockets.
+
+              Note that tinc can't run scripts anymore (such as tinc-down or host-up), unless it is setup to be runnable inside chroot environment.
+            '';
+          };
         };
       };
     };
@@ -166,7 +176,7 @@ in
           fi
         '';
         script = ''
-          tincd -R -D -U tinc.${network} -n ${network} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}
+          tincd -D -U tinc.${network} -n ${network} ${optionalString (data.chroot) "-R"} --pidfile /run/tinc.${network}.pid -d ${toString data.debugLevel}
         '';
       })
     );
author	tg(x) <*@tg-x.net>	2016-02-10 17:29:36 +0100
committer	tg(x) <*@tg-x.net>	2016-02-10 17:29:36 +0100
commit	5c19830b77c00f87fa67121dadeb16096a6d18e2 (patch)
tree	830ffe06c3c39e9ef7b857321a6b64925ded9a8a /nixos/modules/services/networking/tinc.nix
parent	c76817291912904f3ed553366804488cf31169e4 (diff)