From 3c63da7cf87473423a8138a82fbec59b9684d1c6 Mon Sep 17 00:00:00 2001 From: Luflosi Date: Wed, 23 Feb 2022 21:57:05 +0100 Subject: [PATCH] nixos/tor: allow tor to read resolv.conf when using resolved When `services.resolved.enable` is set to true, the file /etc/resolv.conf becomes a symlink to /etc/static/resolv.conf, which is a symlink to /run/systemd/resolve/stub-resolv.conf. Without this commit, tor does not have access to this file thanks to systemd confinement. This results in the following warning when tor starts: ``` [warn] Unable to stat resolver configuration in '/etc/resolv.conf': No such file or directory [warn] Could not read your DNS config from '/etc/resolv.conf' - please investigate your DNS configuration. This is possibly a problem. Meanwhile, falling back to local DNS at 127.0.0.1. ``` To fix this, simply allow read-only access to the file when resolved is in use. According to https://github.com/NixOS/nixpkgs/pull/161818#discussion_r824820462, the symlink may also point to /run/systemd/resolve/resolv.conf, so allow that as well. --- nixos/modules/services/security/tor.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix index 3bf70c4aa4fc..ddd216ca7fd0 100644 --- a/nixos/modules/services/security/tor.nix +++ b/nixos/modules/services/security/tor.nix @@ -1008,7 +1008,11 @@ in #InaccessiblePaths = [ "-+${runDir}/root" ]; UMask = "0066"; BindPaths = [ stateDir ]; - BindReadOnlyPaths = [ storeDir "/etc" ]; + BindReadOnlyPaths = [ storeDir "/etc" ] ++ + optionals config.services.resolved.enable [ + "/run/systemd/resolve/stub-resolv.conf" + "/run/systemd/resolve/resolv.conf" + ]; AmbientCapabilities = [""] ++ lib.optional bindsPrivilegedPort "CAP_NET_BIND_SERVICE"; CapabilityBoundingSet = [""] ++ lib.optional bindsPrivilegedPort "CAP_NET_BIND_SERVICE"; # ProtectClock= adds DeviceAllow=char-rtc r