WIP: Implement Linux DNS support via systemd-resolved #2575
Open
jmariondev wants to merge 2 commits into zerotier:dev from
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Drop capabilities, close inherited file descriptors, and sanitize the environment before execing resolvectl. The ZeroTier daemon retains CAP_NET_ADMIN/CAP_NET_RAW as ambient capabilities after dropping root, which were being inherited by child processes unnecessarily. resolvectl only needs D-Bus access to systemd-resolved.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Author
I've added a second commit that focuses on subprocess security.
Implements LinuxEthernetTap::setDns. The allowDNS network flag now works on Linux, matching existing Windows and macOS behavior.

This partially addresses #2492, though has only been tested on Fedora 43. The polkit approach may need to be fixed for Debian/Ubuntu.

Approach

- LinuxDNSHelper class following the same pattern as WinDNSHelper and MacDNSHelper
- resolvectl dns <iface> <servers> and resolvectl domain <iface> ~<domain> to configure per-interface DNS routing via systemd-resolved, the recommended approach for VPN-like services
- ~ domain prefix configures a route-only domain (not a search domain), so queries matching that suffix are routed to the ZT DNS servers without polluting global resolution
- resolvectl revert <iface> in the destructor and when allowDNS is toggled off
- fork/exec matching the existing _routeCmd pattern in ManagedRoute.cpp

Non-systemd systems

Checks for /run/systemd/resolve/stub-resolv.conf before attempting any resolvectl calls. If systemd-resolved is not active, setDNS logs a warning pointing to #2492 and returns.

polkit rule

(This was developed for Fedora, I'm not sure of the Debian/Ubuntu situation here)

ZeroTier drops root privileges to the zerotier-one user at startup (retaining CAP_NET_ADMIN/CAP_NET_RAW). However, systemd-resolved checks polkit identity — not capabilities — for DNS changes. A polkit rule is included and installed by the RPM spec to grant the zerotier-one user access to org.freedesktop.resolve1.{set-dns-servers,set-domains,revert}.

Interface name vs network ID

Unlike Windows/macOS helpers which take a network ID, LinuxDNSHelper takes an interface name because resolvectl operates on interfaces.

This PR was created with help from Claude.
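
The subprocess hardening named in the second commit message (clear inherited capabilities, close inherited descriptors, fixed environment), as an added example that is not code from this PR or from ZeroTier. The names run_hardened, close_inherited_fds and CLEAN_ENV, the interface name and the server address are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child: nothing is inherited from the daemon. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "LANG=C", NULL };

/* Close every descriptor above stderr so sockets and key files do not leak. */
static void close_inherited_fds(void) {
#ifdef SYS_close_range
    if (syscall(SYS_close_range, 3U, ~0U, 0U) == 0) return;
#endif
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;  /* fallback bound (assumption) */
    for (int fd = 3; fd < max; fd++) close(fd);
}

/* Fork, harden the child, exec `path`; returns its exit status or -1. */
int run_hardened(const char *path, char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Ambient caps survive execve; EINVAL means the kernel has no such set. */
        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0) != 0
            && errno != EINVAL)
            _exit(126);                       /* fail closed: do not exec */
        close_inherited_fds();
        execve(path, argv, CLEAN_ENV);        /* absolute path, no PATH search */
        _exit(127);
    }
    int status;
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Interface name and server address are constructed sample values. */
    char *const argv[] = { "resolvectl", "dns", "ztexample0", "10.0.0.53", NULL };
    return run_hardened("/usr/bin/resolvectl", argv);
}
```

For an unprivileged process executing a binary without file capabilities, the ambient set is the only path by which CAP_NET_ADMIN/CAP_NET_RAW would reach the child, which is why clearing it before execve is sufficient here.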