[bug#77396,v2,1/2] least-authority: Preserve systemd LISTEN_* environment variables.
Message ID: a9698fbc790a5ab4a1eabd9a65dd552077a29f7b.1743662589.git.maxim.cournoyer@gmail.com
State: New
Series: [bug#77396,v2,1/2] least-authority: Preserve systemd LISTEN_* environment variables.
Commit Message
Maxim Cournoyer
April 3, 2025, 6:43 a.m. UTC
Otherwise, combining make-systemd-constructor with least-authority-wrapper
would not work correctly out of the box.

* guix/least-authority.scm (%precious-variables): Rename to...
(%default-preserved-environment-variables): ... this, and export it.
Add "LISTEN_PID" "LISTEN_FDS" "LISTEN_FDNAMES" environment variables.
(least-authority-wrapper): Adjust accordingly.

Change-Id: Idd259b15463920965f530e1917d76bf97def3b7b
---
 guix/least-authority.scm | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

base-commit: 8c43056aabc2d22da61dc86049b143f7ae1ef516
Comments
Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> Otherwise, combining make-systemd-constructor with least-authority-wrapper
> would not work correctly out of the box.
>
> * guix/least-authority.scm (%precious-variables): Rename to...
> (%default-preserved-environment-variables): ... this, and export it.
> Add "LISTEN_PID" "LISTEN_FDS" "LISTEN_FDNAMES" environment variables.
> (least-authority-wrapper): Adjust accordingly.
>
> Change-Id: Idd259b15463920965f530e1917d76bf97def3b7b

[...]

> -(define %precious-variables
> +(define %default-preserved-environment-variables
> ;; Environment variables preserved by the wrapper by default.
> - '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER"))
> + '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER"
> + "LISTEN_PID" "LISTEN_FDS" "LISTEN_FDNAMES")) ;for make-systemd-constructor

I would not export this variable, but otherwise LGTM!

Thanks,
Ludo’.
Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>
>> Otherwise, combining make-systemd-constructor with least-authority-wrapper
>> would not work correctly out of the box.
>>
>> * guix/least-authority.scm (%precious-variables): Rename to...
>> (%default-preserved-environment-variables): ... this, and export it.
>> Add "LISTEN_PID" "LISTEN_FDS" "LISTEN_FDNAMES" environment variables.
>> (least-authority-wrapper): Adjust accordingly.
>>
>> Change-Id: Idd259b15463920965f530e1917d76bf97def3b7b
>
> [...]
>
>> -(define %precious-variables
>> +(define %default-preserved-environment-variables
>> ;; Environment variables preserved by the wrapper by default.
>> - '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER"))
>> + '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER"
>> + "LISTEN_PID" "LISTEN_FDS" "LISTEN_FDNAMES")) ;for make-systemd-constructor
>
> I would not export this variable, but otherwise LGTM!

It aims to make extending the list easier.  Otherwise one has to peek
into the code, and copy the existing list to be consed to.

Perhaps you mean that you don't think this should be extensible?  And if
something important is missing we can simply add it like I've done for
the LISTEN_* variables here?
Hi,

Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:

> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Maxim Cournoyer <maxim.cournoyer@gmail.com> skribis:
>>
>>> Otherwise, combining make-systemd-constructor with least-authority-wrapper
>>> would not work correctly out of the box.
>>>
>>> * guix/least-authority.scm (%precious-variables): Rename to...
>>> (%default-preserved-environment-variables): ... this, and export it.
>>> Add "LISTEN_PID" "LISTEN_FDS" "LISTEN_FDNAMES" environment variables.
>>> (least-authority-wrapper): Adjust accordingly.
>>>
>>> Change-Id: Idd259b15463920965f530e1917d76bf97def3b7b
>>
>> [...]
>>
>>> -(define %precious-variables
>>> +(define %default-preserved-environment-variables
>>> ;; Environment variables preserved by the wrapper by default.
>>> - '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER"))
>>> + '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER"
>>> + "LISTEN_PID" "LISTEN_FDS" "LISTEN_FDNAMES")) ;for make-systemd-constructor
>>
>> I would not export this variable, but otherwise LGTM!
>
> It aims to make extending the list easier.  Otherwise one has to peek
> into the code, and copy the existing list to be consed to.

Ah yes, that makes sense to me.  Let’s export it then!

Ludo’.
Hi Ludovic,

Ludovic Courtès <ludo@gnu.org> writes:

[...]

>>>> -(define %precious-variables
>>>> +(define %default-preserved-environment-variables
>>>> ;; Environment variables preserved by the wrapper by default.
>>>> - '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER"))
>>>> + '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER"
>>>> + "LISTEN_PID" "LISTEN_FDS" "LISTEN_FDNAMES")) ;for make-systemd-constructor
>>>
>>> I would not export this variable, but otherwise LGTM!
>>
>> It aims to make extending the list easier.  Otherwise one has to peek
>> into the code, and copy the existing list to be consed to.
>
> Ah yes, that makes sense to me.  Let’s export it then!

I had already pushed this without exporting it.  Let's revisit the next
time we have a reason to extend the list.
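As an added illustration (not code from the patch or from Guix), the following Python models both sides of what this thread is about: the wrapper keeping only a list of environment variables, with the old and new default lists from the patch, and the sd_listen_fds()-style check a socket-activated service performs on LISTEN_PID, LISTEN_FDS and LISTEN_FDNAMES. The sample environment, the PID and the function names are constructed for the example.

```python
"""Model of least-authority environment filtering versus systemd socket
activation.  Constructed example; the lists mirror the patch, the check
mirrors the documented sd_listen_fds() behaviour (not the sd-daemon code)."""

# Default preserved lists before and after the patch.
OLD_PRESERVED = ["HOME", "USER", "LOGNAME", "DISPLAY", "XAUTHORITY",
                 "TERM", "TZ", "PAGER"]
NEW_PRESERVED = OLD_PRESERVED + ["LISTEN_PID", "LISTEN_FDS", "LISTEN_FDNAMES"]

SD_LISTEN_FDS_START = 3  # first passed descriptor in the systemd protocol


def filter_environment(environ, preserved):
    """Keep only the variables named in PRESERVED, as the wrapper does."""
    return {k: v for k, v in environ.items() if k in preserved}


def listen_fds(environ, pid):
    """Return (fds, names) like sd_listen_fds_with_names(): empty when the
    variables are missing, malformed, or LISTEN_PID is not PID (the PID of
    the process actually reading the descriptors)."""
    try:
        if int(environ["LISTEN_PID"]) != pid:
            return [], []
        count = int(environ["LISTEN_FDS"])
    except (KeyError, ValueError):
        return [], []
    if count < 0:
        return [], []
    fds = list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))
    raw = environ.get("LISTEN_FDNAMES", "")
    names = raw.split(":") if raw else []
    # Missing names are reported as "unknown"; extra names are dropped.
    names = (names + ["unknown"] * count)[:count]
    return fds, names


# Constructed environment as a socket-activating supervisor would set it for
# a service that receives two sockets.  PATH is present only to show that
# unlisted variables are dropped.
SERVICE_PID = 4242
ACTIVATION_ENV = {
    "HOME": "/var/lib/svc", "TERM": "dumb", "PATH": "/run/profile/bin",
    "LISTEN_PID": str(SERVICE_PID), "LISTEN_FDS": "2",
    "LISTEN_FDNAMES": "http:https",
}


def demo():
    """Activation lost with the old list, kept with the new one, and lost
    again when the reading process does not have the advertised PID."""
    old = listen_fds(filter_environment(ACTIVATION_ENV, OLD_PRESERVED), SERVICE_PID)
    new = listen_fds(filter_environment(ACTIVATION_ENV, NEW_PRESERVED), SERVICE_PID)
    wrong_pid = listen_fds(filter_environment(ACTIVATION_ENV, NEW_PRESERVED), 1)
    return old, new, wrong_pid
```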
diff --git a/guix/least-authority.scm b/guix/least-authority.scm index 3465fe9a48..cd846aaa61 100644 --- a/guix/least-authority.scm +++ b/guix/least-authority.scm @@ -26,7 +26,8 @@ (define-module (guix least-authority) spec->file-system file-system->spec file-system-mapping->bind-mount) - #:export (least-authority-wrapper)) + #:export (least-authority-wrapper + %default-preserved-environment-variables)) ;;; Commentary: ;;; @@ -35,9 +36,10 @@ (define-module (guix least-authority) ;;; ;;; Code: -(define %precious-variables +(define %default-preserved-environment-variables ;; Environment variables preserved by the wrapper by default. - '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER")) + '("HOME" "USER" "LOGNAME" "DISPLAY" "XAUTHORITY" "TERM" "TZ" "PAGER" + "LISTEN_PID" "LISTEN_FDS" "LISTEN_FDNAMES")) ;for make-systemd-constructor (define* (least-authority-wrapper program #:key (name "pola-wrapper") @@ -49,7 +51,7 @@ (define* (least-authority-wrapper program (namespaces %namespaces) (directory "/") (preserved-environment-variables - %precious-variables)) + %default-preserved-environment-variables)) "Return a wrapper of PROGRAM that executes it with the least authority. PROGRAM is executed in separate namespaces according to NAMESPACES, a list of
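Review bot: the `#:export` hunk and the commit message's "and export it" both make %default-preserved-environment-variables public, but the last reply in the thread says the change was pushed without the export; whichever version lands, this hunk and the ChangeLog entry should agree, since the ChangeLog line is what later readers search for.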
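Review bot: in the %default-preserved-environment-variables hunk, preserving LISTEN_PID, LISTEN_FDS and LISTEN_FDNAMES is necessary but not sufficient for socket activation to survive the wrapper: the systemd protocol has the service ignore the descriptors unless LISTEN_PID equals the PID of the process that reads them, and the descriptors themselves are fds 3 upward, so a wrapper that forks before exec, runs the program under a new PID namespace (see the NAMESPACES argument in the next hunk) or closes inherited descriptors still loses activation with the variables intact. Suggest expanding the trailing `;for make-systemd-constructor` into a comment stating which of those guarantees the wrapper provides.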
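Review bot: in the least-authority-wrapper hunk, the docstring beginning "Return a wrapper of PROGRAM that executes it with the least authority." should say that PRESERVED-ENVIRONMENT-VARIABLES defaults to %default-preserved-environment-variables and that callers needing more should cons onto that list rather than replace it, which is the rationale for exporting it given in the thread; as written, a caller passing only their own variables silently drops HOME, TERM and the LISTEN_* entries.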