| Message ID | YFFl6C4hBQTLBXNO@jasmine.lan |
|---|---|
| State | Accepted |
| Series | [bug#47013,v4] gnu: Harden filesystem links. |
| Context | Check |
|---|---|
| cbaines/comparison | success |
| cbaines/git branch | success |
| cbaines/applying patch | fail |
| cbaines/issue | success |
Hi,

Leo Famulari <leo@famulari.name> wrote:

> On Tue, Mar 16, 2021 at 08:54:52PM -0400, Leo Famulari wrote:
>> As a compromise, we could create a new variable %default-sysctl-settings
>> and add a sysctl-service-type in %base-services that uses that variable.
>
> Here is a v4 patch that implements this. I wasn't sure where to put
> %default-sysctl-settings, so it's in (gnu services sysctl).
>
> From my naive perspective, it seemed to me that it belongs in (gnu
> system), but when I exported it from there, and imported (gnu system) in
> (gnu services base), building Guix crashes like this:
>
> ------
> [ 12%] LOAD guix/scripts/system.scm
> ice-9/eval.scm:293:34: error: %default-sysctl-settings: unbound variable
> hint: Did you forget `(use-modules (gnu system))'?

Yeah, some circular module dependency.

I propose this minor change:

> +++ b/gnu/services/base.scm
> @@ -35,6 +35,7 @@
> #:use-module (gnu services)
> #:use-module (gnu services admin)
> #:use-module (gnu services shepherd)
> + #:use-module (gnu services sysctl)
> #:use-module (gnu system pam)
> #:use-module (gnu system shadow) ; 'user-account', etc.
> #:use-module (gnu system uuid)
> @@ -2532,6 +2533,10 @@ to handle."
> (udev-configuration
> (rules (list lvm2 fuse alsa-utils crda))))
>
> + (service sysctl-service-type
> + (sysctl-configuration
> + (settings %default-sysctl-settings)))

Write (service sysctl-service-type) here, and…

> +++ b/gnu/services/sysctl.scm
> @@ -25,7 +25,8 @@
> #:use-module (srfi srfi-1)
> #:use-module (ice-9 match)
> #:export (sysctl-configuration
> - sysctl-service-type))
> + sysctl-service-type
> + %default-sysctl-settings))
>
>
> ;;;
> @@ -74,3 +75,8 @@
> (settings (append (sysctl-configuration-settings config)
> settings)))))
> (default-value (sysctl-configuration))))
> +
> +(define %default-sysctl-settings
> + ;; Default kernel parameters enabled with sysctl.
> + '(("fs.protected_hardlinks" . "1")
> + ("fs.protected_symlinks" . "1")))

… change the default value of the ‘settings’ field of <sysctl-configuration> to be ‘%default-sysctl-settings’.

We should also add a @defvr and adjust guix.texi accordingly.

WDYT?

Thanks,
Ludo’.
On Wed, Mar 17, 2021 at 09:49:04PM +0100, Ludovic Courtès wrote:
> [...]
> … change the default value of the ‘settings’ field of
> <sysctl-configuration> to be ‘%default-sysctl-settings’.
>
> We should also add a @defvr and adjust guix.texi accordingly.
>
> WDYT?

Sure, I'll implement your suggestions and send a v5 patch.
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index f6a490f712..eaa86ffb68 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -35,6 +35,7 @@ #:use-module (gnu services) #:use-module (gnu services admin) #:use-module (gnu services shepherd) + #:use-module (gnu services sysctl) #:use-module (gnu system pam) #:use-module (gnu system shadow) ; 'user-account', etc. #:use-module (gnu system uuid) @@ -2532,6 +2533,10 @@ to handle." (udev-configuration (rules (list lvm2 fuse alsa-utils crda)))) + (service sysctl-service-type + (sysctl-configuration + (settings %default-sysctl-settings))) + (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env")))))) diff --git a/gnu/services/sysctl.scm b/gnu/services/sysctl.scm index eb7a61b2a9..dbf918eb3a 100644 --- a/gnu/services/sysctl.scm +++ b/gnu/services/sysctl.scm @@ -25,7 +25,8 @@ #:use-module (srfi srfi-1) #:use-module (ice-9 match) #:export (sysctl-configuration - sysctl-service-type)) + sysctl-service-type + %default-sysctl-settings)) ;;; @@ -74,3 +75,8 @@ (settings (append (sysctl-configuration-settings config) settings))))) (default-value (sysctl-configuration)))) + +(define %default-sysctl-settings + ;; Default kernel parameters enabled with sysctl. + '(("fs.protected_hardlinks" . "1") + ("fs.protected_symlinks" . "1")))
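Review bot: In the `@@ -2532,6 +2533,10 @@` hunk of gnu/services/base.scm the settings are spelled out as `(sysctl-configuration (settings %default-sysctl-settings))`; if the `settings` field of `<sysctl-configuration>` defaulted to `%default-sysctl-settings`, this entry could shrink to `(service sysctl-service-type)` and the unchanged `(default-value (sysctl-configuration))` in gnu/services/sysctl.scm would hand out the hardened defaults as well. Since this hunk also places an instance of sysctl-service-type into `%base-services`, an operating-system declaration that already lists its own `(service sysctl-service-type ...)` now ends up with two instances of the type; the guix.texi update should say that additional settings are added by extending or modifying this base instance (for example with modify-services) rather than by declaring a second one.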
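Review bot: The `;; Default kernel parameters enabled with sysctl.` comment on `%default-sysctl-settings` in the `@@ -74,3 +75,8 @@` hunk of gnu/services/sysctl.scm does not say what the two knobs protect against, which the planned @defvr will need: with `fs.protected_symlinks` at 1 the kernel refuses to follow a symlink found in a world-writable sticky directory such as /tmp unless the follower owns the symlink or the directory owner does, and with `fs.protected_hardlinks` at 1 a user can no longer create a hard link to a file they neither own nor have read and write access to. Consider a comment along the lines of `;; Refuse symlink following and hard-link creation in the cases that` / `;; allow /tmp races; see Documentation/admin-guide/sysctl/fs.rst.` so the intent of the series title "Harden filesystem links" is visible at the definition.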