From patchwork Sun Apr 17 21:01:07 2022
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 723
Subject: [bug#54997] [PATCH 00/12] Add "least authority" program wrapper
From: Ludovic Courtès
Date: Sun, 17 Apr 2022 23:01:07 +0200
Message-Id: <20220417210107.27263-1-ludo@gnu.org>
X-Mailer: git-send-email 2.35.1

Hello Guix!

So we have this fancy ‘make-forkexec-constructor/container’ thing to spawn Shepherd services in a container:

  https://guix.gnu.org/en/blog/2017/running-system-services-in-containers/

It’s nice, but it doesn’t compose. What if you want an inetd-style service *and* have it run in a container? We certainly don’t want to end up defining ‘make-inetd-constructor/container’ and so on.

Instead, the new (guix least-authority) module provides a way to create “least-authority wrappers” for a given program: the wrapper forks[*] a process that lives in separate namespaces, with ‘call-with-container’, sets up bind mounts and everything in the child, and executes the program in that environment.

([*] I considered using unshare(2) instead of forking but that doesn’t quite work, notably because the process itself would remain in the same PID namespace as its parent.)

Subsequent patches change most, but not all, users of ‘make-forkexec-constructor/container’ to ‘least-authority-wrapper’. One situation where ‘make-forkexec-constructor/container’ cannot be replaced yet is when we rely on #:pid-file, as is the case for Tor (‘make-forkexec-constructor/container’ goes to great lengths to read PID files in the container and be happy with a PID that is only valid within that namespace.) The remaining users are Jami and Pagekite; that is left as an exercise to the reader. :-)

I have plans to use ‘least-authority-wrapper’ in other contexts, in particular as the basis of a new package transformation option.

Thoughts?

Ludo’.

Ludovic Courtès (12):
  gexp: Add 'references-file'.
  file-systems: Avoid load-time warnings when attempting to load (guix store).
  linux-container: 'call-with-container' relays SIGTERM and SIGINT.
  Add (guix least-authority).
  services: dicod: Rewrite using 'least-authority-wrapper'.
  services: dicod: Use 'make-inetd-constructor'.
  services: bitlbee: Use 'make-inetd-constructor'.
  services: ipfs: Adjust for Shepherd 0.9.
  services: ipfs: Use 'least-authority-wrapper'.
  services: wesnothd: Grant write access to /var/run/wesnothd.
  services: wesnothd: Use 'least-authority-wrapper'.
  services: quassel: Use 'least-authority-wrapper'.

 Makefile.am                   |   1 +
 gnu/build/linux-container.scm |  15 ++--
 gnu/build/shepherd.scm        |   3 +-
 gnu/services/base.scm         |  22 ------
 gnu/services/dict.scm         |  61 ++++++++++------
 gnu/services/games.scm        |  33 +++++++--
 gnu/services/messaging.scm    | 105 +++++++++++++++++----------
 gnu/services/networking.scm   | 118 +++++++++++++++---------------
 gnu/system/file-systems.scm   |   5 +-
 gnu/tests/messaging.scm       |  21 +----
 guix/gexp.scm                 |  43 +++++++++++
 guix/least-authority.scm      | 131 ++++++++++++++++++++++++++++++++++
 tests/gexp.scm                |  18 +++++
 13 files changed, 403 insertions(+), 173 deletions(-)
 create mode 100644 guix/least-authority.scm

base-commit: 950f3e4f98add14f645dc4c9f8c512cac7b8a779