| Message ID | 20220427165635.8015-1-ludo@gnu.org |
|---|---|
| Headers | show
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 6AAF227BBEB; Wed, 27 Apr 2022 18:02:04 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.7 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id E580127BBE9 for <patchwork@mira.cbaines.net>; Wed, 27 Apr 2022 18:02:03 +0100 (BST) Received: from localhost ([::1]:34708 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org>) id 1njl3D-0001R1-4N for patchwork@mira.cbaines.net; Wed, 27 Apr 2022 13:02:03 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:34536) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1njkye-0003VE-5z for guix-patches@gnu.org; Wed, 27 Apr 2022 12:57:21 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:50229) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1njkyO-00055V-HJ for guix-patches@gnu.org; Wed, 27 Apr 2022 12:57:19 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1njkyL-0003op-UL; Wed, 27 Apr 2022 12:57:01 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#54997] [PATCH v2 00/15] Add "least authority" program wrapper Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: bauermann@kolabnow.com, maximedevos@telenet.be, guix-patches@gnu.org Resent-Date: Wed, 27 Apr 2022 16:57:01 +0000 Resent-Message-ID: <handler.54997.B54997.165107861714654@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 54997 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 54997@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org>, Thiago Jung Bauermann <bauermann@kolabnow.com>, Maxime Devos <maximedevos@telenet.be> X-Debbugs-Original-Xcc: Thiago Jung Bauermann <bauermann@kolabnow.com>, Maxime Devos <maximedevos@telenet.be> Received: via spool by 54997-submit@debbugs.gnu.org id=B54997.165107861714654 (code B ref 54997); Wed, 27 Apr 2022 16:57:01 +0000 Received: (at 54997) by debbugs.gnu.org; 27 Apr 2022 16:56:57 +0000 Received: from localhost ([127.0.0.1]:44101 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>) id 1njkyH-0003o6-5x for submit@debbugs.gnu.org; Wed, 27 Apr 2022 12:56:57 -0400 Received: from eggs.gnu.org ([209.51.188.92]:41140) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <ludo@gnu.org>) id 1njkyE-0003nP-SA for 54997@debbugs.gnu.org; Wed, 27 Apr 2022 12:56:55 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]:59996) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludo@gnu.org>) id 1njky8-00052f-Pj; Wed, 27 Apr 2022 12:56:48 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:References:In-Reply-To:Date:Subject:To: From; bh=iL3RD1B1BoNLfIKWvnuNl97WsFklxgQCCMaYNuauLD4=; b=CMwUELkPm6vnMfC8t5v7 0WCAsQEEKQchG3pIkabQZDLq6/8gZ0CabKrMoqoM0a3YL0UlfJ3eouIH0TgvZSJLvTr04yN5hsDti dfWIKy/q+FhBvTJO9s8hG1ajbGMaS5mI47l9X+6yXBzhItRkyZYb6uVV2y2cjRh97gU7J79Cuo5kx qtfYUrnGDqWOMJJlUQbcJGRsAfvOhAFYk4Gt3tZfsHZJt+Jh2hHcfRTf9kHSKFHM9RYPaJy6kfZbT 9/mSD5mTN6G1IZf840AxXyKGUIppeaP1auIpDhSmjYLhMlnRliYmdKn/tniDiBTs9ANRRkC6arq3i UbRZSbmWHxaV3A==; Received: from 91-160-117-201.subs.proxad.net ([91.160.117.201]:64439 helo=gnu.org) by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <ludo@gnu.org>) id 1njky8-0000Hl-Ab; Wed, 27 Apr 2022 12:56:48 -0400 From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> Date: Wed, 27 Apr 2022 18:56:20 +0200 Message-Id: <20220427165635.8015-1-ludo@gnu.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <878rrrk1v1.fsf_-_@gnu.org> References: <878rrrk1v1.fsf_-_@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: <guix-patches.gnu.org> List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=unsubscribe> List-Archive: <https://lists.gnu.org/archive/html/guix-patches> List-Post: <mailto:guix-patches@gnu.org> List-Help: <mailto:guix-patches-request@gnu.org?subject=help> List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=subscribe> Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-getmail-retrieved-from-mailbox: Patches |
| Series |
Add "least authority" program wrapper
|
expand
|
Hi! Changes since v1: • Add ‘delete-duplicates’ call in ‘references-file’. • Work around unreliable signal delivery in Guile (note that this is not a new problem; I just happened to notice it). This part is unsatisfactory. The solution in the Shepherd is signalfd(2) on GNU/Linux, but using it requires quite a bit of infrastructure. • New #:child-is-pid1? parameter for ‘call-with-container’, set to #false by ‘least-authority-wrapper’. This is probably overkill for most cases (daemons that, unlike Jenkins, don’t run arbitrary user scripts are unlikely to leave zombies behind them), but safer. • Converted opendht service to ‘least-authority-wrapper’. I think it’s good to go. Thoughts? Thanks, Ludo’. Ludovic Courtès (15): gexp: Add 'references-file'. file-systems: Avoid load-time warnings when attempting to load (guix store). linux-container: 'call-with-container' relays SIGTERM and SIGINT. linux-container: Ensure signal-handling asyncs get a chance to run. linux-container: Add #:child-is-pid1? parameter to 'call-with-container'. Add (guix least-authority). services: dicod: Rewrite using 'least-authority-wrapper'. services: dicod: Use 'make-inetd-constructor'. services: bitlbee: Use 'make-inetd-constructor'. services: ipfs: Adjust for Shepherd 0.9. services: ipfs: Use 'least-authority-wrapper'. services: wesnothd: Grant write access to /var/run/wesnothd. services: wesnothd: Use 'least-authority-wrapper'. services: quassel: Use 'least-authority-wrapper'. services: opendht: Use 'least-authority-wrapper'. Makefile.am | 1 + gnu/build/linux-container.scm | 78 +++++++++++++++-- gnu/build/shepherd.scm | 3 +- gnu/services/base.scm | 22 ----- gnu/services/dict.scm | 61 ++++++++----- gnu/services/games.scm | 33 +++++-- gnu/services/messaging.scm | 105 ++++++++++++++-------- gnu/services/networking.scm | 158 +++++++++++++++++----------------- gnu/system/file-systems.scm | 5 +- gnu/tests/messaging.scm | 21 +---- guix/gexp.scm | 44 ++++++++++ guix/least-authority.scm | 135 +++++++++++++++++++++++++++++ tests/gexp.scm | 18 ++++ 13 files changed, 491 insertions(+), 193 deletions(-) create mode 100644 guix/least-authority.scm base-commit: 950f3e4f98add14f645dc4c9f8c512cac7b8a779