| Message ID | cover.1744114408.git.ludo@gnu.org |
|---|---|
| Headers |
Return-Path: <guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org> X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 0C33F27BC4B; Tue, 8 Apr 2025 13:23:18 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-7.4 required=5.0 tests=BAYES_00,DKIM_INVALID, DKIM_SIGNED,MAILING_LIST_MULTI,RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2, RCVD_IN_VALIDITY_CERTIFIED,RCVD_IN_VALIDITY_RPBL,RCVD_IN_VALIDITY_SAFE, SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 375F527BC49 for <patchwork@mira.cbaines.net>; Tue, 8 Apr 2025 13:23:17 +0100 (BST) Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from <guix-patches-bounces@gnu.org>) id 1u27yr-0007Hs-Ok; Tue, 08 Apr 2025 08:23:06 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1u27yp-0007Gu-TK for guix-patches@gnu.org; Tue, 08 Apr 2025 08:23:04 -0400 Received: from debbugs.gnu.org ([2001:470:142:5::43]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1u27yp-0006wJ-GP for guix-patches@gnu.org; Tue, 08 Apr 2025 08:23:03 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debbugs.gnu.org; s=debbugs-gnu-org; h=MIME-Version:Date:From:To:Subject; bh=bsWaSAXQSPSN7Qhswi5+fWIgEqGqmgkUmKnKtPMR4Sg=; b=WfabLM/Te/Ie0TJg+f7bV0mCn1g2Kku7l4zCPjZcJvMadQggHTTKNWhR+NH7KEW51mtYnaTegpudG/EkkezoqbcOpjIaB3C3rFwcoODuqjlkcCegrGHGTb4XIUwCQUmdXJPtiDAKt7OOq6tYmfMRBGL3PhIRGCj+9TXlfiDHDpjMNIQ0KKohgwLTsORHPCu9Qq1LLXk7QSYFhxrTQjANTDo5Z+iuWHJHr1AuqGD8LENoXAOvvACGvkn1rUVsQrfKIgVPyM/ubmxEkYlRyI4m+KPKZ77vxRPlImZYOYwt3Zd9A6RvZ1WvABHnx2dLKoPi70F2/6SGj+R8u/RbCVfGhg==; Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1u27yo-0000uh-H8 for guix-patches@gnu.org; Tue, 08 Apr 2025 08:23:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#77638] [PATCH 0/8] Harden 'call-with-container' Resent-From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org> Resent-CC: guix-patches@gnu.org Resent-Date: Tue, 08 Apr 2025 12:23:02 +0000 Resent-Message-ID: <handler.77638.B.17441149503311@debbugs.gnu.org> Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 77638 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 77638@debbugs.gnu.org Cc: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.17441149503311 (code B ref -1); Tue, 08 Apr 2025 12:23:02 +0000 Received: (at submit) by debbugs.gnu.org; 8 Apr 2025 12:22:30 +0000 Received: from localhost ([127.0.0.1]:59655 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>) id 1u27yI-0000rH-6u for submit@debbugs.gnu.org; Tue, 08 Apr 2025 08:22:30 -0400 Received: from lists.gnu.org ([2001:470:142::17]:57122) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from <ludo@gnu.org>) id 1u27yF-0000qb-Cb for submit@debbugs.gnu.org; Tue, 08 Apr 2025 08:22:28 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludo@gnu.org>) id 1u27y8-0006W5-55 for guix-patches@gnu.org; Tue, 08 Apr 2025 08:22:20 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <ludo@gnu.org>) id 1u27y7-0006lN-OR; Tue, 08 Apr 2025 08:22:19 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:Subject:To:From:in-reply-to: references; bh=bsWaSAXQSPSN7Qhswi5+fWIgEqGqmgkUmKnKtPMR4Sg=; b=AjYAduXtZVllrM kIp/RKwQGN1lWLneQQSz2wUTO8gkfugFP/xvCD3fu+tNRaO3WI2D0eFSEkEw3S9OcDLLggtPp0yEU JAtSPRIa+VX062SV++2O/pS6Z3z756lH1/5HCew8o7+s0oJCJ7fSMVGHUuVGUXIU8x88/4wXK6Cl2 2Y8JktnPcHchT+6K9qS3aD1oQSaHtgox3OwQkJUVdFf6NiD4DoFkSO2v/zKCYiDCKefTQ0R/bq2Tx 7PswAuqlYiX7gffSyVlI/uJ8ThjuqjM7vn4/QHm2XWxKrmje7QAFVNMpY33d3pieAbla0Zba8jy7e 0MPy7PVXtynwW8/6CBzA==; From: Ludovic =?utf-8?q?Court=C3=A8s?= <ludo@gnu.org> Date: Tue, 8 Apr 2025 14:22:06 +0200 Message-ID: <cover.1744114408.git.ludo@gnu.org> X-Mailer: git-send-email 2.49.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: <guix-patches.gnu.org> List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=unsubscribe> List-Archive: <https://lists.gnu.org/archive/html/guix-patches> List-Post: <mailto:guix-patches@gnu.org> List-Help: <mailto:guix-patches-request@gnu.org?subject=help> List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>, <mailto:guix-patches-request@gnu.org?subject=subscribe> Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org X-getmail-retrieved-from-mailbox: Patches |
| Series |
Harden 'call-with-container'
|
|
Message
Ludovic Courtès
April 8, 2025, 12:22 p.m. UTC
Hello Guix, This patch series hardens ‘call-with-container’, largely inspired by the discussions had while working on the unprivileged daemon. This depends on <https://issues.guix.gnu.org/77288> for ‘unshare’. My main test was: make check TESTS="tests/containers.scm tests/guix-home.sh tests/guix-environment-container.sh" … which catches most issues. I also manually tested ‘least-authority-wrapper’. I did not test ‘guix system container’. Note the incompatible change in ‘guix shell -C’, where the root is now read-only by default (it was indirectly documented as being writable before). I think it’s an acceptable change, but we can discuss. :-) Thoughts? Ludo’. Ludovic Courtès (8): linux-container: Add #:mounts to ‘eval/container’. guix home: ‘container’ explicitly mounts $HOME and /run/user/1000. linux-container: Support having a read-only root file system. guix home: ‘container’ provides a read-only root file system. environment: Add ‘--writable-root’ and default to read-only root. syscalls: Add ‘get-user-ns’. linux-container: Set up “lo” and generate /etc/hosts by default. linux-container: Lock mounts by default. doc/guix.texi | 7 +- gnu/build/linux-container.scm | 172 +++++++++++++++++++++------- gnu/system/linux-container.scm | 31 +++-- guix/build/syscalls.scm | 14 +++ guix/scripts/environment.scm | 100 ++++++++-------- guix/scripts/home.scm | 92 +++++++-------- tests/containers.scm | 59 +++++++++- tests/guix-environment-container.sh | 11 +- tests/guix-home.sh | 3 +- 9 files changed, 336 insertions(+), 153 deletions(-) base-commit: b94cf86a89ef0a6bf7ec2c8e52f64c5107888f55