From patchwork Tue Apr 8 12:22:06 2025
From: Ludovic Courtès
Date: Tue, 8 Apr 2025 14:22:06 +0200
Subject: [bug#77638] [PATCH 0/8] Harden 'call-with-container'
To: 77638@debbugs.gnu.org
Cc: Ludovic Courtès
X-Mailer: git-send-email 2.49.0

Hello Guix,

This patch series hardens ‘call-with-container’, largely inspired by the
discussions had while working on the unprivileged daemon.

This depends on for ‘unshare’.

My main test was:

  make check TESTS="tests/containers.scm tests/guix-home.sh tests/guix-environment-container.sh"

… which catches most issues. I also manually tested
‘least-authority-wrapper’. I did not test ‘guix system container’.

Note the incompatible change in ‘guix shell -C’, where the root is now
read-only by default (it was indirectly documented as being writable
before). I think it’s an acceptable change, but we can discuss. :-)

Thoughts?

Ludo’.

Ludovic Courtès (8):
  linux-container: Add #:mounts to ‘eval/container’.
  guix home: ‘container’ explicitly mounts $HOME and /run/user/1000.
  linux-container: Support having a read-only root file system.
  guix home: ‘container’ provides a read-only root file system.
  environment: Add ‘--writable-root’ and default to read-only root.
  syscalls: Add ‘get-user-ns’.
  linux-container: Set up “lo” and generate /etc/hosts by default.
  linux-container: Lock mounts by default.

 doc/guix.texi                       |   7 +-
 gnu/build/linux-container.scm       | 172 +++++++++++++++++++++-------
 gnu/system/linux-container.scm      |  31 +++--
 guix/build/syscalls.scm             |  14 +++
 guix/scripts/environment.scm        | 100 ++++++++--------
 guix/scripts/home.scm               |  92 +++++++-------
 tests/containers.scm                |  59 +++++++++-
 tests/guix-environment-container.sh |  11 +-
 tests/guix-home.sh                  |   3 +-
 9 files changed, 336 insertions(+), 153 deletions(-)

base-commit: b94cf86a89ef0a6bf7ec2c8e52f64c5107888f55