From: Rutherther
Subject: [bug#78179] [PATCH 0/4] Add wireshark-service-type with privileged wrapper
Date: Thu, 1 May 2025 10:26:59 +0200
To: 78179@debbugs.gnu.org
Cc: Rutherther, Denis 'GNUtoo' Carikli, Maxim Cournoyer
X-Mailer: git-send-email 2.49.0

Hi, recently I discussed on the devel mailing list the topic of a wireshark service
type. I would like to thank Denis 'GNUtoo' Carikli who helped me a lot in coming to this idea.

# Motivation

The issue with wireshark is that it refers to dumpcap from the bin folder of the output. That is good usually, but not so with Wireshark, as dumpcap needs to run with capabilities, and the store cannot have binaries with capabilities.

In addition to that, dumpcap was wrapped with the gtk wrapping phase, unnecessarily. This complicates the matter a bit, since interpreted executables cannot get setuid or capabilities. I think that is still something to look at in the future - wrap-program doesn't work for setuid/capabilities; maybe it would be good to introduce wrap-program-binary that would make a binary instead for the wrapping, but it's not the topic of this patch series.

# Solution

The solution works like this:

1. #$output/bin/dumpcap is unwrapped (mv #$output/bin/.dumpcap-real #$output/bin/dumpcap)
2. #$output/bin/dumpcap is replaced with a shell script that looks if /run/privileged/bin/dumpcap exists; if it does, it is executed. If it doesn't, the original dumpcap binary is executed. Additionally GUIX_SKIP_PRIVILEGED=1 will skip the check and start the original binary.
3. The original binary is put to #$output/privileged/dumpcap (we can change the folder, but the name of the binary is important here for privileged-program - it cannot change name)
4. The service will make a privileged program referring to #$output/privileged/dumpcap

# Implementation

I've decided to introduce a new module, (guix build privileged). This module exposes just one function: wrap-privileged. This function accepts:

- output - output folder of the package (/gnu/store/...-dumpcap-ver)
- original - path to the original binary under the output (bin/dumpcap)
- target-name - name that will end up in #$output/privileged
- #:unwrap - whether to try unwrapping the binary. This has to be #t currently to work properly (#t); only binary wrappers would allow for it to be #f.
- #:target-folder - what folder under output to put the target to (privileged)
- #:privileged-directory - where the privileged programs are. I've exposed %privileged-program-directory from (gnu build activation) (/run/privileged/bin)

This function is then used in a new phase of wireshark, wrap-privileged, that happens after qt-wrap (so that the binary can be unwrapped). Additionally I added bash to the inputs of wireshark, so that the shebang is patched (I've decided to let this be handled by the patch-shebang phase rather than passing the path to bash to the wrap-privileged function, which would add complexity unnecessarily imho).

```
(add-after 'qt-wrap 'wrap-dumpcap
  (lambda _
    (wrap-privileged #$output "bin/dumpcap" "dumpcap")))
```

Then I added the service, referring to wireshark/privileged/dumpcap.

# Future

After this feature is introduced into the Guix code, other packages could be changed to it. I've checked the code and there seem to be a few packages that already patch the source to refer to /run/privileged.

- singularity, spice-gtk: refer to their own binary.
- spacefm, udevil, zabbix-agentd, xsecurelock: refer to a binary of a different package.

The second category is going to have to be thought through further; I am not sure what the best approach is going to be, whether to make shell scripts in the packages or to consider adding new packages that would have such shell scripts in their bin folder.

# Considerations

- Maybe the wrapped script should be a guile script instead of a shell one?
- Wrapped executables cannot work with this, as was discussed in the intro.
- I really had trouble coming up with the wrap-privileged function interface; maybe the parameters could be made more intuitive.
- Should this be added to the manual?
- During testing I found out that the wireshark binary doesn't pass the GUIX_SKIP_PRIVILEGED env var through to the dumpcap wrapper :(

Feedback welcome,
Cheers!
Rutherther

Rutherther (4):
  gnu: %privileged-program-directory: Export variable.
  guix: Add (guix build privileged) module.
  gnu: wireshark: Wrap dumpcap with wrap-privileged.
  services: Add wireshark-service-type.

 gnu/build/activation.scm    |  4 +++-
 gnu/packages/networking.scm | 17 +++++++++++--
 gnu/services/networking.scm | 35 ++++++++++++++++++++++++++-
 guix/build/privileged.scm   | 48 +++++++++++++++++++++++++++++++++++++
 4 files changed, 100 insertions(+), 4 deletions(-)
 create mode 100644 guix/build/privileged.scm

base-commit: d505cb960fd1e670be9a66d9fdbad94bc49e891d
-- 
2.49.0
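The dispatching wrapper described in the Solution section, as an added example that is not part of the patch series or of Guix: a POSIX sh stand-in for wrap-privileged (the function name write_privileged_wrapper, the sandbox paths and the fake dumpcap binaries are all constructed for this demo; the real module is Guile). It writes the three-way script (opt-out via GUIX_SKIP_PRIVILEGED=1, privileged copy if present, store binary otherwise) and then exercises each outcome in a temporary directory instead of the host's /run/privileged/bin.

```shell
#!/bin/sh
# Added example, not code from the patch series: a shell stand-in for the
# wrap-privileged step, producing the dispatching script the cover letter
# describes. Every path below is an assumption chosen for the demo; the real
# implementation lives in Guile in (guix build privileged).

# write_privileged_wrapper OUTPUT ORIGINAL TARGET_NAME [TARGET_FOLDER] [PRIVILEGED_DIR]
# Moves OUTPUT/ORIGINAL to OUTPUT/TARGET_FOLDER/TARGET_NAME and writes a
# POSIX sh script in its place. The script prefers the capability-bearing copy
# under PRIVILEGED_DIR unless GUIX_SKIP_PRIVILEGED=1 is set or no such copy
# exists, in which case it runs the unprivileged copy. Defaults mirror the
# cover letter: target folder "privileged", privileged dir /run/privileged/bin.
write_privileged_wrapper() {
    output=$1
    original=$2
    target_name=$3
    target_folder=${4:-privileged}
    privileged_dir=${5:-/run/privileged/bin}

    wrapper="$output/$original"
    real="$output/$target_folder/$target_name"

    mkdir -p "$output/$target_folder"
    mv "$wrapper" "$real"

    # Unquoted heredoc: $privileged_dir, $target_name and $real are baked in at
    # build time; the escaped \$ parts stay literal and are evaluated at run time.
    cat > "$wrapper" <<EOF
#!/bin/sh
# Run the privileged copy only if it is present and executable, and only if the
# caller has not opted out; anything else falls back to the store binary.
if [ "\${GUIX_SKIP_PRIVILEGED:-}" != 1 ] && [ -x "$privileged_dir/$target_name" ]; then
    exec "$privileged_dir/$target_name" "\$@"
fi
exec "$real" "\$@"
EOF
    chmod 755 "$wrapper"
}

# make_fake_binary PATH LABEL: constructed stand-in executable that only reports
# which copy ran and with what arguments (a real tree holds the dumpcap binary).
make_fake_binary() {
    mkdir -p "$(dirname "$1")"
    printf '#!/bin/sh\necho "%s $*"\n' "$2" > "$1"
    chmod 755 "$1"
}

# demo: exercise all three outcomes in a throwaway sandbox instead of touching
# /run/privileged/bin on the host.
demo() {
    sandbox=$(mktemp -d)
    make_fake_binary "$sandbox/out/bin/dumpcap" unprivileged
    write_privileged_wrapper "$sandbox/out" bin/dumpcap dumpcap privileged "$sandbox/run/privileged/bin"

    echo "no privileged copy:      $("$sandbox/out/bin/dumpcap" -i eth0)"
    make_fake_binary "$sandbox/run/privileged/bin/dumpcap" privileged
    echo "privileged copy present: $("$sandbox/out/bin/dumpcap" -i eth0)"
    echo "GUIX_SKIP_PRIVILEGED=1:  $(GUIX_SKIP_PRIVILEGED=1 "$sandbox/out/bin/dumpcap" -i eth0)"

    rm -rf "$sandbox"
}

demo
```

Two details worth noting in the generated script: the opt-out variable is tested before the file test, so a user who sets GUIX_SKIP_PRIVILEGED=1 never touches the privileged directory at all, and the `-x` check makes a missing or non-executable privileged copy fall through to the store binary rather than fail, which is the "if it doesn't, the original dumpcap binary is executed" behaviour from the cover letter.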