From patchwork Thu May 1 08:29:35 2025
X-Patchwork-Submitter: Rutherther
X-Patchwork-Id: 42199
Subject: [bug#78179] [PATCH 2/4] guix: Add (guix build privileged) module.
From: Rutherther
To: 78179@debbugs.gnu.org
Cc: Rutherther
Date: Thu, 1 May 2025 10:29:35 +0200
Message-ID: <3ae3ac7b699eaacde6091d05ece786a536872066.1746086472.git.rutherther@ditigal.xyz>
X-Mailer: git-send-email 2.49.0

Wireshark refers to #$output/bin/dumpcap to start dumpcap. This means it's problematic to make a service for it that would add dumpcap to privileged programs.

This procedure introduces a possibility to replace a file in the output with a script that will try to execute the binary in /run/privileged/bin first, and fall back to the original one from the store. This ensures the package works on both Guix System and foreign distros.

The downside is that /run/privileged/bin will be executed every time, so it would be impossible to test different versions of the package. To overcome that, the GUIX_SKIP_PRIVILEGED variable is introduced; if it is set, the original dumpcap will be used.

* guix/build/privileged.scm (unwrap): Remove wrapping by wrap-program.
* guix/build/privileged.scm (wrap-privileged): Make a shell script for a program that needs privileges.

Change-Id: Ieacd7f2d80c5b6ecba74d9309cb2c5a6d556aa8e
---
 guix/build/privileged.scm | 48 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 guix/build/privileged.scm

diff --git a/guix/build/privileged.scm b/guix/build/privileged.scm
new file mode 100644
index 0000000000..6a456e02c0
--- /dev/null
+++ b/guix/build/privileged.scm
@@ -0,0 +1,48 @@ +(define-module (guix build privileged) + #:use-module (gnu build activation) + #:use-module (guix build utils) + #:use-module (ice-9 format) + #:export (wrap-privileged)) + +;;; Move .xxx-real to xxx, if it exists. +(define (unwrap binary) + (let* ((name (basename binary)) + (folder (dirname binary)) + (real (string-append folder "/." name "-real"))) + (when (file-exists? real) + (format #t "Unwrapping ~a~%" binary) + (rename-file real binary)))) + +;;; +;;; 1. Move {output}/{original} to {output}/{target-folder}/{target-name}. +;;; 2. Make a script at original-binary that executes /run/privileged/bin/{target-name} +;;; if it exists, if not, output/{target-folder}/{target-name} is executed. +;;; +(define* (wrap-privileged output + original + target-name + #:key + (unwrap? #t) + (target-folder "privileged") + (privileged-directory %privileged-program-directory)) + "Make a shell wrapper for binary that should be ran as privileged. + +The wrapper script will try executing binary in /run/privileged/bin, if it exists, +and if not, it will fall back to the original." + (let ((original-file (string-append output "/" original)) + (target-file (string-append output "/" target-folder "/" target-name)) + (privileged-file (string-append privileged-directory "/" target-name))) + (when unwrap? + (unwrap original-file)) + (mkdir-p (dirname target-file)) + (rename-file original-file target-file) + (call-with-output-file original-file + (lambda (port) + (format port "#!/usr/bin/env bash +if [[ -z \"$GUIX_SKIP_PRIVILEGED\" && -f \"~a\" ]]; then + exec -a \"$0\" \"~a\" \"$@\" +fi + +exec -a \"$0\" \"~a\" \"$@\" +" privileged-file privileged-file target-file) + (chmod port #o555)))))
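Review bot: the wrapper that wrap-privileged writes (the `(format port "#!/usr/bin/env bash ...` call at the end of the hunk) is started through /usr/bin/env and whatever bash PATH happens to find at run time, so the store output carries no reference to the bash it needs and the wrapper fails wherever /usr/bin/env is absent, as in the build container; pin the interpreter to the store bash at build time, for example `(format port "#!~a~%..." (which "bash"))`, as `wrap-program` in (guix build utils) does. In the same script, the `-f "~a"` test only checks that the privileged copy exists: when /run/privileged/bin/dumpcap is present but not executable by the calling user (a copy restricted to a group, say) the `exec` fails with "Permission denied" and the script exits instead of falling back to the store copy, which `-x` would handle. The docstring should read "should be run" rather than "should be ran", and it should mention GUIX_SKIP_PRIVILEGED, since that variable is part of the wrapper's interface and is otherwise documented only in the commit message. Finally, the new file lacks the copyright and GPL license header that every Guix source file carries, and importing `%privileged-program-directory` from `(gnu build activation)` makes a `(guix build ...)` module depend on `(gnu ...)`, which `guix/` modules are expected to avoid; a local definition of the constant, or a lighter home for it, would keep the layering.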
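The fallback behaviour described in the commit message, as an added example that is not part of the patch or of Guix: a POSIX shell script that writes the same kind of wrapper wrap-privileged generates, but against throw-away directories standing in for the package output and /run/privileged/bin, with fake "dumpcap" binaries that only report which copy ran. All paths, the fake binaries and the scenario names are constructed for the demonstration; the wrapper's interpreter is pinned to whatever bash `command -v` finds (an assumption of this demo, not the patch's `#!/usr/bin/env bash`). It goes one step beyond the patch by taking the test operator as a parameter, so the `-f` test of the patch can be compared with `-x` on a privileged copy that exists but is not executable.

```shell
# Added example, not part of the patch or of Guix: exercises the
# privileged-first, store-fallback wrapper on any machine.  Paths, the fake
# dumpcap binaries and the scenarios are constructed for this demonstration.

# fake_binary FILE LABEL: stand-in for dumpcap that reports which copy ran.
fake_binary() {
    printf '#!/bin/sh\necho "%s argv0=$0 args=$*"\n' "$2" >"$1"
    chmod 755 "$1"
}

# make_wrapper WRAPPER PRIVILEGED_FILE TARGET_FILE [TEST_OP]
# Writes the wrapper the patch generates.  TEST_OP is the test applied to the
# privileged path: -f as in the patch, or -x to also require execute permission.
# The interpreter is pinned to the bash found now rather than /usr/bin/env.
make_wrapper() {
    wrapper=$1 priv=$2 target=$3 test_op=${4:--f}
    bash_path=$(command -v bash) || { echo "bash not found" >&2; return 1; }
    cat >"$wrapper" <<EOF
#!$bash_path
if [[ -z "\$GUIX_SKIP_PRIVILEGED" && $test_op "$priv" ]]; then
  exec -a "\$0" "$priv" "\$@"
fi

exec -a "\$0" "$target" "\$@"
EOF
    chmod 555 "$wrapper"
}

# demo TEST_OP PRIV_MODE SKIP: run one scenario, print which copy ran.
#   PRIV_MODE  absent (no privileged copy), 755 (executable) or 644 (present
#              but not executable, like a copy restricted to another group)
#   SKIP       non-empty to set GUIX_SKIP_PRIVILEGED
# Prints "privileged", "store", or "failed" when the wrapper's exec failed
# and nothing ran at all.
demo() {
    test_op=$1 priv_mode=$2 skip=$3
    root=$(mktemp -d)
    mkdir -p "$root/out/bin" "$root/out/privileged" "$root/run/privileged/bin"
    fake_binary "$root/out/privileged/dumpcap" store
    if [ "$priv_mode" != absent ]; then
        fake_binary "$root/run/privileged/bin/dumpcap" privileged
        chmod "$priv_mode" "$root/run/privileged/bin/dumpcap"
    fi
    make_wrapper "$root/out/bin/dumpcap" \
                 "$root/run/privileged/bin/dumpcap" \
                 "$root/out/privileged/dumpcap" "$test_op"
    if [ -n "$skip" ]; then
        output=$(GUIX_SKIP_PRIVILEGED=1 "$root/out/bin/dumpcap" -D 2>&1 || true)
    else
        output=$(unset GUIX_SKIP_PRIVILEGED; "$root/out/bin/dumpcap" -D 2>&1 || true)
    fi
    rm -rf "$root"
    case $output in
        privileged*) echo privileged ;;
        store*)      echo store ;;
        *)           echo failed ;;
    esac
}

# Walk every scenario when the script is run directly.
for scenario in "-f 755 " "-f 755 1" "-f absent " "-f 644 " "-x 644 "; do
    set -- $scenario
    printf '%-2s priv=%-6s skip=%-1s -> %s\n' "$1" "$2" "${3:-}" "$(demo "$1" "$2" "${3:-}")"
done
```

The first three scenarios reproduce the patch's intended behaviour: the privileged copy wins when it exists, GUIX_SKIP_PRIVILEGED forces the store copy, and a missing privileged copy falls back. The last two show the difference between `-f` and `-x` when the privileged copy exists but cannot be executed by the caller.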