Message ID | 7072c80a192f3c136cb70da4a0662d77ce508b56.1615236603.git.leo@famulari.name |
---|---|
State | Accepted |
Headers | show |
Series | [bug#47013] gnu: Harden filesystem links. | expand |
Context | Check | Description |
---|---|---|
cbaines/submitting builds | success | |
cbaines/comparison | success | View comparision |
cbaines/git branch | success | View Git branch |
cbaines/applying patch | success | View Laminar job |
cbaines/issue | success | View issue |
There is a need to have important sysctl settings fs.protected_hardlinks and fs.protected_symlinks for all installations of Guix in the world unless explicitly stated otherwise. Currently in Linux kernel they are unset by default. It is also stated that other distributions do the same. In perfect world I would go for Solution 1 below, as it is most effectful, and clean. Solution 1: From this statement, it seems that the first resort whould be Linux kernel it self. If it would be possible to configure them with Kconfig, that would be best place. As of my brief look at linux/fs, they are not configurable, but may be I miss somthing. Any way preferred solution would be just compile kernel with protected hardlinks and symlinks set to 1. Since other distributions do the same, it could be reasonable to expose these two settings via Kconfig, and solve it there. - pros: great for the world - cons: have to do enhancement in mainline Linux Solution 2: If it is not possible to have these two settings in kernel as per Solution 1, Guix may maintain a patch to kernel that would do this. - pros: no need to enhance mainline Linux - cons: will impact users who do use Guix and compile Linux kernel them selves Solution 3: Handle in Guix configuration. Everything below related to solution 3. Currently it is set as folowing: ;; gnu/services/sysctl.scm (define-module .... #:export (.... %default-sysctl-settings) (define %default-sysctl-settings ;; Default kernel parameters enabled with sysctl. '(("fs.protected_hardlinks" . "1") ("fs.protected_symlinks" . "1"))) (define-record-type* <sysctl-configuration> sysctl-configuration make-sysctl-configuration sysctl-configuration? (sysctl sysctl-configuration-sysctl ; path of the 'sysctl' command (default (file-append procps "/sbin/sysctl"))) (settings sysctl-configuration-settings ; alist of string pairs (default %default-sysctl-settings))) ;; ends- gnu/services/sysctl.scm And sysctl-service-type it self is added to the %base-services. Since sysctl-configuration-settings function to access settings field of sysctl-configuration instance is not exported, I have to do the following in my configuration: (define nomad-gx1-os (operating-system (inherit my-base-nomad-os) ;; important line-#1 ... (services (modify-services my-base-nomad-services (sysctl-service-type config => (inherit config) (settings (append %default-sysctl-settings ;; from gnu/services/sysctl.scm '(("fs.inotify.max_user_watches" . "524288") ("fs.inotify.max_user_instances" . "16384") ("fs.inotify.max_queued_events" . "65536"))))))))) This is fine, until I extend sysctl-service-type in my-base-nomad-os. Then I have to export my-base-nomad-sysctl-settings and join them with %default-sysctl-settings and extra settings for nomad-gx1-os. While it is bearable for one or two levels of inheritance, it becomes hard to keep track for more levels and/or many hosts. If sysctl-configuration-settings would be exported as per #47323, then my configuration would become simplier: (services (modify-services my-base-nomad-services (sysctl-service-type config => (inherit config) (settings (append (sysctl-configuration-settings config) ;; now I can't do this '(("fs.inotify.max_user_watches" . "524288") ("fs.inotify.max_user_instances" . "16384") ("fs.inotify.max_queued_events" . "65536"))))))))) In this case, if Guix documentation will include sysctl-configuration-settings, then most likely people won't forget use %default-sysctl-settings, and it is still possible to override them if one desires not to use protected symlinks and hardlinks.
As per discussion with Leo on IRC #guix. There is a need to have important sysctl settings fs.protected_hardlinks and fs.protected_symlinks for all installations of Guix in the world unless explicitly stated otherwise. Currently in Linux kernel they are unset by default. It is also stated that other distributions do the same. In perfect world I would go for Solution 1 below, as it is most effectful, and clean. Solution 1: From this statement, it seems that the first resort whould be Linux kernel it self. If it would be possible to configure them with Kconfig, that would be best place. As of my brief look at linux/fs, they are not configurable, but may be I miss somthing. Any way preferred solution would be just compile kernel with protected hardlinks and symlinks set to 1. Since other distributions do the same, it could be reasonable to expose these two settings via Kconfig, and solve it there. - pros: great for the world - cons: have to do enhancement in mainline Linux Solution 2: If it is not possible to have these two settings in kernel as per Solution 1, Guix may maintain a patch to kernel that would do this. - pros: no need to enhance mainline Linux - cons: will impact users who do use Guix and compile Linux kernel them selves Solution 3: Handle in Guix configuration. Everything below related to solution 3. Currently it is set as folowing: ;; gnu/services/sysctl.scm (define-module .... #:export (.... %default-sysctl-settings) (define %default-sysctl-settings ;; Default kernel parameters enabled with sysctl. '(("fs.protected_hardlinks" . "1") ("fs.protected_symlinks" . "1"))) (define-record-type* <sysctl-configuration> sysctl-configuration make-sysctl-configuration sysctl-configuration? (sysctl sysctl-configuration-sysctl ; path of the 'sysctl' command (default (file-append procps "/sbin/sysctl"))) (settings sysctl-configuration-settings ; alist of string pairs (default %default-sysctl-settings))) ;; ends- gnu/services/sysctl.scm And sysctl-service-type it self is added to the %base-services. Since sysctl-configuration-settings function to access settings field of sysctl-configuration instance is not exported, I have to do the following in my configuration: (define nomad-gx1-os (operating-system (inherit my-base-nomad-os) ;; important line-#1 ... (services (modify-services my-base-nomad-services (sysctl-service-type config => (inherit config) (settings (append %default-sysctl-settings ;; from gnu/services/sysctl.scm '(("fs.inotify.max_user_watches" . "524288") ("fs.inotify.max_user_instances" . "16384") ("fs.inotify.max_queued_events" . "65536"))))))))) This is fine, until I extend sysctl-service-type in my-base-nomad-os. Then I have to export my-base-nomad-sysctl-settings and join them with %default-sysctl-settings and extra settings for nomad-gx1-os. While it is bearable for one or two levels of inheritance, it becomes hard to keep track for more levels and/or many hosts. If sysctl-configuration-settings would be exported as per #47323, then my configuration would become simplier: (services (modify-services my-base-nomad-services (sysctl-service-type config => (inherit config) (settings (append (sysctl-configuration-settings config) ;; now I can't do this '(("fs.inotify.max_user_watches" . "524288") ("fs.inotify.max_user_instances" . "16384") ("fs.inotify.max_queued_events" . "65536"))))))))) In this case, if Guix documentation will include sysctl-configuration-settings, then most likely people won't forget use %default-sysctl-settings, and it is still possible to override them if one desires not to use protected symlinks and hardlinks.
diff --git a/gnu/services/base.scm b/gnu/services/base.scm index f6a490f712..edd2c8e355 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -3,7 +3,7 @@ ;;; Copyright © 2015, 2016 Alex Kost <alezost@gmail.com> ;;; Copyright © 2015, 2016, 2020 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com> -;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name> +;;; Copyright © 2016, 2017, 2021 Leo Famulari <leo@famulari.name> ;;; Copyright © 2016 David Craven <david@craven.ch> ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net> ;;; Copyright © 2018 Mathieu Othacehe <m.othacehe@gmail.com> @@ -35,6 +35,7 @@ #:use-module (gnu services) #:use-module (gnu services admin) #:use-module (gnu services shepherd) + #:use-module (gnu services sysctl) #:use-module (gnu system pam) #:use-module (gnu system shadow) ; 'user-account', etc. #:use-module (gnu system uuid) @@ -2532,6 +2533,12 @@ to handle." (udev-configuration (rules (list lvm2 fuse alsa-utils crda)))) + (service sysctl-service-type + (sysctl-configuration + (settings + '(("fs.protected_hardlinks" . "1") + ("fs.protected_symlinks" . "1"))))) + (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env"))))))