
[bug#47013] gnu: Harden filesystem links.

Message ID YE+txs/5q6sfGsKn@jasmine.lan
State Accepted
Series [bug#47013] gnu: Harden filesystem links.

Checks

Context Check Description
cbaines/comparison success View comparison
cbaines/git branch success View Git branch
cbaines/applying patch fail View Laminar job
cbaines/issue success View issue

Commit Message

Leo Famulari March 15, 2021, 6:56 p.m. UTC
On Fri, Mar 12, 2021 at 05:51:21PM -0500, Leo Famulari wrote:
> Does anyone know how we could make it possible for users to change these
> new defaults?

With assistance from roptat on #guix, I wrote these patches that work
well and meet all the requirements I had in mind.

Your thoughts? I'd like to push this soon.
From 38f1aaf8b44739ccfb1f824c7fb85d4dc6b5d991 Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 15 Mar 2021 14:51:52 -0400
Subject: [PATCH 1/2] services: sysctl: Add a service to set default kernel
 parameters.

* gnu/services/sysctl.scm (default-sysctl-settings-service-type): New public
variable.
* doc/guix.texi (Miscellaneous Services): Document it.

Co-authored-by: Julien Lepiller <julien@lepiller.eu>
---
 doc/guix.texi           |  4 ++++
 gnu/services/sysctl.scm | 13 ++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

Comments

Julien Lepiller March 15, 2021, 8:23 p.m. UTC | #1
Not tested but looks ok. Could you extend the documentation a bit? Maybe add the expected type of data for the service and an example on how to use it with modify-services? With links to relevant sections.

On March 15, 2021 14:56:06 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>On Fri, Mar 12, 2021 at 05:51:21PM -0500, Leo Famulari wrote:
>> Does anyone know how we could make it possible for users to change these
>> new defaults?
>
>With assistance from roptat on #guix, I wrote these patches that work
>well and meet all the requirements I had in mind.
>
>Your thoughts? I'd like to push this soon.
Ludovic Courtès March 16, 2021, 9:42 p.m. UTC | #2
Hi!

Leo Famulari <leo@famulari.name> wrote:

> From 38f1aaf8b44739ccfb1f824c7fb85d4dc6b5d991 Mon Sep 17 00:00:00 2001
> From: Leo Famulari <leo@famulari.name>
> Date: Mon, 15 Mar 2021 14:51:52 -0400
> Subject: [PATCH 1/2] services: sysctl: Add a service to set default kernel
>  parameters.
>
> * gnu/services/sysctl.scm (default-sysctl-settings-service-type): New public
> variable.
> * doc/guix.texi (Miscellaneous Services): Document it.
>
> Co-authored-by: Julien Lepiller <julien@lepiller.eu>

[...]

> +(define default-sysctl-settings-service-type
> +;  "Return a service that is used to set default kernel parameters for Guix
> +;  System."
> +  (service-type
> +    (name 'default-sysctl-settings)
> +    (extensions
> +      (list (service-extension sysctl-service-type
> +                               identity)))))

[...]

> +        (service default-sysctl-settings-service-type
> +          '(("fs.protected_hardlinks" . "1")
> +            ("fs.protected_symlinks" . "1")))

Why not just use ‘sysctl-service-type’ here?
‘default-sysctl-settings-service-type’ looks very much like
‘sysctl-service-type’, but I’m not sure we need a second one?

Thanks!

Ludo’.
Leo Famulari March 18, 2021, 5:39 p.m. UTC | #3
On Mon, Mar 15, 2021 at 04:23:24PM -0400, Julien Lepiller wrote:
> Not tested but looks ok. Could you extend the documentation a bit?
> Maybe add the expected type of data for the service and an example on
> how to use it with modify-services? With links to relevant sections.

We ended up pushing a slightly different patch from the one you've
replied to.

We did add documentation along the lines you requested, but let me know
if you see more room for improvement:

https://git.savannah.gnu.org/cgit/guix.git/diff/doc/guix.texi?id=898489f48e436e45e86e1ba0fcdb6df5cd5a051a
Julien Lepiller March 18, 2021, 7:45 p.m. UTC | #4
Ah sorry! Looks like my email was delayed, probably an issue on my side. Documentation looks good, thanks!

On March 18, 2021 13:39:20 GMT-04:00, Leo Famulari <leo@famulari.name> wrote:
>On Mon, Mar 15, 2021 at 04:23:24PM -0400, Julien Lepiller wrote:
>> Not tested but looks ok. Could you extend the documentation a bit?
>> Maybe add the expected type of data for the service and an example on
>> how to use it with modify-services? With links to relevant sections.
>
>We ended up pushing a slightly different patch from the one you've
>replied to.
>
>We did add documentation along the lines you requested, but let me know
>if you see more room for improvement:
>
>https://git.savannah.gnu.org/cgit/guix.git/diff/doc/guix.texi?id=898489f48e436e45e86e1ba0fcdb6df5cd5a051a

Patch

diff --git a/doc/guix.texi b/doc/guix.texi
index 3e7ffc81bc..d468c6f742 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -31419,6 +31419,10 @@  An association list specifies kernel parameters and their values.
 @end table
 @end deftp
 
+@defvr {Scheme Variable} default-sysctl-settings-service-type
+The service type used to set default kernel parameters.
+@end defvr
+
 @cindex pcscd
 @subsubheading PC/SC Smart Card Daemon Service
 
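Review bot: the @defvr text added for default-sysctl-settings-service-type is a single sentence and does not say what value the service takes or how a user changes the defaults, which is the question this patch set started from. Suggest stating that the value is an association list of parameter names and values (the shape the preceding entry describes as "An association list specifies kernel parameters and their values"), and adding a modify-services example with a cross-reference to the sysctl-service-type entry.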
diff --git a/gnu/services/sysctl.scm b/gnu/services/sysctl.scm
index eb7a61b2a9..83704084c3 100644
--- a/gnu/services/sysctl.scm
+++ b/gnu/services/sysctl.scm
@@ -1,5 +1,6 @@ 
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2017 Sou Bunnbu <iyzsong@member.fsf.org>
+;;; Copyright © 2021 Leo Famulari <leo@famulari.name>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -25,7 +26,8 @@ 
   #:use-module (srfi srfi-1)
   #:use-module (ice-9 match)
   #:export (sysctl-configuration
-            sysctl-service-type))
+            sysctl-service-type
+            default-sysctl-settings-service-type))
 
 
 ;;;
@@ -74,3 +76,12 @@ 
               (settings (append (sysctl-configuration-settings config)
                                 settings)))))
    (default-value (sysctl-configuration))))
+
+(define default-sysctl-settings-service-type
+;  "Return a service that is used to set default kernel parameters for Guix
+;  System."
+  (service-type
+    (name 'default-sysctl-settings)
+    (extensions
+      (list (service-extension sysctl-service-type
+                               identity)))))
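Review bot: in the new default-sysctl-settings-service-type definition, the extension hands its value through identity to sysctl-service-type, and the context lines above show that type combining settings with (append (sysctl-configuration-settings config) settings), so the defaults land after whatever the user put in their own sysctl-configuration. Please confirm which entry wins when the same key appears twice, since that decides whether a user can override a default from their sysctl-service-type configuration or only through modify-services on this new type. Separately, the docstring is commented out with ";" and says "Return a service" for what is a service type; moving that text, reworded, into the service-type's description field would keep it visible.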
-- 
2.30.2


From 3040f0bb33439f041eed85e8c8e80bb52d6277cc Mon Sep 17 00:00:00 2001
From: Leo Famulari <leo@famulari.name>
Date: Mon, 15 Mar 2021 14:31:48 -0400
Subject: [PATCH 2/2] system: Harden filesystem links.

These sysctl options are enabled on most GNU/Linux distros, including
Debian, Fedora, NixOS, and OpenSUSE.

I've tested these options on Guix System for several weeks, and they
don't appear to break anything. Plus, we know that Guix works on other
distros that enable these restrictions.

References:

https://sysctl-explorer.net/fs/protected_hardlinks/
https://sysctl-explorer.net/fs/protected_symlinks/

* gnu/services/base.scm (%base-services): Add
default-sysctl-settings-service-type.
---
 gnu/services/base.scm | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index f6a490f712..646ad800f4 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3,7 +3,7 @@ 
 ;;; Copyright © 2015, 2016 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2015, 2016, 2020 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
-;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017, 2021 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 David Craven <david@craven.ch>
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2018 Mathieu Othacehe <m.othacehe@gmail.com>
@@ -35,6 +35,7 @@ 
   #:use-module (gnu services)
   #:use-module (gnu services admin)
   #:use-module (gnu services shepherd)
+  #:use-module (gnu services sysctl)
   #:use-module (gnu system pam)
   #:use-module (gnu system shadow)                ; 'user-account', etc.
   #:use-module (gnu system uuid)
@@ -2532,6 +2533,10 @@  to handle."
                  (udev-configuration
                    (rules (list lvm2 fuse alsa-utils crda))))
 
+        (service default-sysctl-settings-service-type
+          '(("fs.protected_hardlinks" . "1")
+            ("fs.protected_symlinks" . "1")))
+
         (service special-files-service-type
                  `(("/bin/sh" ,(file-append bash "/bin/sh"))
                    ("/usr/bin/env" ,(file-append coreutils "/bin/env"))))))
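Review bot: the (service default-sysctl-settings-service-type ...) form added to %base-services has no comment, so a reader of base.scm cannot tell that "fs.protected_hardlinks" and "fs.protected_symlinks" are hardening defaults or which service to target in order to change them. Suggest a short comment above the form stating the intent and naming modify-services on default-sysctl-settings-service-type as the way to adjust the values. It is also worth checking that a system configuration which already declares its own sysctl-service-type still builds and ends up with both its settings and these two.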