From patchwork Fri Mar 12 22:05:51 2021
X-Patchwork-Submitter: Leo Famulari
X-Patchwork-Id: 27681
Subject: [bug#47013] [PATCH] gnu: Harden filesystem links.
References: <7072c80a192f3c136cb70da4a0662d77ce508b56.1615236603.git.leo@famulari.name>
In-Reply-To: <7072c80a192f3c136cb70da4a0662d77ce508b56.1615236603.git.leo@famulari.name>
Resent-From: Leo Famulari
Resent-Date: Fri, 12 Mar 2021 22:07:01 +0000
To: 47013@debbugs.gnu.org
Date: Fri, 12 Mar 2021 17:05:51 -0500
From: Leo Famulari

Here is an updated patch that can be composed with other sysctl-service-types that the user may have added to config.scm.

From 1e3bd831899a4ec9dfa7199a381421adbfe0dcf7 Mon Sep 17 00:00:00 2001
From: Leo Famulari Date: Fri, 12 Mar 2021 17:03:26 -0500 Subject: [PATCH] system: Harden filesystem links. These sysctl options are enabled on most GNU/Linux distros, including Debian, Fedora, NixOS, and OpenSUSE. I've tested this patch on Guix System for several weeks, and it doesn't appear to break anything. Plus, we know that Guix works on other distros that enable these restrictions. References: https://sysctl-explorer.net/fs/protected_hardlinks/ https://sysctl-explorer.net/fs/protected_symlinks/ * gnu/services/base.scm (default-sysctl-settings): New variable. (%base-services): Add default-sysctl-settings. --- gnu/services/base.scm | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index f6a490f712..64aac36401 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -35,6 +35,7 @@ #:use-module (gnu services) #:use-module (gnu services admin) #:use-module (gnu services shepherd) + #:use-module (gnu services sysctl) #:use-module (gnu system pam) #:use-module (gnu system shadow) ; 'user-account', etc. #:use-module (gnu system uuid) @@ -2484,6 +2485,11 @@ to handle." (requirement requirement) (name-servers name-servers))))) +(define (default-sysctl-settings default-settings) + (simple-service 'base-sysctl-settings + sysctl-service-type + default-settings)) + (define %base-services ;; Convenience variable holding the basic services. @@ -2532,6 +2538,10 @@ to handle." (udev-configuration (rules (list lvm2 fuse alsa-utils crda)))) + (default-sysctl-settings + '(("fs.protected_hardlinks" . "1") + ("fs.protected_symlinks" . "1"))) + (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env"))))))
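Review bot: in the second hunk (`@@ -2484,6 +2485,11 @@`), `default-sysctl-settings` is a procedure that takes `default-settings` and wraps it in `simple-service`, yet the ChangeLog entry in the commit message calls it a "New variable" and the name reads like a variable holding the defaults rather than a constructor; please make the two agree. The simpler shape would be a plain exported variable holding the alist (for example `%default-sysctl-settings`) with the `(simple-service 'base-sysctl-settings sysctl-service-type ...)` call written directly in `%base-services`, so users can refer to the list when building their own settings; if the procedure stays, give it a docstring. Two smaller points on the same lines: the service name `'base-sysctl-settings` is hard-coded, so calling the procedure twice yields two distinct service types with the same name, which is confusing to inspect; and `simple-service` only extends `sysctl-service-type`, so please confirm the target is instantiated in the resulting system (a `(service sysctl-service-type)` entry or a `default-value` on the type), otherwise `guix system` will complain about an extension whose target service is not provided.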
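Review bot: in the third hunk (`@@ -2532,6 +2538,10 @@`), the two settings are an inline quoted alist inside `%base-services` and the service is created with `simple-service`, so it has an anonymous service type that `modify-services` cannot name; a user who needs `fs.protected_symlinks` back at 0 (for example to diagnose a legacy application) has no clean handle on it. Extensions to `sysctl-service-type` are composed by concatenation, so a user's own `("fs.protected_symlinks" . "0")` entry and this one both land in the sysctl configuration and the outcome depends on the order in which the extensions are folded; please check which entry wins and say so in the documentation. Suggest exporting the alist as a variable, updating doc/guix.texi where `%base-services` is described to say that it now sets these two knobs and how to override them, and adding a one-line comment above `'(("fs.protected_hardlinks" . "1")` pointing at the two sysctl-explorer references from the commit message so the rationale survives in the source rather than only in git history.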
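The patch turns on `fs.protected_hardlinks` (hard links may only be created to files the caller owns or can read and write) and `fs.protected_symlinks` (symlinks in world-writable sticky directories are followed only when the follower matches the link's or the directory's owner). As an added example, not code from this patch or from Guix, here is a POSIX shell audit that checks whether both knobs are actually in effect on a running kernel. It assumes the usual procfs layout, `/proc/sys/fs/protected_hardlinks` and `/proc/sys/fs/protected_symlinks`; the procfs root is a parameter so the same check can be pointed at a constructed directory tree, and the helper that builds that tree (`make_fake_procsys`) and the function names are mine.

```shell
#!/bin/sh
# Added example (not part of the Guix patch): audit the two fs.protected_*
# sysctl knobs.  Assumption: the kernel exposes them as files under
# $root/fs/, which is where /proc/sys/fs/protected_{hardlinks,symlinks}
# live on a normal Linux system.

# Print "name=value" for one knob.  The value is the literal "missing" if
# the kernel does not expose the file (old kernel, non-Linux host, or a
# container that hides /proc/sys), which the caller treats as not hardened.
read_knob() {
    root=$1; name=$2
    if [ -r "$root/fs/$name" ]; then
        printf '%s=%s\n' "$name" "$(cat "$root/fs/$name")"
    else
        printf '%s=missing\n' "$name"
    fi
}

# Return 0 only when both protections are enabled (value 1), 1 otherwise.
# $1 is the procfs root; it defaults to the live /proc/sys.
link_protection_ok() {
    root=${1:-/proc/sys}
    status=0
    for name in protected_hardlinks protected_symlinks; do
        line=$(read_knob "$root" "$name")
        value=${line#*=}
        case $value in
            1) echo "ok      fs.$name = 1" ;;
            *) echo "WEAK    fs.$name = $value (expected 1)"; status=1 ;;
        esac
    done
    return $status
}

# Build a constructed procfs-like tree so the check can run without root
# and without touching the real /proc.  $1 and $2 are the values to write
# for protected_hardlinks and protected_symlinks; prints the directory.
make_fake_procsys() {
    dir=$(mktemp -d)
    mkdir -p "$dir/fs"
    printf '%s\n' "$1" > "$dir/fs/protected_hardlinks"
    printf '%s\n' "$2" > "$dir/fs/protected_symlinks"
    printf '%s\n' "$dir"
}

# Live system:   link_protection_ok
# Offline demo:  link_protection_ok "$(make_fake_procsys 1 0)"
```

On a Guix System built with this patch, `link_protection_ok` with no argument should print two `ok` lines and exit 0; running it before reconfiguring (or on a system where a user-added extension sets either knob to 0) shows which knob is the weak one and exits 1, which makes it usable as a post-reconfigure check in a script.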