From patchwork Tue Apr 8 12:24:44 2025
X-Patchwork-Submitter: Ludovic Courtès
X-Patchwork-Id: 41449
Subject: [bug#77638] [PATCH 4/8] guix home: ‘container’ provides a read-only root file system.
Resent-From: Ludovic Courtès
Resent-CC: andrew@trop.in, guix@cbaines.net, janneke@gnu.org, dev@jpoiret.xyz, ludo@gnu.org, othacehe@gnu.org, zimon.toutoune@gmail.com, tanguy@bioneland.org, me@tobias.gr, guix-patches@gnu.org
Resent-Date: Tue, 08 Apr 2025 12:27:02 +0000
X-GNU-PR-Message: followup 77638
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 77638@debbugs.gnu.org
Cc: Ludovic Courtès, Andrew Tropin, Christopher Baines, Janneke Nieuwenhuizen, Josselin Poiret, Mathieu Othacehe, Simon Tournier, Tanguy Le Carrour, Tobias Geerinckx-Rice
From: Ludovic Courtès
Date: Tue, 8 Apr 2025 14:24:44 +0200
X-Mailer: git-send-email 2.49.0
X-getmail-retrieved-from-mailbox: Patches

* guix/scripts/home.scm (spawn-home-container): Move creation of accounts, /etc/hosts, /tmp, and HOME-DIRECTORY from the first argument of ‘eval/container’ to #:populate-file-system. Remove #:writable-root?.
* tests/guix-home.sh: Test that the root file system is read-only.

Change-Id: Icda54706321d51b95b563c86c3fb2238cc65ee20
---
 guix/scripts/home.scm | 79 +++++++++++++++++++++----------------------
 tests/guix-home.sh    |  3 +-
 2 files changed, 41 insertions(+), 41 deletions(-)

diff --git a/guix/scripts/home.scm b/guix/scripts/home.scm
index 7ce6217324..6fcb0ca382 100644
--- a/guix/scripts/home.scm
+++ b/guix/scripts/home.scm
@@ -34,6 +34,10 @@ (define-module (guix scripts home) home-shepherd-configuration-services shepherd-service-requirement) #:autoload (guix modules) (source-module-closure) + #:autoload (gnu build accounts) (password-entry + group-entry + write-passwd + write-group) #:autoload (gnu build linux-container) (call-with-container %namespaces) #:autoload (gnu system linux-container) (eval/container) #:autoload (gnu system file-systems) (file-system 
@@ -283,14 +287,13 @@ (define* (spawn-home-container home (with-extensions (list guile-gcrypt) (with-imported-modules `(((guix config) => ,(make-config.scm)) ,@(source-module-closure - '((gnu build accounts) - (guix profiles) + '((guix profiles) (guix build utils) (guix build syscalls)) #:select? not-config?)) #~(begin (use-modules (guix build utils) - (gnu build accounts) + ((guix profiles) #:select (load-profile)) ((guix build syscalls) #:select (set-network-interface-up))) @@ -300,46 +303,10 @@ (define* (spawn-home-container home (define term #$(getenv "TERM")) - (define passwd - (password-entry - (name #$user-name) - (real-name #$user-real-name) - (uid #$uid) (gid #$gid) (shell shell) - (directory #$home-directory))) - - (define groups - (list (group-entry (name "users") (gid #$gid)) - (group-entry (gid 65534) ;the overflow GID - (name "overflow")))) - - ;; (guix profiles) loads (guix utils), which calls 'getpw' from the - ;; top level. Thus, arrange so that it's loaded after /etc/passwd - ;; has been created. - (module-autoload! (current-module) - '(guix profiles) '(load-profile)) - - ;; Create /etc/passwd for applications that need it, such as mcron. - (mkdir-p "/etc") - (write-passwd (list passwd)) - (write-group groups) - - (unless #$network? - ;; When isolated from the network, provide a minimal /etc/hosts - ;; to resolve "localhost". - (call-with-output-file "/etc/hosts" - (lambda (port) - (display "127.0.0.1 localhost\n" port) - (chmod port #o444)))) - - ;; Create /tmp; bits of code expect it, such as - ;; 'least-authority-wrapper'. - (mkdir-p "/tmp") - ;; Set PATH for things that the activation script might expect, such ;; as "env". (load-profile #$system-profile) - (mkdir-p #$home-directory) (setenv "HOME" #$home-directory) (setenv "GUIX_NEW_HOME" #$home) (primitive-load (string-append #$home "/activate")) 
@@ -359,6 +326,39 @@ (define* (spawn-home-container home ((_ ...) #~("-c" #$(string-join command)))))))) + #:populate-file-system + (lambda () + ;; Create files before the root file system is made read-only. + (define passwd + (password-entry + (name user-name) + (real-name user-real-name) + (uid uid) (gid gid) + (shell "/bin/sh") ;unused, doesn't have to match (user-shell) + (directory home-directory))) + + (define groups + (list (group-entry (name "users") (gid gid)) + (group-entry (gid 65534) ;the overflow GID + (name "overflow")))) + + ;; Create /etc/passwd for applications that need it, such as mcron. + (mkdir-p "/etc") + (write-passwd (list passwd)) + (write-group groups) + + (unless network? + ;; When isolated from the network, provide a minimal /etc/hosts + ;; to resolve "localhost". + (call-with-output-file "/etc/hosts" + (lambda (port) + (display "127.0.0.1 localhost\n" port) + (chmod port #o444)))) + + ;; Create /tmp; bits of code expect it, such as + ;; 'least-authority-wrapper'. + (mkdir-p "/tmp")) + #:namespaces (if network? (delq 'net %namespaces) ; share host network %namespaces) @@ -375,7 +375,6 @@ (define* (spawn-home-container home (type "tmpfs") (check? #f))) #:mappings (append network-mappings mappings) - #:writable-root? #t #:guest-uid uid #:guest-gid gid)) diff --git a/tests/guix-home.sh b/tests/guix-home.sh index 649d811a0c..dbfe7dbd48 100644 --- a/tests/guix-home.sh +++ b/tests/guix-home.sh @@ -1,7 +1,7 @@ # GNU Guix --- Functional package management for GNU # Copyright © 2021-2023 Andrew Tropin # Copyright © 2021 Oleg Pykhalov -# Copyright © 2022, 2023 Ludovic Courtès +# Copyright © 2022-2023, 2025 Ludovic Courtès # # This file is part of GNU Guix. # @@ -132,6 +132,7 @@ EOF test -f '$HOME/sample/home.scm' guix home container home.scm --expose="$PWD=$HOME/sample" -- \ rm -v '$HOME/sample/home.scm' && false + guix home container home.scm -- touch /whatever && false else echo "'guix home container' test SKIPPED" >&2 fi
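Review bot: in the @@ -283,14 +287,13 @@ hunk, the new direct `((guix profiles) #:select (load-profile))` import is only safe because #:populate-file-system now writes /etc/passwd before the container body is evaluated; the `module-autoload!` workaround removed in the next hunk carried the only explanation of that hazard ((guix profiles) pulls in (guix utils), which calls 'getpw' at the top level). Keep a one-line comment next to the new import stating that the ordering is now guaranteed by #:populate-file-system, so the constraint is not silently lost the next time someone touches these imports.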
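Review bot: in the @@ -300,46 +303,10 @@ hunk, `(mkdir-p #$home-directory)` is dropped and the commit message says HOME-DIRECTORY creation moves to #:populate-file-system, but the lambda added in the @@ -359 hunk creates only /etc, /etc/passwd, /etc/group, /etc/hosts and /tmp, with no `(mkdir-p home-directory)`. Either add that call to the thunk or, if the tmpfs file-system in the @@ -375 hunk is what creates the mount point, say so in the commit message instead of listing HOME-DIRECTORY among the things moved.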
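Review bot: in the @@ -359,6 +326,39 @@ hunk, the passwd entry's shell field changes from the container-side `shell` variable to the literal `"/bin/sh"`, a path that need not exist inside a Guix container, so any consumer of /etc/passwd that does look at the field is handed a dangling path; the comment asserts it is unused, so it should name which consumers (mcron is the one cited) only need the uid/gid/home fields, or keep the real shell. The thunk also relies on absolute `/etc` and `/tmp` paths, which only does the right thing if eval/container invokes #:populate-file-system with the new root already in place; the "Create files before the root file system is made read-only" comment would be a good place to state that assumption.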
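Review bot: in the @@ -375,7 +375,6 @@ hunk, dropping `#:writable-root? #t` leaves the read-only root to eval/container's default rather than stating it at the call site; passing an explicit `#:writable-root? #f` documents the intent next to `#:guest-uid`/`#:guest-gid` and keeps the behaviour (and the new test) intact if the default ever changes.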
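Review bot: in the tests/guix-home.sh @@ -132,6 +132,7 @@ hunk, `guix home container home.scm -- touch /whatever && false` is a negative-only check, so it also passes when the container fails to start or never runs the command. Pair it with a positive write to a location that must remain writable, for example `guix home container home.scm -- touch '$HOME/writable'` in the same single-quote style as the existing `rm -v '$HOME/sample/home.scm'` line (the activation script itself writes into HOME-DIRECTORY, so it has to stay writable); that way a regression that makes everything read-only, or breaks the container outright, is caught rather than silently counted as success.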