From patchwork Thu May 1 08:29:34 2025
X-Patchwork-Submitter: Rutherther
X-Patchwork-Id: 42201
Subject: [bug#78179] [PATCH 1/4] gnu: %privileged-program-directory: Export variable.
To: 78179@debbugs.gnu.org
Date: Thu, 1 May 2025 10:29:34 +0200
From: Rutherther

* gnu/build/activation.scm (%privileged-program-directory): Export.

Change-Id: I4929b35d9d1fc72aaae68e40cc144d1589fab0b2
--- gnu/build/activation.scm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm index 272a789291..e8a70dc739 100644 --- a/gnu/build/activation.scm +++ b/gnu/build/activation.scm 
@@ -50,7 +50,9 @@ (define-module (gnu build activation) activate-firmware activate-ptrace-attach activate-current-system - mkdir-p/perms)) + mkdir-p/perms + + %privileged-program-directory)) ;;; Commentary: ;;; 

From patchwork Thu May 1 08:29:35 2025
X-Patchwork-Submitter: Rutherther
X-Patchwork-Id: 42199
Subject: [bug#78179] [PATCH 2/4] guix: Add (guix build privileged) module.
To: 78179@debbugs.gnu.org
Date: Thu, 1 May 2025 10:29:35 +0200
Message-ID: <3ae3ac7b699eaacde6091d05ece786a536872066.1746086472.git.rutherther@ditigal.xyz>
From: Rutherther

Wireshark refers to #$output/bin/dumpcap to start dumpcap. This means it's problematic to make a service for it that would add dumpcap to privileged programs.

This procedure introduces a possibility to replace a file in the output with a script that will try to execute binary in /run/privileged/bin first, and fallback to the original one from store. This ensures the package works on both Guix System and foreign distros.

The downside is that /run/privileged/bin will be executed every time, so it would be impossible to test different versions of the packages. To overcome that, GUIX_SKIP_PRIVILEGED variable is introduced, and if set, the original dumpcap will be used.

* guix/build/privileged.scm (unwrap): Removes wrapping by wrap-program
* guix/build/privileged.scm (wrap-privileged): Make a shell script for a program that needs privileges

Change-Id: Ieacd7f2d80c5b6ecba74d9309cb2c5a6d556aa8e
--- guix/build/privileged.scm | 48 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 guix/build/privileged.scm diff --git a/guix/build/privileged.scm b/guix/build/privileged.scm new file mode 100644 index 0000000000..6a456e02c0 --- /dev/null +++ b/guix/build/privileged.scm 
@@ -0,0 +1,48 @@ +(define-module (guix build privileged) + #:use-module (gnu build activation) + #:use-module (guix build utils) + #:use-module (ice-9 format) + #:export (wrap-privileged)) + +;;; Move .xxx-real to xxx, if it exists. +(define (unwrap binary) + (let* ((name (basename binary)) + (folder (dirname binary)) + (real (string-append folder "/." name "-real"))) + (when (file-exists? real) + (format #t "Unwrapping ~a~%" binary) + (rename-file real binary)))) + +;;; +;;; 1. Move {output}/{original} to {output}/{target-folder}/{target-name}. +;;; 2. Make a script at original-binary that executes /run/privileged/bin/{target-name} +;;; if it exists, if not, output/{target-folder}/{target-name} is executed. +;;; +(define* (wrap-privileged output + original + target-name + #:key + (unwrap? #t) + (target-folder "privileged") + (privileged-directory %privileged-program-directory)) + "Make a shell wrapper for binary that should be ran as privileged. + +The wrapper script will try executing binary in /run/privileged/bin, if it exists, +and if not, it will fall back to the original." + (let ((original-file (string-append output "/" original)) + (target-file (string-append output "/" target-folder "/" target-name)) + (privileged-file (string-append privileged-directory "/" target-name))) + (when unwrap? 
+ (unwrap original-file)) + (mkdir-p (dirname target-file)) + (rename-file original-file target-file) + (call-with-output-file original-file + (lambda (port) + (format port "#!/usr/bin/env bash +if [[ -z \"$GUIX_SKIP_PRIVILEGED\" && -f \"~a\" ]]; then + exec -a \"$0\" \"~a\" \"$@\" +fi + +exec -a \"$0\" \"~a\" \"$@\" +" privileged-file privileged-file target-file) + (chmod port #o555))))) 

From patchwork Thu May 1 08:29:36 2025
X-Patchwork-Submitter: Rutherther
X-Patchwork-Id: 42200
Subject: [bug#78179] [PATCH 3/4] gnu: wireshark: Wrap dumpcap with wrap-privileged.
To: 78179@debbugs.gnu.org
Date: Thu, 1 May 2025 10:29:36 +0200
Message-ID: <9df66aad0fb0acd1419c1a805896ad1d8ba174b0.1746086472.git.rutherther@ditigal.xyz>
From: Rutherther

Wraps Wireshark so that dumpcap can be made a privileged program. The ...wireshark/bin/dumpcap will be a shell script that tries to execute /run/privileged/bin/dumpcap first and falls back to the original dumpcap that is stored in ...wireshark/privileged/dumpcap.

* gnu/packages/networking.scm (wireshark)[modules]: Add guix build privileged.
* gnu/packages/networking.scm (wireshark)[imported-modules]: Add guix build privileged.
* gnu/packages/networking.scm (wireshark)[inputs]: Add bash.
* gnu/packages/networking.scm (wireshark)[phases]: Add wrap-dumpcap phase executing wrap-privileged.

Change-Id: Ia19670d0372af40c01a26c1d15f41ce668ce023d
--- gnu/packages/networking.scm | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) 
diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm index 2a27474826..f957cc02e5 100644 --- a/gnu/packages/networking.scm +++ b/gnu/packages/networking.scm @@ -87,6 +87,7 @@ (define-module (gnu packages networking) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix modules) #:use-module (guix gexp) #:use-module (guix git-download) #:use-module (guix build-system cmake) @@ -1829,6 +1830,11 @@ (define-public wireshark (build-system qt-build-system) (arguments (list + #:modules `((guix build privileged) + (guix build qt-build-system) + (guix build utils)) + #:imported-modules `(,@(source-module-closure '((guix build privileged))) + ,@%qt-build-system-modules) ;; This causes the plugins to register runpaths for the wireshark ;; libraries, which would otherwise cause the validate-runpath phase to ;; fail. 
@@ -1844,9 +1850,16 @@ (define-public wireshark (invoke "ctest" "-VV" "-j" (if parallel-tests? (number->string (parallel-job-count)) - "1")))))))) + "1"))))) + (add-after 'qt-wrap 'wrap-dumpcap + (lambda _ + (wrap-privileged + #$output + "bin/dumpcap" + "dumpcap")))))) (inputs - (list c-ares + (list bash + c-ares glib gnutls brotli 

From patchwork Thu May 1 08:29:37 2025
X-Patchwork-Submitter: Rutherther
X-Patchwork-Id: 42202
Subject: [bug#78179] [PATCH 4/4] services: Add wireshark-service-type.
To: 78179@debbugs.gnu.org
Date: Thu, 1 May 2025 10:29:37 +0200
From: Rutherther

Adds wireshark service that puts wireshark to the profile and dumpcap to privileged programs so that any user can use wireshark on the system.

* gnu/services/networking.scm (wireshark-configuration): New variable.
* gnu/services/networking.scm (wireshark-privileged-program): New variable.
* gnu/services/networking.scm (wireshark-service-type): New variable.

Change-Id: Id4b0ce02fecc43592784bf22aaafa83b63c599d4
--- gnu/services/networking.scm | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 67653e2cbf..cd418f5f16 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm 
@@ -51,6 +51,7 @@ (define-module (gnu services networking) #:use-module (gnu system shadow) #:use-module (gnu system pam) #:use-module ((gnu system file-systems) #:select (file-system-mapping)) + #:use-module (gnu system privilege) #:use-module (gnu packages admin) #:use-module (gnu packages base) #:use-module (gnu packages bash) @@ -290,7 +291,12 @@ (define-module (gnu services networking) keepalived-configuration keepalived-configuration? - keepalived-service-type)) + keepalived-service-type + + wireshark-configuration + wireshark-configuration? + wireshark-configuration-wireshark + wireshark-service-type)) ;;; Commentary: ;;; @@ -2726,4 +2732,31 @@ (define keepalived-service-type "Run @uref{https://www.keepalived.org/, Keepalived} routing software."))) +(define-configuration wireshark-configuration + (wireshark + (file-like wireshark) + "wireshark package.") + (no-serialization)) + +(define (wireshark-privileged-programs config) + (list + (privileged-program + (program + (file-append (wireshark-configuration-wireshark config) "/privileged/dumpcap")) + (capabilities "cap_net_raw,cap_net_admin=eip")))) + +(define wireshark-service-type + (service-type + (name 'wireshark) + (extensions + (list + (service-extension profile-service-type + (compose list wireshark-configuration-wireshark)) + (service-extension privileged-program-service-type + wireshark-privileged-programs))) + (default-value (wireshark-configuration)) + (description "Run wireshark. https://www.wireshark.org/ + +All users of the system will be able to run dumpcap without special permissions."))) + ;;; networking.scm ends here
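
Review bot: in [PATCH 2/4], the script that wrap-privileged writes guards the privileged path with `-f`, which only shows that a regular file exists there; if that file is present but not executable, the first `exec -a` fails and a non-interactive bash exits at that point, so the store fallback on the last line is never reached. Testing with `-x` keeps the fallback reachable. The shebang is also the literal `#!/usr/bin/env bash`, so the wrapper runs whatever bash is first in PATH at run time; taking an absolute bash path as an argument would pin it. The docstring should describe the #:unwrap?, #:target-folder and #:privileged-directory keys and say "should be run", and the new file starts directly at `(define-module` without a copyright and license header.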
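
Review bot: in [PATCH 3/4], hunk @@ -1829,6 +1830,11 @@, the #:imported-modules entry takes `source-module-closure '((guix build privileged))`, and that module uses (gnu build activation) only to read %privileged-program-directory, so the activation module and everything it imports become part of the wireshark build. wrap-privileged already has a #:privileged-directory key; passing the directory from the package as a plain string would let (guix build privileged) drop that import and keep the build-side module set small. A one-line comment on why #:modules has to be spelled out here would also help the next reader.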
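
Review bot: in [PATCH 3/4], hunk @@ -1844,9 +1850,16 @@, the wrap-dumpcap phase calls wrap-privileged with its default `unwrap?` of #t, so if 'qt-wrap wrapped bin/dumpcap, that wrapper is renamed away and its environment setup no longer applies to dumpcap; the phase needs a comment saying this is intended and why it is safe for dumpcap. The same hunk adds bash to inputs, but the script written in [PATCH 2/4] starts with a literal `#!/usr/bin/env bash`, so nothing in these lines ties the wrapper to that input; either use the input's bash in the shebang or drop the input.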
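
Review bot: in [PATCH 4/4], hunk @@ -290,7 +291,12 @@, the export list adds wireshark-configuration? and wireshark-configuration-wireshark, which the commit message does not list, and the commit message names wireshark-privileged-program while the procedure defined later in the patch is wireshark-privileged-programs. Aligning the ChangeLog entries with the names in the diff keeps the log searchable.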
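
Review bot: in [PATCH 4/4], hunk @@ -2726,4 +2732,31 @@, wireshark-privileged-programs grants dumpcap `cap_net_raw,cap_net_admin=eip` with nothing limiting who may execute it, and the description confirms that all users can then run it, so enabling the service lets every local account capture traffic on the host. A configuration field that restricts capture to a dedicated group, with the open behaviour as an explicit choice, would make that trade-off visible; the diffstat shows only gnu/services/networking.scm changed, so the manual has no entry for the service or for this exposure. The description also opens with "Run wireshark." although the service starts nothing, and gives the URL bare where the keepalived description just above uses @uref.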