From patchwork Mon Mar 8 20:50:03 2021
X-Patchwork-Submitter: Leo Famulari
X-Patchwork-Id: 27549
Subject: [bug#47013] [PATCH] gnu: Harden filesystem links.
To: 47013@debbugs.gnu.org
From: Leo Famulari
Date: Mon, 8 Mar 2021 15:50:03 -0500
Message-Id: <7072c80a192f3c136cb70da4a0662d77ce508b56.1615236603.git.leo@famulari.name>
X-Mailer: git-send-email 2.30.1

These sysctl options are enabled on most GNU/Linux distros, including
Debian, Fedora, NixOS, and OpenSUSE.

I've tested this patch on Guix System for several weeks, and it doesn't
appear to break anything. Plus, we know that Guix works on other distros
that enable these restrictions.

References:

https://sysctl-explorer.net/fs/protected_hardlinks/
https://sysctl-explorer.net/fs/protected_symlinks/

* gnu/services/base.scm (%base-services): Add a default
sysctl-configuration that enables fs.protected_hardlinks and
fs.protected_symlinks.
---
 gnu/services/base.scm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index f6a490f712..edd2c8e355 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3,7 +3,7 @@ ;;; Copyright © 2015, 2016 Alex Kost ;;; Copyright © 2015, 2016, 2020 Mark H Weaver ;;; Copyright © 2015 Sou Bunnbu -;;; Copyright © 2016, 2017 Leo Famulari +;;; Copyright © 2016, 2017, 2021 Leo Famulari ;;; Copyright © 2016 David Craven ;;; Copyright © 2016 Ricardo Wurmus ;;; Copyright © 2018 Mathieu Othacehe @@ -35,6 +35,7 @@ #:use-module (gnu services) #:use-module (gnu services admin) #:use-module (gnu services shepherd) + #:use-module (gnu services sysctl) #:use-module (gnu system pam) #:use-module (gnu system shadow) ; 'user-account', etc. #:use-module (gnu system uuid) @@ -2532,6 +2533,12 @@ to handle." (udev-configuration (rules (list lvm2 fuse alsa-utils crda)))) + (service sysctl-service-type + (sysctl-configuration + (settings + '(("fs.protected_hardlinks" . "1") + ("fs.protected_symlinks" . "1"))))) + (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env"))))))
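Review bot: in the third hunk the new `(service sysctl-service-type ...)` instance is added unconditionally to %base-services, so any operating-system declaration that already carries its own sysctl-service-type instance will now declare that type twice; unless the type is extensible, that fails at system build time rather than merging the settings. The commit message (and the manual's description of %base-services) should say that the defaults are now changed with modify-services, e.g. `(modify-services %base-services (sysctl-service-type config => (sysctl-configuration (inherit config) (settings ...))))`. It would also help to export the two hardening entries from (gnu services sysctl) as a named list instead of the inline literal `'(("fs.protected_hardlinks" . "1") ("fs.protected_symlinks" . "1"))`, so that a user appending their own settings can keep the protected_hardlinks and protected_symlinks entries without retyping them.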