From patchwork Mon Mar 15 18:56:06 2021
X-Patchwork-Submitter: Leo Famulari
Subject: [bug#47013] [PATCH] gnu: Harden filesystem links.
To: 47013@debbugs.gnu.org
Date: Mon, 15 Mar 2021 14:56:06 -0400
From: Leo Famulari

On Fri, Mar 12, 2021 at 05:51:21PM -0500, Leo Famulari wrote:
> Does anyone know how we could make it possible for users to change these
> new defaults?

With assistance from roptat on #guix, I wrote these patches that work well
and meet all the requirements I had in mind.

Your thoughts? I'd like to push this soon.

From 38f1aaf8b44739ccfb1f824c7fb85d4dc6b5d991 Mon Sep 17 00:00:00 2001
From: Leo Famulari Date: Mon, 15 Mar 2021 14:51:52 -0400 Subject: [PATCH 1/2] services: sysctl: Add a service to set default kernel parameters. * gnu/services/sysctl.scm (default-sysctl-settings-service-type): New public variable. * doc/guix.texi (Miscellaneous Services): Document it. Co-authored-by: Julien Lepiller --- doc/guix.texi | 4 ++++ gnu/services/sysctl.scm | 13 ++++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index 3e7ffc81bc..d468c6f742 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -31419,6 +31419,10 @@ An association list specifies kernel parameters and their values. @end table @end deftp +@defvr {Scheme Variable} default-sysctl-settings-service-type +The service type used to set default kernel parameters. +@end defvr + @cindex pcscd @subsubheading PC/SC Smart Card Daemon Service diff --git a/gnu/services/sysctl.scm b/gnu/services/sysctl.scm index eb7a61b2a9..83704084c3 100644 --- a/gnu/services/sysctl.scm +++ b/gnu/services/sysctl.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2017 Sou Bunnbu +;;; Copyright © 2021 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -25,7 +26,8 @@ #:use-module (srfi srfi-1) #:use-module (ice-9 match) #:export (sysctl-configuration - sysctl-service-type)) + sysctl-service-type + default-sysctl-settings-service-type)) ;;; @@ -74,3 +76,12 @@ (settings (append (sysctl-configuration-settings config) settings))))) (default-value (sysctl-configuration)))) + +(define default-sysctl-settings-service-type +; "Return a service that is used to set default kernel parameters for Guix +; System." + (service-type + (name 'default-sysctl-settings) + (extensions + (list (service-extension sysctl-service-type + identity))))) -- 2.30.2 From 3040f0bb33439f041eed85e8c8e80bb52d6277cc Mon Sep 17 00:00:00 2001 
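Review bot: the new @defvr entry in the doc/guix.texi hunk says only what the variable is ("The service type used to set default kernel parameters."), not how a user interacts with it, which is the whole point of this patch series according to the cover text. State that the service value is an association list of kernel parameters and their values, in the same format as the settings field of sysctl-configuration documented just above it, and show the override recipe, e.g. `(modify-services %base-services (default-sysctl-settings-service-type settings => '(("fs.protected_symlinks" . "1"))))`, so that someone reading the manual knows this is the hook for changing or dropping the defaults.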
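Review bot: in the gnu/services/sysctl.scm hunk, the two lines `; "Return a service that is used to set default kernel parameters for Guix` and `; System."` are a commented-out docstring: a `define` of a non-procedure value cannot carry a docstring in Guile, so this is dead text, and it also misdescribes the binding (it is a service type, not a procedure that returns a service). Replace it with an ordinary `;;` comment above the define, e.g. `;; Service type used to set default kernel parameters on Guix System.`, and mention there that the type has no `compose`/`extend`, so it cannot be extended and at most one instance may appear in a system's services; users who want to add their own settings still use sysctl-service-type, and this type exists only so the shipped defaults can be replaced with modify-services.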
From: Leo Famulari Date: Mon, 15 Mar 2021 14:31:48 -0400 Subject: [PATCH 2/2] system: Harden filesystem links. These sysctl options are enabled on most GNU/Linux distros, including Debian, Fedora, NixOS, and OpenSUSE. I've tested this options on Guix System for several weeks, and they don't appear to break anything. Plus, we know that Guix works on other distros that enable these restrictions. References: https://sysctl-explorer.net/fs/protected_hardlinks/ https://sysctl-explorer.net/fs/protected_symlinks/ * gnu/services/base.scm (%base-services): Add default-sysctl-settings-service-type. --- gnu/services/base.scm | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index f6a490f712..646ad800f4 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -3,7 +3,7 @@ ;;; Copyright © 2015, 2016 Alex Kost ;;; Copyright © 2015, 2016, 2020 Mark H Weaver ;;; Copyright © 2015 Sou Bunnbu -;;; Copyright © 2016, 2017 Leo Famulari +;;; Copyright © 2016, 2017, 2021 Leo Famulari ;;; Copyright © 2016 David Craven ;;; Copyright © 2016 Ricardo Wurmus ;;; Copyright © 2018 Mathieu Othacehe @@ -35,6 +35,7 @@ #:use-module (gnu services) #:use-module (gnu services admin) #:use-module (gnu services shepherd) + #:use-module (gnu services sysctl) #:use-module (gnu system pam) #:use-module (gnu system shadow) ; 'user-account', etc. #:use-module (gnu system uuid) @@ -2532,6 +2533,10 @@ to handle." (udev-configuration (rules (list lvm2 fuse alsa-utils crda)))) + (service default-sysctl-settings-service-type + '(("fs.protected_hardlinks" . "1") + ("fs.protected_symlinks" . "1"))) + (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env"))))))
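Review bot: the gnu/services/base.scm hunk hard-codes both values inside %base-services, so the only way for an operator to turn one of them off is modify-services on default-sysctl-settings-service-type, yet neither this commit message nor the %base-services documentation says so; add a sentence to the manual's description of %base-services (or at least to the commit message) with that recipe. It is also worth recording in the commit message the one behaviour change most likely to be noticed, namely that with fs.protected_hardlinks set to 1 unprivileged users can no longer create hard links to files they neither own nor have read and write access to, which is exactly the kind of breakage the "tested for several weeks" claim is meant to rule out. Minor: "I've tested this options" should read "these options".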