From patchwork Wed Mar 17 02:14:00 2021
X-Patchwork-Submitter: Leo Famulari
X-Patchwork-Id: 27890
Subject: [bug#47013] [PATCH v4] gnu: Harden filesystem links.
To: Ludovic Courtès
Cc: 47013@debbugs.gnu.org
Date: Tue, 16 Mar 2021 22:14:00 -0400
From: Leo Famulari
References: <8735wu7nf9.fsf_-_@gnu.org>

On Tue, Mar 16, 2021 at 08:54:52PM -0400, Leo Famulari wrote:
> As a compromise, we could create a new variable %default-sysctl-settings
> and add a sysctl-service-type in %base-services that uses that variable.

Here is a v4 patch that implements this.

I wasn't sure where to put %default-sysctl-settings, so it's in (gnu services sysctl). From my naive perspective, it seemed to me that it belongs in (gnu system), but when I exported it from there, and imported (gnu system) in (gnu services base), building Guix crashes like this:

------
[ 12%] LOAD     guix/scripts/system.scm
ice-9/eval.scm:293:34: error: %default-sysctl-settings: unbound variable
hint: Did you forget `(use-modules (gnu system))'?
make[2]: *** [Makefile:6304: make-go] Error 1
------

From 7c95b94918c0f119a16a9859b250bdc65054f646 Mon Sep 17 00:00:00 2001
From: Leo Famulari Date: Tue, 16 Mar 2021 21:36:36 -0400 Subject: [PATCH v4] system: Harden filesystem links. These sysctl options are enabled on most GNU/Linux distros, including Debian, Fedora, NixOS, and OpenSUSE. I've tested this options on Guix System for several weeks, and they don't appear to break anything. Plus, we know that Guix works on other distros that enable these restrictions. References: https://sysctl-explorer.net/fs/protected_hardlinks/ https://sysctl-explorer.net/fs/protected_symlinks/ * gnu/services/sysctl.scm (%default-sysctl-settings): New public variable. * gnu/services/base.scm (%base-services): Use %default-sysctl-settings. --- gnu/services/base.scm | 5 +++++ gnu/services/sysctl.scm | 8 +++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/gnu/services/base.scm b/gnu/services/base.scm index f6a490f712..eaa86ffb68 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -35,6 +35,7 @@ #:use-module (gnu services) #:use-module (gnu services admin) #:use-module (gnu services shepherd) + #:use-module (gnu services sysctl) #:use-module (gnu system pam) #:use-module (gnu system shadow) ; 'user-account', etc. #:use-module (gnu system uuid) @@ -2532,6 +2533,10 @@ to handle." (udev-configuration (rules (list lvm2 fuse alsa-utils crda)))) + (service sysctl-service-type + (sysctl-configuration + (settings %default-sysctl-settings))) + (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env")))))) diff --git a/gnu/services/sysctl.scm b/gnu/services/sysctl.scm index eb7a61b2a9..dbf918eb3a 100644 --- a/gnu/services/sysctl.scm +++ b/gnu/services/sysctl.scm @@ -25,7 +25,8 @@ #:use-module (srfi srfi-1) #:use-module (ice-9 match) #:export (sysctl-configuration - sysctl-service-type)) + sysctl-service-type + %default-sysctl-settings)) ;;; 
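Review bot: In the base.scm hunk, putting `(service sysctl-service-type (sysctl-configuration (settings %default-sysctl-settings)))` into `%base-services` is a behaviour change for every existing configuration that already lists its own `(service sysctl-service-type ...)` next to `%base-services`: such a system declaration now contains two instances of the type instead of one. The commit message should say so and name the replacement, which the extend procedure visible in sysctl.scm already supports (`(settings (append (sysctl-configuration-settings config) settings))`): either extend the default instance, e.g. `(simple-service 'my-sysctl sysctl-service-type '(("net.ipv4.ip_forward" . "1")))`, or rewrite it with `modify-services` when a setting must be overridden rather than appended. A one-line pointer to that in the commit message saves users a failed `guix system reconfigure` after upgrading.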
@@ -74,3 +75,8 @@ (settings (append (sysctl-configuration-settings config) settings))))) (default-value (sysctl-configuration)))) + +(define %default-sysctl-settings + ;; Default kernel parameters enabled with sysctl. + '(("fs.protected_hardlinks" . "1") + ("fs.protected_symlinks" . "1")))
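Review bot: The comment on `%default-sysctl-settings` ("Default kernel parameters enabled with sysctl.") explains nothing about the two entries, yet this variable is now exported and becomes a system-wide default that people will copy, extend or set back to "0". A short per-entry comment summarising the two sysctl-explorer references cited in the commit message (what `fs.protected_symlinks` refuses to follow in sticky world-writable directories, what `fs.protected_hardlinks` refuses to link) would let the next reader see the trade-off without leaving the file. The diffstat also lists only base.scm and sysctl.scm, so the new public variable gets no entry in doc/guix.texi; documenting it beside `sysctl-service-type`, together with how to append to or replace the defaults, should be part of this patch or an immediate follow-up.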
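To check on a running system that the two settings carried by %default-sysctl-settings are actually in effect, here is an added Python example; it is not code from the patch or from Guix. It reads the live values from /proc/sys, parses both `sysctl -a`-style output and the Scheme alist form used in the patch, flags every baseline key that is unset or weaker than the patch's value, and probes fs.protected_hardlinks for the calling user by trying to hard-link a root-owned file into a fresh temporary directory. The probe target /etc/passwd and the sample sysctl output are assumptions constructed for the example; fs.protected_symlinks is not probed because a meaningful probe needs a symlink owned by a second user inside a sticky directory.

```python
"""Audit fs.protected_hardlinks / fs.protected_symlinks on a running system.

Added example for this page, not code from the patch or from Guix.
"""
import errno
import os
import re
import tempfile

# Baseline copied from %default-sysctl-settings in the patch.
DEFAULT_SYSCTL_SETTINGS = {
    "fs.protected_hardlinks": "1",
    "fs.protected_symlinks": "1",
}

# Constructed sample of `sysctl -a` output, including the noise lines
# sysctl(8) emits for keys it cannot read.  Not captured from a real host.
SAMPLE_SYSCTL_OUTPUT = """\
fs.protected_hardlinks = 0
fs.protected_symlinks = 1
# comment lines and blanks are ignored

sysctl: permission denied on key 'net.ipv4.conf.all.stable_secret'
kernel.yama.ptrace_scope = 1
"""

# One ("key" . "value") pair of the alist syntax used by sysctl-configuration.
_ALIST_PAIR = re.compile(r'\(\s*"([^"]+)"\s*\.\s*"([^"]*)"\s*\)')


def parse_guix_alist(text):
    """Turn a Scheme alist such as the one in the patch into a dict."""
    return {key: value for key, value in _ALIST_PAIR.findall(text)}


def parse_sysctl_output(text):
    """Parse `key = value` lines; skip blanks, comments and lines without '='."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def read_live_settings(keys=DEFAULT_SYSCTL_SETTINGS):
    """Read current values straight from /proc/sys, the files sysctl(8) writes."""
    live = {}
    for key in keys:
        path = os.path.join("/proc/sys", *key.split("."))
        try:
            with open(path) as fh:
                live[key] = fh.read().strip()
        except OSError:
            pass  # not Linux, or this kernel lacks the knob
    return live


def _weaker(actual, expected):
    """True when ACTUAL is missing, non-numeric, or numerically below EXPECTED."""
    try:
        return int(actual) < int(expected)
    except (TypeError, ValueError):
        return True


def audit(settings, baseline=DEFAULT_SYSCTL_SETTINGS):
    """Return {key: (actual, expected)} for each baseline key unset or weaker."""
    return {
        key: (settings.get(key), expected)
        for key, expected in baseline.items()
        if _weaker(settings.get(key), expected)
    }


def probe_protected_hardlinks(target="/etc/passwd"):
    """Try to hard-link a file the caller cannot write into a fresh temp dir.

    With fs.protected_hardlinks=1 an unprivileged caller gets EPERM from
    link(2); with 0 the link is created, the primitive behind the classic
    /tmp hard-link attacks.  Returns "enforced", "not-enforced" or
    "inconclusive" (caller is root, TARGET missing or writable, or the temp
    dir is on another filesystem so link(2) fails with EXDEV).
    TARGET is an assumption: any root-owned, non-writable file will do.
    """
    if os.geteuid() == 0 or not os.path.isfile(target) or os.access(target, os.W_OK):
        return "inconclusive"
    with tempfile.TemporaryDirectory() as tmp:
        try:
            os.link(target, os.path.join(tmp, "hardlink"))
        except PermissionError:
            return "enforced"
        except OSError as exc:
            if exc.errno == errno.EXDEV:
                return "inconclusive"
            raise
        return "not-enforced"


if __name__ == "__main__":
    live = read_live_settings()
    findings = audit(live)
    for key in DEFAULT_SYSCTL_SETTINGS:
        if key in findings:
            actual, expected = findings[key]
            print(f"WEAK  {key} = {actual!r}, expected {expected}")
        else:
            print(f"OK    {key} = {live[key]}")
    print("protected_hardlinks probe:", probe_protected_hardlinks())
```

Run it as the unprivileged user whose processes you care about: the probe is deliberately "inconclusive" for root, because the kernel exempts CAP_FOWNER from protected_hardlinks and a root run would say nothing about what an ordinary account can do in /tmp.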