From: Ludovic Courtès
To: Maxim Cournoyer
Cc: othacehe@gnu.org, 54786@debbugs.gnu.org
Subject: bug#54786: Installation tests are failing
Date: Tue, 07 Jun 2022 16:00:54 +0200
Message-ID: <877d5sbmjt.fsf@gnu.org>
In-Reply-To: <874k11ujqq.fsf@gmail.com> (Maxim Cournoyer's message of "Sat, 04 Jun 2022 00:37:33 -0400")
List-Id: Bug reports for GNU Guix

Hi!

Maxim Cournoyer skribis:

> Ludovic Courtès writes:

[...]

>>> I reviewed how that works, and it'd be easy; I just didn't see the
>>> incentive yet (there's no composition needed for the service, and it'd
>>> make the definition slightly less readable).  If you tell me
>>> mark+forkexec-constructor/container is going the way of the Dodo though,
>>> that's a good enough incentive :-).
>
> That turns out to be a bit problematic; dbus-daemon must not run in its
> own user namespace (CLONE_NEWUSER) as it wants to validate user/group
> IDs.  That's probably the reason it was working with
> 'make-forkexec-constructor/container', as this was dropping the user and
> net namespaces, contrary to least-authority, which uses them all.
>
> The problem then seems to be that since we need CAP_SYS_ADMIN when
> dropping the user namespace, as CLONE_NEWUSER is what gives us
> superpowers.  Per 'man user_namespaces':
>
>    The child process created by clone(2) with the CLONE_NEWUSER flag starts
>    out with a complete set of capabilities in the new user namespace.
>
> Which means that if we combine something like (untested):
>
>   (make-forkexec-constructor
>     (least-authority
>       (list (file-append coreutils "/bin/true"))
>       (mappings (delq 'user %namespaces))
>       #:user "nobody"
>       #:group "nobody"))
>
> the make-forkexec-constructor will switch to the non-privileged user
> before the clone call is made, and it will fail with EPERM.
>
> When using 'make-forkexec-constructor/container', the clone(2) call
> happens before switching user, thus as 'root' in Shepherd, which
> explains why it works.

Damnit, that’s right.  For example the result of:

  (lower-object (least-authority-wrapper (file-append coreutils "/bin/uname")
                                         #:namespaces (delq 'user %namespaces)))

won’t run as an unprivileged user:

--8<---------------cut here---------------start------------->8---
$ $(guix build /gnu/store/hy8rd8p8pid67ac27dwm63svl5bqn0a1-pola-wrapper.drv)
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://bordeaux.guix.gnu.org'... 100.0%
substitute: updating substitutes from 'https://guix.bordeaux.inria.fr'... 100.0%
The following derivations will be built:
  /gnu/store/hy8rd8p8pid67ac27dwm63svl5bqn0a1-pola-wrapper.drv
  /gnu/store/bd63i07rvvsw7xgsig0cbdsw7fpznd1k-references.drv
building /gnu/store/bd63i07rvvsw7xgsig0cbdsw7fpznd1k-references.drv...
successfully built /gnu/store/bd63i07rvvsw7xgsig0cbdsw7fpznd1k-references.drv
building /gnu/store/hy8rd8p8pid67ac27dwm63svl5bqn0a1-pola-wrapper.drv...
successfully built /gnu/store/hy8rd8p8pid67ac27dwm63svl5bqn0a1-pola-wrapper.drv
Backtrace:
           5 (primitive-load "/gnu/store/ifsh87aifh2k8pqzhkjxncq3vskpwx3l-pola-wrapper")
In ice-9/eval.scm:
   191:35  4 (_ #f)
In gnu/build/linux-container.scm:
    300:8  3 (call-with-temporary-directory #)
   397:16  2 (_ "/tmp/guix-directory.K9gBNH")
    239:7  1 (run-container "/tmp/guix-directory.K9gBNH" (#< device: "/gnu/store/jkjs0inmzhj4vsvclbf08nmh0shm7lrf-attr-2.5…> …) …)
In guix/build/syscalls.scm:
  1099:12  0 (_ 1845624849)

guix/build/syscalls.scm:1099:12: In procedure clone: 1845624849: Operation not permitted
--8<---------------cut here---------------end--------------->8---

> I'm not sure how it could be fixed; it seems the user changing business
> would need to be handled by the least-authority-wrapper code?  And the
> make-forkexec-constructor would probably need to detect that command is
> a pola wrapper and then avoid changing the user/group itself to not
> interfere.

I think we would add #:user and #:group to ‘least-authority-wrapper’ and
have it call setuid/setgid.  ‘make-forkexec-constructor’ doesn’t need to
be modified, but the user simply won’t pass #:user and #:group to it.

Thanks,
Ludo’.
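
The ordering problem discussed in this message, as an added C example (not code from Guix or the Shepherd). It uses unshare(2) with CLONE_NEWUTS as a stand-in for clone(2) with the non-user namespaces, since both need CAP_SYS_ADMIN when CLONE_NEWUSER is absent. It assumes "nobody" is uid/gid 65534; try_order and drop_privileges are hypothetical names.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_ID 65534   /* assumption: uid/gid of "nobody" on this system */

/* Switch to the unprivileged account; returns 0 or the errno of the failure. */
static int drop_privileges(void)
{
    if (geteuid() != 0) return 0;            /* already unprivileged */
    if (setgroups(0, NULL) != 0 || setgid(UNPRIV_ID) != 0 || setuid(UNPRIV_ID) != 0)
        return errno;
    return 0;
}

/* In a forked child, create a namespace WITHOUT CLONE_NEWUSER, dropping
   privileges either before it (the failing order) or after it (the order
   proposed for the wrapper).  Returns 0 or the errno of the failed step. */
int try_order(int drop_first)
{
    int fds[2], result = EIO;
    if (pipe(fds) != 0) return errno;
    pid_t pid = fork();
    if (pid < 0) return errno;
    if (pid == 0) {
        int err = drop_first ? drop_privileges() : 0;
        if (err == 0 && unshare(CLONE_NEWUTS) != 0) err = errno;
        if (err == 0 && !drop_first) err = drop_privileges();
        _exit(write(fds[1], &err, sizeof err) == (ssize_t)sizeof err ? 0 : 1);
    }
    close(fds[1]);
    if (read(fds[0], &result, sizeof result) != (ssize_t)sizeof result) result = EIO;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    printf("setuid, then unshare: %s\n", strerror(try_order(1)));
    printf("unshare, then setuid: %s\n", strerror(try_order(0)));
    return 0;
}
```

Only the second order can succeed, and only when the caller starts with CAP_SYS_ADMIN (for example as root), which is why the setuid/setgid calls have to move into the wrapper, after the namespaces exist.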