From: "Ludovic Courtès" <ludo@gnu.org>
To: 67175@debbugs.gnu.org
Cc: "Ludovic Courtès" <ludo@gnu.org>,
"Maxim Cournoyer" <maxim.cournoyer@gmail.com>
Subject: [bug#67175] [PATCH 6/9] services: jami-dbus-session: Use ‘least-authority-wrapper’.
Date: Tue, 14 Nov 2023 15:09:15 +0100 [thread overview]
Message-ID: <05c3a9993783b02b89083b1ae0562a79af4c61b2.1699970930.git.ludo@gnu.org> (raw)
In-Reply-To: <cover.1699970930.git.ludo@gnu.org>
* gnu/services/telephony.scm (jami-shepherd-services): Use
‘least-authority-wrapper’ for ‘dbus-daemon’. Use ‘fork+exec-command’
instead of ‘make-forkexec-constructor/container’ in the ‘start’ method’.
Remove reference to (gnu build shepherd).
Change-Id: I9d9f8de6ecea77950000ff64aa8c8d097dc028a0
---
gnu/services/telephony.scm | 66 +++++++++++++++++++++++++-------------
1 file changed, 43 insertions(+), 23 deletions(-)
diff --git a/gnu/services/telephony.scm b/gnu/services/telephony.scm
index c9b5d6cd99..832470527d 100644
--- a/gnu/services/telephony.scm
+++ b/gnu/services/telephony.scm
@@ -34,6 +34,9 @@ (define-module (gnu services telephony)
#:use-module (guix modules)
#:use-module (guix packages)
#:use-module (guix gexp)
+ #:autoload (guix least-authority) (least-authority-wrapper)
+ #:autoload (gnu system file-systems) (file-system-mapping)
+ #:autoload (gnu build linux-container) (%namespaces)
#:use-module (srfi srfi-1)
#:use-module (srfi srfi-2)
#:use-module (srfi srfi-26)
@@ -298,7 +301,28 @@ (define (jami-shepherd-services config)
(let* ((libjami (jami-configuration-libjami config))
(nss-certs (jami-configuration-nss-certs config))
(dbus (jami-configuration-dbus config))
- (dbus-daemon (file-append dbus "/bin/dbus-daemon"))
+ (dbus-daemon (least-authority-wrapper
+ (file-append dbus "/bin/dbus-daemon")
+ #:name "dbus-daemon"
+ #:user "jami"
+ #:group "jami"
+ #:preserved-environment-variables
+ '("XDG_DATA_DIRS")
+ #:mappings
+ (list (file-system-mapping
+ (source "/dev/log") ;for syslog
+ (target source))
+ (file-system-mapping
+ (source "/var/run/jami")
+ (target source)
+ (writable? #t))
+ (file-system-mapping
+ (source (gexp-input libjami "bin"))
+ (target source)))
+ ;; 'dbus-daemon' wants to look up users in /etc/passwd
+ ;; so run it in the global user namespace.
+ #:namespaces
+ (fold delq %namespaces '(net user))))
(accounts (jami-configuration-accounts config))
(declarative-mode? (maybe-value-set? accounts)))
@@ -490,8 +514,7 @@ (define (jami-shepherd-services config)
(list (shepherd-service
(documentation "Run a D-Bus session for the Jami daemon.")
(provision '(jami-dbus-session))
- (modules `((gnu build shepherd)
- (gnu build dbus-service)
+ (modules `((gnu build dbus-service)
(gnu build jami-service)
(gnu system file-systems)
,@%default-modules))
@@ -499,26 +522,23 @@ (define (jami-shepherd-services config)
;; activation for D-Bus, such as a /etc/machine-id file.
(requirement '(dbus-system syslogd))
(start
- #~(make-forkexec-constructor/container
- (list #$dbus-daemon "--session"
- "--address=unix:path=/var/run/jami/bus"
- "--syslog-only")
- #:pid-file "/var/run/jami/pid"
- #:mappings
- (list (file-system-mapping
- (source "/dev/log") ;for syslog
- (target source))
- (file-system-mapping
- (source "/var/run/jami")
- (target source)
- (writable? #t)))
- #:user "jami"
- #:group "jami"
- #:environment-variables
- ;; This is so that the cx.ring.Ring service D-Bus
- ;; definition is found by dbus-daemon.
- (list (string-append "XDG_DATA_DIRS="
- #$libjami:bin "/share"))))
+ #~(lambda ()
+ (define pid
+ (fork+exec-command
+ (list #$dbus-daemon "--session"
+ "--address=unix:path=/var/run/jami/bus"
+ "--syslog-only")
+ #:environment-variables
+ ;; This is so that the cx.ring.Ring service D-Bus
+ ;; definition is found by dbus-daemon.
+ (list (string-append "XDG_DATA_DIRS="
+ #$libjami:bin "/share"))))
+
+ ;; The PID file contains the "wrong" PID (the one in the
+ ;; separate PID namespace) so ignore it and return the
+ ;; value returned by 'fork+exec-command'.
+ (and (read-pid-file "/var/run/jami/pid")
+ pid)))
(stop #~(make-kill-destructor)))
(shepherd-service
--
2.41.0
next prev parent reply other threads:[~2023-11-14 14:11 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <cover.1699970930.git.ludo@gnu.org>
2023-11-14 14:09 ` [bug#67175] [PATCH 1/9] services: pagekite: Use ‘least-authority-wrapper’ Ludovic Courtès
2023-11-14 14:09 ` [bug#67175] [PATCH 2/9] services: pagekite: Add ‘configuration’ action Ludovic Courtès
2023-11-14 14:09 ` [bug#67175] [PATCH 3/9] services: bitlbee: Remove use of ‘make-forkexec-constructor/container’ Ludovic Courtès
2023-11-14 14:09 ` [bug#67175] [PATCH 4/9] least-authority: Add support for changing UIDs/GIDs before exec Ludovic Courtès
2023-12-04 2:13 ` Maxim Cournoyer
2023-12-21 22:13 ` Ludovic Courtès
2023-11-14 14:09 ` [bug#67175] [PATCH 5/9] tests: jami: Check status of Jami D-Bus session Ludovic Courtès
2023-12-04 1:43 ` Maxim Cournoyer
2023-11-14 14:09 ` Ludovic Courtès [this message]
2023-12-04 1:45 ` [bug#67175] [PATCH 6/9] services: jami-dbus-session: Use ‘least-authority-wrapper’ Maxim Cournoyer
2023-11-14 14:09 ` [bug#67175] [PATCH 7/9] services: jami: " Ludovic Courtès
2023-12-04 1:38 ` Maxim Cournoyer
2023-12-21 22:16 ` Ludovic Courtès
2023-12-21 23:42 ` bug#67175: " Ludovic Courtès
2023-11-14 14:09 ` [bug#67175] [PATCH 8/9] services: Remove unnecessary references to (gnu build shepherd) Ludovic Courtès
2023-11-14 14:09 ` [bug#67175] [PATCH 9/9] shepherd: Remove ‘make-forkexec-constructor/container’ Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=05c3a9993783b02b89083b1ae0562a79af4c61b2.1699970930.git.ludo@gnu.org \
--to=ludo@gnu.org \
--cc=67175@debbugs.gnu.org \
--cc=maxim.cournoyer@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).