From 38f1aaf8b44739ccfb1f824c7fb85d4dc6b5d991 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Mon, 15 Mar 2021 14:51:52 -0400
Subject: [PATCH 1/2] services: sysctl: Add a service to set default kernel parameters.
* gnu/services/sysctl.scm (default-sysctl-settings-service-type): New public variable.
* doc/guix.texi (Miscellaneous Services): Document it.
Co-authored-by: Julien Lepiller
---
doc/guix.texi | 4 ++++
gnu/services/sysctl.scm | 13 ++++++++++++-
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 3e7ffc81bc..d468c6f742 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -31419,6 +31419,10 @@ An association list specifies kernel parameters and their values.
@end table
@end deftp
+@defvr {Scheme Variable} default-sysctl-settings-service-type
+The service type used to set default kernel parameters.
+@end defvr
+
@cindex pcscd
@subsubheading PC/SC Smart Card Daemon Service
diff --git a/gnu/services/sysctl.scm b/gnu/services/sysctl.scm
index eb7a61b2a9..83704084c3 100644
--- a/gnu/services/sysctl.scm
+++ b/gnu/services/sysctl.scm
@@ -1,5 +1,6 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2017 Sou Bunnbu
+;;; Copyright © 2021 Leo Famulari
;;;
;;; This file is part of GNU Guix.
;;;
@@ -25,7 +26,8 @@
#:use-module (srfi srfi-1)
#:use-module (ice-9 match)
#:export (sysctl-configuration
- sysctl-service-type))
+ sysctl-service-type
+ default-sysctl-settings-service-type))
;;;
@@ -74,3 +76,12 @@
(settings (append (sysctl-configuration-settings config)
settings)))))
(default-value (sysctl-configuration))))
+
+(define default-sysctl-settings-service-type
+; "Return a service that is used to set default kernel parameters for Guix
+; System."
+ (service-type
+ (name 'default-sysctl-settings)
+ (extensions
+ (list (service-extension sysctl-service-type
+ identity)))))
--
2.30.2
From 3040f0bb33439f041eed85e8c8e80bb52d6277cc Mon Sep 17 00:00:00 2001
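Review bot: The docstring for `default-sysctl-settings-service-type` in the last sysctl.scm hunk is commented out with `;`, so it is attached to nothing and neither the REPL nor `guix system search` will show it, and its wording ("Return a service") describes a procedure rather than a service type. If `service-type` has a `description` field at this revision, move the text there, e.g. `(description "Service type used to set default kernel parameters for Guix System.")`, and drop the two comment lines. Separately, the type declares no `default-value`, so `(service default-sysctl-settings-service-type)` without an explicit alist will fail at configuration time; if the defaults are meant to belong to the type rather than to `%base-services`, a `default-value` holding them would let users reference the type without repeating the list. A one-line comment on the `identity` extension noting that the value is an alist appended verbatim to the user's `sysctl-configuration` settings would also help readers of sysctl.scm.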
From: Leo Famulari
Date: Mon, 15 Mar 2021 14:31:48 -0400
Subject: [PATCH 2/2] system: Harden filesystem links.
These sysctl options are enabled on most GNU/Linux distros, including Debian, Fedora, NixOS, and OpenSUSE. I've tested this options on Guix System for several weeks, and they don't appear to break anything. Plus, we know that Guix works on other distros that enable these restrictions.
References:
https://sysctl-explorer.net/fs/protected_hardlinks/
https://sysctl-explorer.net/fs/protected_symlinks/
* gnu/services/base.scm (%base-services): Add default-sysctl-settings-service-type.
---
gnu/services/base.scm | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index f6a490f712..646ad800f4 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3,7 +3,7 @@
;;; Copyright © 2015, 2016 Alex Kost
;;; Copyright © 2015, 2016, 2020 Mark H Weaver
;;; Copyright © 2015 Sou Bunnbu
-;;; Copyright © 2016, 2017 Leo Famulari
+;;; Copyright © 2016, 2017, 2021 Leo Famulari
;;; Copyright © 2016 David Craven
;;; Copyright © 2016 Ricardo Wurmus
;;; Copyright © 2018 Mathieu Othacehe
@@ -35,6 +35,7 @@
#:use-module (gnu services)
#:use-module (gnu services admin)
#:use-module (gnu services shepherd)
+ #:use-module (gnu services sysctl)
#:use-module (gnu system pam)
#:use-module (gnu system shadow) ; 'user-account', etc.
#:use-module (gnu system uuid)
@@ -2532,6 +2533,10 @@ to handle."
(udev-configuration
(rules (list lvm2 fuse alsa-utils crda))))
+ (service default-sysctl-settings-service-type
+ '(("fs.protected_hardlinks" . "1")
+ ("fs.protected_symlinks" . "1")))
+
(service special-files-service-type
`(("/bin/sh" ,(file-append bash "/bin/sh"))
("/usr/bin/env" ,(file-append coreutils "/bin/env"))))))
--
2.30.2
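Review bot: The new `service` form in the `%base-services` hunk enables `fs.protected_hardlinks` and `fs.protected_symlinks` but leaves out the two sibling knobs the kernel added later, `fs.protected_fifos` and `fs.protected_regular` (Linux 4.19 and newer), which cover the analogous case of opening a FIFO or regular file with `O_CREAT` in a sticky world-writable directory and which the systemd-based distros named in the commit message typically enable together with these; consider adding `("fs.protected_fifos" . "1")` and `("fs.protected_regular" . "1")`, or note in the commit message why they are deferred. Because the value is a bare alist and the type has no `default-value`, an operator who needs to relax one setting has to replace the whole list through `modify-services` on `%base-services`; a short comment above the form, e.g. `;; Hardening defaults; override via 'modify-services' to change individual keys.`, would make that discoverable. `%base-services` begins and ends outside the hunk.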