From 1e3bd831899a4ec9dfa7199a381421adbfe0dcf7 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Fri, 12 Mar 2021 17:03:26 -0500
Subject: [PATCH] system: Harden filesystem links.
These sysctl options are enabled on most GNU/Linux distros, including Debian, Fedora, NixOS, and OpenSUSE. I've tested this patch on Guix System for several weeks, and it doesn't appear to break anything. Plus, we know that Guix works on other distros that enable these restrictions. References: https://sysctl-explorer.net/fs/protected_hardlinks/ https://sysctl-explorer.net/fs/protected_symlinks/ * gnu/services/base.scm (default-sysctl-settings): New variable. (%base-services): Add default-sysctl-settings.
---
 gnu/services/base.scm | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index f6a490f712..64aac36401 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -35,6 +35,7 @@
 #:use-module (gnu services)
 #:use-module (gnu services admin)
 #:use-module (gnu services shepherd)
+ #:use-module (gnu services sysctl)
 #:use-module (gnu system pam)
 #:use-module (gnu system shadow) ; 'user-account', etc.
 #:use-module (gnu system uuid)
@@ -2484,6 +2485,11 @@ to handle."
 (requirement requirement) (name-servers name-servers)))))
+(define (default-sysctl-settings default-settings)
+ (simple-service 'base-sysctl-settings
+ sysctl-service-type
+ default-settings))
+
 (define %base-services ;; Convenience variable holding the basic services.
@@ -2532,6 +2538,10 @@ to handle."
 (udev-configuration (rules (list lvm2 fuse alsa-utils crda))))
+ (default-sysctl-settings
+ '(("fs.protected_hardlinks" . "1")
+ ("fs.protected_symlinks" . "1")))
+
 (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env"))))))
-- 2.30.2
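Review bot: `default-sysctl-settings` is added without a docstring, and its name reads like a variable (the commit log lists it as "New variable") although it is a procedure that returns a service. I would add a docstring along the lines of `"Return a service that extends SYSCTL-SERVICE-TYPE with DEFAULT-SETTINGS, an alist of sysctl names and string values."` so the expected shape of the argument is stated where it is defined. Since these settings are a security default, the docstring is also the place to say whether a caller is expected to pass the full set or only additions; the hunk does not make that clear.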
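Review bot: The new `%base-services` entry only extends `sysctl-service-type` through `simple-service`; nothing in this patch adds an instance of `sysctl-service-type` to the list, so the extension may have no target unless that service is instantiated elsewhere (not visible here). It is also unclear from the patch how these two keys combine with a `sysctl-configuration` the user already declares, in particular whether a system that sets `fs.protected_symlinks` itself ends up with an override, a duplicate entry, or an error. Both configurations are worth testing before this becomes a default, and the opt-out path should be documented. A short comment above the entry would help too, e.g. `;; Kernel link restrictions: limit symlink following and hardlink creation in world-writable directories.` The definition of `%base-services` starts and ends outside this hunk.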