Subject: [bug#47013] [PATCH] gnu: Harden filesystem links.
From: Leo Famulari
To: Ludovic Courtès
Cc: 47013@debbugs.gnu.org
Date: Thu, 18 Mar 2021 03:27:01 -0400
References: <8735wu7nf9.fsf_-_@gnu.org> <875z1pzetb.fsf_-_@gnu.org>

On Wed, Mar 17, 2021 at 05:01:54PM -0400, Leo Famulari wrote:
> Sure, I'll implement your suggestions and send a v5 patch.

Here is the revised patch.

[Attachment: 0001-system-Harden-filesystem-links.patch]

From 1817aec86076307f7b85cdc27b9ead572d0575e7 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Tue, 16 Mar 2021 21:36:36 -0400
Subject: [PATCH] system: Harden filesystem links.

References:
https://sysctl-explorer.net/fs/protected_hardlinks/
https://sysctl-explorer.net/fs/protected_symlinks/

* gnu/services/sysctl.scm (%default-sysctl-settings): New public variable.
(): Use %default-sysctl-settings as the default value.
* gnu/services/base.scm (%base-services): Add sysctl-service-type.
* doc/guix.texi (Miscellaneous Services): Document the new defaults.
--- doc/guix.texi | 22 +++++++++++++++++++++- gnu/services/base.scm | 3 +++ gnu/services/sysctl.scm | 10 ++++++++-- 3 files changed, 32 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index 0a70ac7f11..73757be887 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -31378,6 +31378,21 @@ instantiated as: (sysctl-configuration (settings '(("net.ipv4.ip_forward" . "1"))))) @end lisp + +Since @code{sysctl-service-type} is used in the default lists of +services, @code{%base-services} and @code{%desktop-services}, you can +use @code{modify-services} to change its configuration and add the +kernel parameters that you want (@pxref{Service Reference, +@code{modify-services}}). + +@lisp +(modify-services %base-services + (sysctl-service-type config =3D> + (sysctl-configuration + (settings (append '(("net.ipv4.ip_forward" . "1")) + %default-sysctl-settings))))) +@end lisp + @end defvr =20 @deftp {Data Type} sysctl-configuration @@ -31387,11 +31402,16 @@ The data type representing the configuration of @= command{sysctl}. @item @code{sysctl} (default: @code{(file-append procps "/sbin/sysctl"}) The @command{sysctl} executable to use. =20 -@item @code{settings} (default: @code{'()}) +@item @code{settings} (default: @code{%default-sysctl-settings}) An association list specifies kernel parameters and their values. @end table @end deftp =20 +@defvr {Scheme Variable} %default-sysctl-settings +An association list specifying the default @command{sysctl} parameters +on Guix System. +@end defvr + @cindex pcscd @subsubheading PC/SC Smart Card Daemon Service =20 diff --git a/gnu/services/base.scm b/gnu/services/base.scm index f6a490f712..f50bcfdcb4 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm 
@@ -35,6 +35,7 @@ #:use-module (gnu services) #:use-module (gnu services admin) #:use-module (gnu services shepherd) + #:use-module (gnu services sysctl) #:use-module (gnu system pam) #:use-module (gnu system shadow) ; 'user-account', etc. #:use-module (gnu system uuid) @@ -2532,6 +2533,8 @@ to handle." (udev-configuration (rules (list lvm2 fuse alsa-utils crda)))) =20 + (service sysctl-service-type) + (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env")))))) diff --git a/gnu/services/sysctl.scm b/gnu/services/sysctl.scm index eb7a61b2a9..aaea7cc30d 100644 --- a/gnu/services/sysctl.scm +++ b/gnu/services/sysctl.scm 
@@ -25,20 +25,26 @@ #:use-module (srfi srfi-1) #:use-module (ice-9 match) #:export (sysctl-configuration - sysctl-service-type)) + sysctl-service-type + %default-sysctl-settings)) =20 =0C ;;; ;;; System Control Service. ;;; =20 +(define %default-sysctl-settings + ;; Default kernel parameters enabled with sysctl. + '(("fs.protected_hardlinks" . "1") + ("fs.protected_symlinks" . "1"))) + (define-record-type* sysctl-configuration make-sysctl-configuration sysctl-configuration? (sysctl sysctl-configuration-sysctl ; path of the 'sysctl' command (default (file-append procps "/sbin/sysctl"))) (settings sysctl-configuration-settings ; alist of string pairs - (default '()))) + (default %default-sysctl-settings))) =20 (define (sysctl-configuration-settings->sysctl.conf settings) "Return a file for @command{sysctl} to set kernel parameters as specifie= d by --=20 2.30.2 --IrZEl07SfDthq1WW-- --p26BRQZhgxJdyvkD Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAmBTAMUACgkQJkb6MLrK fwj1gw/9FoUVoLN8NsY04ZMeplPZUWwMaRfag5qLsmOzBOVbNoBEy12DvdlKHPI0 sVtPwENE/qCbT52oLyR/WKl9AfvfXdW1TXqdVK2K0yMbwOlqbCvoWTe5K2gr+ymq Edq+FS4WR/0aOmz+JnnjuzSDxVJnvfpHhpqRCl7sjfNALjSGoUUIBc4I6zKl4coM EJqBJFhH5vKS5j1phcZDdwd3QdSXeER2fSUGo5JSaPaCgNoKwdLF8olbNcU2Vli4 toou/45U2Z0j8iUaF5UJa0uxa3RstdHCGyvz/5k9nvTqx/4lkC3/bXZy8zGmtmY/ mlJ8W64twCnxbqQzelpEOjH3Q/IWBHTDo1bqPiOmC9RagSCFhKpbp+CgqLgJj4ck AetejdDQNO22KG5i5VVf6XQtK85Fm/7RK4dwkgnWIIq6R8QrSQjaYtTONtbaC1+z twZi5nqjQoHKQk2CMpjIEu2zx7jHLBYQjX6eEYuVHJUW9Da4XTbQEBLymz7yObcP DP/UE3q2xWtwr1fexf0jahHZ4l0E7uUwleE3HhcJXpaZfSMQu+imAlhs1CdkySIY TBQ8uIHitBKHCI/7D8G63maV2xuWA4wvFJDG2WL6mLubaB/o8PjdYjBSjfdomaI/ RYzubCKiwA5oju6DjVIWlvXM1ss2xlaJ7HnH1yayYeGcBaLnhy4= =WAvb -----END PGP SIGNATURE----- --p26BRQZhgxJdyvkD--
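Review bot: the modify-services example in the first doc/guix.texi hunk appends the user's entry to %default-sysctl-settings, which is the right pattern, but the new paragraph never says why that matters: a user who copies the `(settings '(("net.ipv4.ip_forward" . "1")))` form shown just above this hunk silently loses fs.protected_hardlinks and fs.protected_symlinks. Suggest one sentence after the new paragraph, e.g. "Note that @code{settings} replaces the default list, so include @code{%default-sysctl-settings} to keep the hardening defaults."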
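Review bot: the new @defvr for %default-sysctl-settings in the second doc/guix.texi hunk says only that it is an association list of default sysctl parameters without naming them; list the two entries (fs.protected_hardlinks and fs.protected_symlinks, both "1") and a short phrase on what each restricts, so readers can judge whether to keep them. While in this region, the unchanged context line "An association list specifies kernel parameters and their values." reads better as "An association list specifying kernel parameters and their values.", and the @item line for the sysctl field is missing the closing parenthesis inside @code{...} (it reads `(file-append procps "/sbin/sysctl"}`); both are pre-existing but cheap to fix in the same patch.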
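Review bot: adding `(service sysctl-service-type)` to %base-services in the second gnu/services/base.scm hunk breaks existing configurations that already instantiate sysctl-service-type themselves alongside %base-services: they now contain two instances of the same service type, which Guix rejects at reconfigure time as more than one target service of that type. The commit message and the doc hunk should state that such configurations must switch to the modify-services form, and a news entry (etc/news.scm) seems warranted since this is a user-visible change to the default service list.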
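Review bot: the comment on %default-sysctl-settings in the gnu/services/sysctl.scm hunk (";; Default kernel parameters enabled with sysctl.") only restates the variable name; since this is now exported API that users will read when deciding whether to append to it or override it, say what the two entries do and why they are on by default, e.g. ";; Restrict hard link creation to files the caller owns or can read and write, and refuse to follow symlinks in world-writable sticky directories unless the symlink's owner matches the follower or the directory owner; see the protected_hardlinks and protected_symlinks references in the commit message." The definition itself is fine: it precedes the define-record-type* that uses it as a field default, so evaluation order is not an issue.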