Subject: [bug#48729] [PATCH v5 25/25] services: Add bitmask-service-type.
To: Raghav Gururajan, 48729@debbugs.gnu.org
From: Maxime Devos
Date: Fri, 18 Jun 2021 21:02:39 +0200

Raghav Gururajan via Guix-patches wrote on Fri 18-06-2021 at 02:54 [-0400]:
> +;;; > +;;; Bitmask VPN > +;;; > + > +(define-public bitmask-service-type > + (service-type > + (name 'bitmask) > + (description "Setup the @uref{https://bitmask.net, Bitmask} VPN appli= cation.") > + (default-value bitmask) > + (extensions > + (list > + ;; To configure polkit policy of bitmask. > + (service-extension polkit-service-type list) > + ;; To add bitmask to the system profile. > + (service-extension profile-service-type list)))))

Is there any specific reason that bitmask must be added to the profile? On a multi-user system, not all users might be interested in bitmask, and do not need it in their "PATH".

I prefer only adding packages that are explicitly in the ‘packages’ field of 'operating-system' to the system profile.

One possible reason could be that the polkit policy whitelists a few binaries, say, /gnu/store/aaa-bitmask/sbin/stuff, so "pkexec stuff" (equivalent to "pkexec /gnu/store/aaa-bitmask/sbin/stuff") doesn't require special permissions or a password of any kind.
However, if the user has a slightly different version of bitmask in their profile, then the store path will be different (/gnu/store/bbb-bitmask/sbin/stuff), then "pkexec stuff" will try to use the not-authorised version, which will require passwords or such.

For example, my current system generation and user profile were made by a different version of Guix, and as a result, have two separate store paths for "mate-power-backlight-helper". If I run pkexec on the store path in /run/current-system/etc/polkit-1/actions/org.mate.power.policy, then it succeeds. But if I simply run "pkexec mate-power-backlight-helper", then it asks for authentication.

(Actually, /run/current-system/profile/sbin/mate-power-backlight-helper points to a binary with yet another store path, but that has nothing to do with bitmask-service-type.)

(TODO to self: modify "pkexec" to support an --action-id argument, in order to avoid store paths ...)

Greetings,
Maxime.
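
Review bot: the profile-service-type extension at the end of the extensions list puts bitmask into the system profile for every user unconditionally, and neither its comment nor the description says why the polkit extension would need that. Consider dropping that extension, or stating the dependency in the comment. Both extensions pass the service value through list, so the value has to be a package (the default is bitmask); a sentence in the description saying so would help. "Setup the" in the description should read "Set up the".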
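
The store-path mismatch described in the message above, as an added example that is not part of the original e-mail or of Guix: it reads the `org.freedesktop.policykit.exec.path` annotations from a polkit policy and reports whether the binary a bare command name resolves to is the one the policy names. The action id `org.example.bitmask.stuff`, the function names and the temporary directory layout are constructed, and following symlinks before comparing is an assumption.

```python
import os
import shutil
import xml.etree.ElementTree as ET

EXEC_PATH_KEY = "org.freedesktop.policykit.exec.path"  # polkit annotation used by pkexec

def policy_for(exec_path, action_id="org.example.bitmask.stuff"):
    """Build a constructed .policy document that names one absolute path."""
    return f"""<policyconfig>
  <action id="{action_id}">
    <defaults><allow_active>yes</allow_active></defaults>
    <annotate key="{EXEC_PATH_KEY}">{exec_path}</annotate>
  </action>
</policyconfig>"""

def exec_paths(policy_xml):
    """Map every annotated executable path to the action id that covers it."""
    covered = {}
    for action in ET.fromstring(policy_xml).iter("action"):
        for ann in action.findall("annotate"):
            if ann.get("key") == EXEC_PATH_KEY and ann.text:
                covered[ann.text.strip()] = action.get("id")
    return covered

def audit(command, path_env, policy_xml):
    """Return (resolved_path, action_id); action_id is None when the binary
    found through PATH is not one the policy names."""
    found = shutil.which(command, path=path_env)
    if found is None:
        return None, None
    # Assumption: profile -> store symlinks are followed before comparing.
    resolved = os.path.realpath(found)
    return resolved, exec_paths(policy_xml).get(resolved)

def demo(root):
    """Create two constructed store items under root and audit each profile."""
    profiles = {}
    for item in ("aaa-bitmask", "bbb-bitmask"):
        sbin = os.path.join(root, "store", item, "sbin")
        os.makedirs(sbin)
        binary = os.path.join(sbin, "stuff")
        with open(binary, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(binary, 0o755)
        profiles[item] = os.path.join(root, "profile-" + item[:3])
        os.symlink(sbin, profiles[item])
    policy = policy_for(os.path.realpath(os.path.join(root, "store/aaa-bitmask/sbin/stuff")))
    return {item: audit("stuff", p, policy)[1] for item, p in profiles.items()}
```

Run against a real system, `audit` takes the user's `PATH` and the contents of a policy file such as the org.mate.power.policy file mentioned in the message; a `None` action id marks a command that would fall back to asking for authentication.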