From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <guix-patches-bounces+larch=yhetil.org@gnu.org>
Received: from mp2 ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by ms11 with LMTPS
	id WDW+LD+ORmB+HQAA0tVLHw
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 08 Mar 2021 20:51:11 +0000
Received: from aspmx1.migadu.com ([2001:41d0:2:4a6f::])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
	by mp2 with LMTPS
	id YCWTKD+ORmCHFQAAB5/wlQ
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	for <larch@yhetil.org>; Mon, 08 Mar 2021 20:51:11 +0000
Received: from lists.gnu.org (lists.gnu.org [209.51.188.17])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by aspmx1.migadu.com (Postfix) with ESMTPS id ADF3126373
	for <larch@yhetil.org>; Mon,  8 Mar 2021 21:51:09 +0100 (CET)
Received: from localhost ([::1]:44146 helo=lists1p.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.90_1)
	(envelope-from <guix-patches-bounces+larch=yhetil.org@gnu.org>)
	id 1lJMqK-0003Ul-NQ
	for larch@yhetil.org; Mon, 08 Mar 2021 15:51:08 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:40020)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lJMqE-0003Tu-9w
 for guix-patches@gnu.org; Mon, 08 Mar 2021 15:51:02 -0500
Received: from debbugs.gnu.org ([209.51.188.43]:33459)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.90_1) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
 id 1lJMqE-0000dy-30
 for guix-patches@gnu.org; Mon, 08 Mar 2021 15:51:02 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
 (envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1lJMqE-0002eF-2F
 for guix-patches@gnu.org; Mon, 08 Mar 2021 15:51:02 -0500
X-Loop: help-debbugs@gnu.org
Subject: [bug#47013] [PATCH] gnu: Harden filesystem links.
Resent-From: Leo Famulari <leo@famulari.name>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces@debbugs.gnu.org>
Resent-CC: guix-patches@gnu.org
Resent-Date: Mon, 08 Mar 2021 20:51:01 +0000
Resent-Message-ID: <handler.47013.B.161523663910147@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 47013
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 47013@debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.161523663910147
 (code B ref -1); Mon, 08 Mar 2021 20:51:01 +0000
Received: (at submit) by debbugs.gnu.org; 8 Mar 2021 20:50:39 +0000
Received: from localhost ([127.0.0.1]:45005 helo=debbugs.gnu.org)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
 id 1lJMpm-0002dX-0T
 for submit@debbugs.gnu.org; Mon, 08 Mar 2021 15:50:39 -0500
Received: from lists.gnu.org ([209.51.188.17]:45320)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@famulari.name>) id 1lJMpg-0002dJ-VY
 for submit@debbugs.gnu.org; Mon, 08 Mar 2021 15:50:32 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:39850)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <leo@famulari.name>) id 1lJMpc-0003E8-01
 for guix-patches@gnu.org; Mon, 08 Mar 2021 15:50:28 -0500
Received: from out3-smtp.messagingengine.com ([66.111.4.27]:35627)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <leo@famulari.name>) id 1lJMpO-0000JA-Tt
 for guix-patches@gnu.org; Mon, 08 Mar 2021 15:50:18 -0500
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44])
 by mailout.nyi.internal (Postfix) with ESMTP id 512A75C0121;
 Mon,  8 Mar 2021 15:50:09 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163])
 by compute4.internal (MEProxy); Mon, 08 Mar 2021 15:50:09 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=from:to:subject:date:message-id:mime-version:content-type
 :content-transfer-encoding; s=mesmtp; bh=8zTuNoG+rWAaQqBD8BqnrRA
 OAEkP7y1Fcx3Lc0Z3Pvs=; b=x1eWo/m0w3VqKaN/hJ+hGkRtgpWXK8KYqLjV/RO
 8cY8rCjlhg5XccHkAnwUyZewfcxu6zauebWq5/lqCzD3VA0fW7m5xXoNtVOKAyl4
 da76o1pMmr1hfb020Sv5TzLDJgBBBZ+B1svH1hFLl3eTXwhRbI6g5mpwSNUm5Epx
 qj6A=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-transfer-encoding:content-type
 :date:from:message-id:mime-version:subject:to:x-me-proxy
 :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=8zTuNo
 G+rWAaQqBD8BqnrRAOAEkP7y1Fcx3Lc0Z3Pvs=; b=mM7hMnDai6okzBsiTTLtzG
 DKvXlmhJGrE4wm7DgIUwKDq4ajvixnD4xvlYKBnWHRGbqV/L6yugqzPxXZ1+F4C2
 s7Ww7JgOmBHlzWx16CJXfxbf9eZoHkv9raiuvv4n1lpoBWbOV5U7TFLWnffo8NZM
 jIcdmr37K9spefB2D7vSIPoJY6cqlXlTVKDTBkBNKLg6cOt9i4kj8sM1zmoQBS8c
 TCXA/o9FlPWisZxyoOUxQPZ6KouMl8HdXR5cj/aPPoc/6EXVcUgudM8YZZr+cSYI
 vD2GEL2aRnLCfPMg29EOJEruSn9oJaU82mNAfZYFReQ1KqANpfwmxXuEKPClrvfQ
 ==
X-ME-Sender: <xms:AY5GYL7cCkRJpWDfEH5RdaulDaxqoSHYebhKM_q2g2plm-yVlsMDog>
 <xme:AY5GYOeMXum0LTWlC-8pMFlwz4xLBRt1yONxblEaDWWYvAPl82vLRYw-36FVwHhEU
 TKeP8gS9iWTyogWbg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledruddugedgjeehucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucenucfjughrpefhvffufffkofggtgfgsehtkeertd
 ertdejnecuhfhrohhmpefnvghoucfhrghmuhhlrghrihcuoehlvghosehfrghmuhhlrghr
 ihdrnhgrmhgvqeenucggtffrrghtthgvrhhnpedtfedvlefftefhtdeffeegkeevjeettd
 fgheehgfevffehhfeivdehueeujeeifeenucffohhmrghinhepshihshgtthhlqdgvgihp
 lhhorhgvrhdrnhgvthenucfkphepuddttddruddurdduieelrdduudeknecuvehluhhsth
 gvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheplhgvohesfhgrmhhulhgr
 rhhirdhnrghmvg
X-ME-Proxy: <xmx:AY5GYI72fBVkLTysOAaX7nUIaK6frBcEPNQKbNoBSnT85mmJMpn9hg>
 <xmx:AY5GYNtiVSLa32gbkkqYDnYsrhyjjtBwK3g9RziL-JQst-vWDYWogw>
 <xmx:AY5GYAg5XbPl1MBPWNRq7QFt7th_PVuP8svWW7u97qjrWA2XSaAEzQ>
 <xmx:AY5GYEZ0DZmPewikqjuf8UpIJwNrj11ft622VFks9HqKQHaduurt1g>
Received: from jasmine.lan (pool-100-11-169-118.phlapa.fios.verizon.net
 [100.11.169.118])
 by mail.messagingengine.com (Postfix) with ESMTPA id 2FF4B108005F
 for <guix-patches@gnu.org>; Mon,  8 Mar 2021 15:50:09 -0500 (EST)
From: Leo Famulari <leo@famulari.name>
Date: Mon,  8 Mar 2021 15:50:03 -0500
Message-Id: <7072c80a192f3c136cb70da4a0662d77ce508b56.1615236603.git.leo@famulari.name>
X-Mailer: git-send-email 2.30.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Received-SPF: pass client-ip=66.111.4.27; envelope-from=leo@famulari.name;
 helo=out3-smtp.messagingengine.com
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
X-BeenThere: guix-patches@gnu.org
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/guix-patches>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
 <mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+larch=yhetil.org@gnu.org>
X-Migadu-Flow: FLOW_IN
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org;
	s=key1; t=1615236671;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:resent-cc:
	 resent-from:resent-sender:resent-message-id:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post:dkim-signature;
	bh=8zTuNoG+rWAaQqBD8BqnrRAOAEkP7y1Fcx3Lc0Z3Pvs=;
	b=Qk7PfI5CaXfAfvtzRq6dzNbPUylPcUPxkSNBKX2snjOr3hyrh6a6lF7ZPL+OIzcI0LVinx
	98vZIRFI/hha/n5q9cM4OuOT4KQGyGetu4VkB0DxCqVYWDKS6S9Z5m1/YrO7Qv/aOlb9RO
	JMXh7N7EpOoTDkJd+VAkWBXEctoB8AN9MWoXaSgQGVXWiGhcMxvXilFiaLK9q6Wjb6HhY4
	Usvn3i+sC37Am53RxLqNu5tAknwV6hK9VfmNouZ9LeA6tmyUxurq7b40Y2j84EIaNKkTDQ
	mq6d6LRS2YOUAcaxHWRegMUK2HLSyDWMFvNzIA13N6NNAq69cXvQW2Q8argZTA==
ARC-Seal: i=1; s=key1; d=yhetil.org; t=1615236671; a=rsa-sha256; cv=none;
	b=J/FZyOd4vuGL5pZua2Xy8C8JatTskR/YotbBqzL6uBU1jhdp7SgfAtOjp36kcTOtGvMD3h
	M0vray4TGepG0bClJzGUPCDmCF+PBPT641aumlkOGgsVPeCcuRDC16XlXjg2wCGg1ZK02t
	df4cEmHsNXuJkY4yzPE+hb7h44O2eXFYb7o5KJ68+2FgF+mf12hRxRn+oLrCuP0oKDjOBL
	QjwTLxcllZuibBl8es9/5NiTFyqCYo4WLkFxqxcteTRZKkjSdCV/7wd13mqLDa/+WauNr7
	A0IL7lBDRXDVHzdxygkSKCOi6nhJhkD+WMFv4qMVbi7Oo7Yp2b/mFPbX45sICQ==
ARC-Authentication-Results: i=1;
	aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b="x1eWo/m0";
	dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=mM7hMnDa;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org
X-Migadu-Spam-Score: -0.38
Authentication-Results: aspmx1.migadu.com;
	dkim=fail ("headers rsa verify failed") header.d=famulari.name header.s=mesmtp header.b="x1eWo/m0";
	dkim=fail ("headers rsa verify failed") header.d=messagingengine.com header.s=fm2 header.b=mM7hMnDa;
	dmarc=none;
	spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org
X-Migadu-Queue-Id: ADF3126373
X-Spam-Score: -0.38
X-Migadu-Scanner: scn0.migadu.com
X-TUID: bO5zWTxU6wTb

These sysctl options are enabled on most GNU/Linux distros, including
Debian, Fedora, NixOS, and OpenSUSE.

I've tested this patch on Guix System for several weeks, and it doesn't
appear to break anything. Plus, we know that Guix works on other distros
that enable these restrictions.

References:

https://sysctl-explorer.net/fs/protected_hardlinks/
https://sysctl-explorer.net/fs/protected_symlinks/

* gnu/services/base.scm (%base-services): Add a default
sysctl-configuration that enables fs.protected_hardlinks and
fs.protected_symlinks.
---
 gnu/services/base.scm | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm
index f6a490f712..edd2c8e355 100644
--- a/gnu/services/base.scm
+++ b/gnu/services/base.scm
@@ -3,7 +3,7 @@
 ;;; Copyright © 2015, 2016 Alex Kost <alezost@gmail.com>
 ;;; Copyright © 2015, 2016, 2020 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
-;;; Copyright © 2016, 2017 Leo Famulari <leo@famulari.name>
+;;; Copyright © 2016, 2017, 2021 Leo Famulari <leo@famulari.name>
 ;;; Copyright © 2016 David Craven <david@craven.ch>
 ;;; Copyright © 2016 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2018 Mathieu Othacehe <m.othacehe@gmail.com>
@@ -35,6 +35,7 @@
   #:use-module (gnu services)
   #:use-module (gnu services admin)
   #:use-module (gnu services shepherd)
+  #:use-module (gnu services sysctl)
   #:use-module (gnu system pam)
   #:use-module (gnu system shadow)                ; 'user-account', etc.
   #:use-module (gnu system uuid)
@@ -2532,6 +2533,12 @@ to handle."
                  (udev-configuration
                    (rules (list lvm2 fuse alsa-utils crda))))
 
+        (service sysctl-service-type
+                 (sysctl-configuration
+                   (settings
+                     '(("fs.protected_hardlinks" . "1")
+                       ("fs.protected_symlinks" . "1")))))
+
         (service special-files-service-type
                  `(("/bin/sh" ,(file-append bash "/bin/sh"))
                    ("/usr/bin/env" ,(file-append coreutils "/bin/env"))))))
-- 
2.30.1