all messages for Guix-related lists mirrored at yhetil.org
From: "Ludovic Courtès" <ludo@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: 47013@debbugs.gnu.org
Subject: [bug#47013] [PATCH] gnu: Harden filesystem links.
Date: Wed, 17 Mar 2021 21:49:04 +0100	[thread overview]
Message-ID: <875z1pzetb.fsf_-_@gnu.org> (raw)
In-Reply-To: <YFFl6C4hBQTLBXNO@jasmine.lan> (Leo Famulari's message of "Tue, 16 Mar 2021 22:14:00 -0400")

Hi,

Leo Famulari <leo@famulari.name> skribis:

> On Tue, Mar 16, 2021 at 08:54:52PM -0400, Leo Famulari wrote:
>> As a compromise, we could create a new variable %default-sysctl-settings
>> and add a sysctl-service-type in %base-services that uses that variable.
>
> Here is a v4 patch that implements this. I wasn't sure where to put
> %default-sysctl-settings, so it's in (gnu services sysctl).
>
> From my naive perspective, it seemed to me that it belongs in (gnu
> system), but when I exported it from there, and imported (gnu system) in
> (gnu services base), building Guix crashes like this:
>
> ------
> [ 12%] LOAD     guix/scripts/system.scm
> ice-9/eval.scm:293:34: error: %default-sysctl-settings: unbound variable
> hint: Did you forget `(use-modules (gnu system))'?

Yeah, some circular module dependency.

I propose this minor change:

> +++ b/gnu/services/base.scm
> @@ -35,6 +35,7 @@
>    #:use-module (gnu services)
>    #:use-module (gnu services admin)
>    #:use-module (gnu services shepherd)
> +  #:use-module (gnu services sysctl)
>    #:use-module (gnu system pam)
>    #:use-module (gnu system shadow)                ; 'user-account', etc.
>    #:use-module (gnu system uuid)
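Review bot: this new #:use-module makes (gnu services base) depend on (gnu services sysctl), which is the right direction given the unbound-variable crash described above when the variable lived in (gnu system); please confirm (gnu services sysctl) does not itself import (gnu services base), or the same circular-dependency failure will come back at load time.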
> @@ -2532,6 +2533,10 @@ to handle."
>                   (udev-configuration
>                     (rules (list lvm2 fuse alsa-utils crda))))
>  
> +        (service sysctl-service-type
> +                 (sysctl-configuration
> +                   (settings %default-sysctl-settings)))
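Review bot: instantiating sysctl-service-type inside %base-services means an operating-system that already declares its own (service sysctl-service-type ...) next to %base-services now carries two instances of the same service type; the accompanying guix.texi change should tell such users to use modify-services on %base-services and to append to (rather than replace) the default settings, otherwise they lose fs.protected_hardlinks/fs.protected_symlinks without noticing.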

Write (service sysctl-service-type) here, and…

> +++ b/gnu/services/sysctl.scm
> @@ -25,7 +25,8 @@
>    #:use-module (srfi srfi-1)
>    #:use-module (ice-9 match)
>    #:export (sysctl-configuration
> -            sysctl-service-type))
> +            sysctl-service-type
> +            %default-sysctl-settings))
>  
>  \f
>  ;;;
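Review bot: exporting %default-sysctl-settings is enough for the base-services use, but users who want to extend the defaults from modify-services also need the field accessor used further down in this file, sysctl-configuration-settings, which is still not in the #:export list; consider exporting it in the same change so that (append (sysctl-configuration-settings config) extra) works from an operating-system declaration.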
> @@ -74,3 +75,8 @@
>                (settings (append (sysctl-configuration-settings config)
>                                  settings)))))
>     (default-value (sysctl-configuration))))
> +
> +(define %default-sysctl-settings
> +  ;; Default kernel parameters enabled with sysctl.
> +  '(("fs.protected_hardlinks" . "1")
> +    ("fs.protected_symlinks" . "1")))
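Review bot: %default-sysctl-settings is defined after the service type, and the (default-value (sysctl-configuration)) form just above instantiates a configuration at module load time; if the ‘settings’ field default is changed to reference this variable, move the define above the record and service-type definitions so the variable is bound when that default is evaluated. The comment could also say what the two settings do (refuse hardlinks to files the caller does not own, and refuse following symlinks in sticky world-writable directories), since that is the security rationale readers of this file will look for.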

… change the default value of the ‘settings’ field of
<sysctl-configuration> to be ‘%default-sysctl-settings’.

We should also add a @defvr and adjust guix.texi accordingly.

WDYT?

Thanks,
Ludo’.
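For a system administrator reading this thread, the practical question is how to keep the hardened defaults while adding further parameters once the patch lands. The following operating-system fragment is an added example, not code from the patch or from Guix itself; it assumes %default-sysctl-settings is exported from (gnu services sysctl) as in the v4 patch above, and the three extra sysctl names are choices made for this example (they are standard Linux kernel parameters, but the values are this example's, not a Guix default).

```scheme
;; Added example (not part of the patch): extend the default sysctl
;; settings carried by %base-services instead of replacing them.
(use-modules (gnu)                  ; operating-system, %base-services, modify-services
             (gnu services sysctl)) ; sysctl-service-type, sysctl-configuration,
                                    ; %default-sysctl-settings (assumed exported, as in v4)

;; Extra parameters chosen for this example; the names are standard
;; Linux sysctls, the decision to enable them is ours, not Guix's.
(define %extra-sysctl-settings
  '(("fs.protected_fifos" . "2")      ; refuse O_CREAT on FIFOs in world-writable sticky dirs
    ("fs.protected_regular" . "2")    ; same for regular files not owned by the caller
    ("kernel.kptr_restrict" . "1")))  ; hide kernel pointers from unprivileged readers

;; Rewrite the sysctl-service-type instance that %base-services already
;; contains rather than adding a second (service sysctl-service-type ...),
;; which would leave two instances of the same service type in the list.
(define %my-services
  (modify-services %base-services
    (sysctl-service-type config =>
      (sysctl-configuration
        (inherit config)
        ;; Keep the upstream defaults (fs.protected_hardlinks and
        ;; fs.protected_symlinks) and append the additional entries.
        (settings (append %default-sysctl-settings
                          %extra-sysctl-settings))))))

;; Use it from the operating-system declaration, for instance:
;;   (operating-system
;;     ;; ... host-name, bootloader, file-systems, ...
;;     (services %my-services))
```

After reconfiguring, `sysctl fs.protected_hardlinks fs.protected_symlinks` on the running system should report 1 for both, which is the quickest check that the default settings survived the modification.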


Thread overview: 18+ messages
2021-03-08 20:50 [bug#47013] [PATCH] gnu: Harden filesystem links Leo Famulari
2021-03-12 22:05 ` Leo Famulari
2021-03-12 22:51   ` Leo Famulari
2021-03-15 18:56     ` Leo Famulari
2021-03-15 20:23       ` Julien Lepiller
2021-03-18 17:39         ` Leo Famulari
2021-03-18 19:45           ` Julien Lepiller
2021-03-16 21:42       ` Ludovic Courtès
2021-03-16 22:18     ` Ludovic Courtès
2021-03-17  0:54       ` Leo Famulari
2021-03-17  2:14         ` [bug#47013] [PATCH v4] " Leo Famulari
2021-03-17 20:49           ` Ludovic Courtès [this message]
2021-03-17 21:01             ` [bug#47013] [PATCH] " Leo Famulari
2021-03-18  7:27               ` Leo Famulari
2021-03-18  9:36                 ` Ludovic Courtès
2021-03-18 17:25                   ` Leo Famulari
2021-03-24  7:19 ` [bug#47013] (no subject) muradm
2021-03-24 10:38 ` [bug#47013] services: export sysctl-configuration record field accessors muradm

Code repository for the project associated with this index: https://git.savannah.gnu.org/cgit/guix.git