Subject: [bug#47013] [PATCH] gnu: Harden filesystem links.
From: Ludovic Courtès
To: Leo Famulari
Cc: 47013@debbugs.gnu.org
Resent-CC: guix-patches@gnu.org
Date: Wed, 17 Mar 2021 21:49:04 +0100
Message-ID: <875z1pzetb.fsf_-_@gnu.org>
In-Reply-To: Leo Famulari's message of "Tue, 16 Mar 2021 22:14:00 -0400"
References: <8735wu7nf9.fsf_-_@gnu.org>
Hi,

Leo Famulari writes:

> On Tue, Mar 16, 2021 at 08:54:52PM -0400, Leo Famulari wrote:
>> As a compromise, we could create a new variable %default-sysctl-settings
>> and add a sysctl-service-type in %base-services that uses that variable.
>
> Here is a v4 patch that implements this. I wasn't sure where to put
> %default-sysctl-settings, so it's in (gnu services sysctl).
>
> From my naive perspective, it seemed to me that it belongs in (gnu
> system), but when I exported it from there, and imported (gnu system) in
> (gnu services base), building Guix crashes like this:
>
> ------
> [ 12%] LOAD guix/scripts/system.scm
> ice-9/eval.scm:293:34: error: %default-sysctl-settings: unbound variable
> hint: Did you forget `(use-modules (gnu system))'?

Yeah, some circular module dependency.

I propose this minor change:

> +++ b/gnu/services/base.scm
> @@ -35,6 +35,7 @@
>    #:use-module (gnu services)
>    #:use-module (gnu services admin)
>    #:use-module (gnu services shepherd)
> +  #:use-module (gnu services sysctl)
>    #:use-module (gnu system pam)
>    #:use-module (gnu system shadow)   ; 'user-account', etc.
>    #:use-module (gnu system uuid)
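Review bot: this new #:use-module makes (gnu services base) depend on (gnu services sysctl), which is the right direction given the crash quoted above, but it only stays safe as long as (gnu services sysctl) never imports (gnu services base) or (gnu system) in return; please double-check sysctl.scm's own #:use-module list for either of those, since the same "%default-sysctl-settings: unbound variable" failure would come back the moment such an import is added.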
> @@ -2532,6 +2533,10 @@ to handle."
>             (udev-configuration
>              (rules (list lvm2 fuse alsa-utils crda))))
>  
> +        (service sysctl-service-type
> +                 (sysctl-configuration
> +                  (settings %default-sysctl-settings)))

Write (service sysctl-service-type) here, and…

> +++ b/gnu/services/sysctl.scm
> @@ -25,7 +25,8 @@
>    #:use-module (srfi srfi-1)
>    #:use-module (ice-9 match)
>    #:export (sysctl-configuration
> -            sysctl-service-type))
> +            sysctl-service-type
> +            %default-sysctl-settings))
>  
>  
>  ;;;
> @@ -74,3 +75,8 @@
>                          (settings (append (sysctl-configuration-settings config)
>                                            settings)))))
>                 (default-value (sysctl-configuration))))
> +
> +(define %default-sysctl-settings
> +  ;; Default kernel parameters enabled with sysctl.
> +  '(("fs.protected_hardlinks" . "1")
> +    ("fs.protected_symlinks" . "1")))

… change the default value of the ‘settings’ field of <sysctl-configuration> to be ‘%default-sysctl-settings’.

We should also add a @defvr and adjust guix.texi accordingly.

WDYT?

Thanks,
Ludo’.
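Review bot: in the %base-services hunk the hardening is wired in explicitly with (settings %default-sysctl-settings) while the service type's (default-value (sysctl-configuration)) in the sysctl.scm hunk still yields an empty settings list, so the two defaults diverge: a user who writes (service sysctl-service-type) in their own configuration, or who rebuilds their service list without this instance, silently gets no link hardening at all. Make the settings field of sysctl-configuration default to %default-sysctl-settings so that the instance here can be reduced to (service sysctl-service-type) and both paths agree.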
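Review bot: if the settings field default is changed to %default-sysctl-settings as suggested, this (define %default-sysctl-settings …) hunk has to move above the sysctl-configuration record and sysctl-service-type definitions: (default-value (sysctl-configuration)) is evaluated when the module is loaded, and at that point a toplevel variable defined further down the file is still unbound, which would reproduce the "unbound variable" error quoted earlier in this thread. The comment should also say what the two knobs do rather than "Default kernel parameters enabled with sysctl", since the commit is titled "Harden filesystem links" and a reader of %base-services otherwise cannot tell why fs.protected_hardlinks and fs.protected_symlinks are being set; the @defvr entry in guix.texi is the natural place to repeat that.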
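The two keys in %default-sysctl-settings only protect a machine once they are actually in effect on the running kernel, so a practitioner will want to read them back rather than trust the configuration. The script below is an added example written for this page; it is not part of the patch and not Guix code. It reads fs.protected_hardlinks and fs.protected_symlinks from /proc/sys/fs and reports anything missing or not equal to 1. The make_fake_sysfs helper, and the directory tree it builds, are constructed here purely so the check can be exercised offline without root; they are not a kernel interface.

```shell
#!/bin/sh
# Added example, not from the patch or from Guix: confirm that the two
# sysctl knobs named in %default-sysctl-settings are in effect by reading
# them back from the kernel.
#
# Usage: check_protected_links [SYSFS_DIR]
#   SYSFS_DIR defaults to /proc/sys/fs; pass another directory to run the
#   check against a constructed tree (see make_fake_sysfs below).
# Exit status: 0 when both fs.protected_hardlinks and fs.protected_symlinks
# read as 1, 1 otherwise.  Every mismatch is reported on stdout.
check_protected_links() {
    dir=${1:-/proc/sys/fs}
    status=0
    for key in protected_hardlinks protected_symlinks; do
        if [ ! -r "$dir/$key" ]; then
            # The knob does not exist at all (kernel too old).
            echo "fs.$key: not present"
            status=1
            continue
        fi
        value=$(cat "$dir/$key")
        if [ "$value" != "1" ]; then
            echo "fs.$key = $value (expected 1)"
            status=1
        fi
    done
    return $status
}

# Constructed stand-in for /proc/sys/fs so the check can be tested without
# root and without touching the real kernel settings.  This is a test
# fixture only; the real files are provided by the kernel.
# Usage: make_fake_sysfs DIR HARDLINKS_VALUE SYMLINKS_VALUE
make_fake_sysfs() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/protected_hardlinks"
    printf '%s\n' "$3" > "$1/protected_symlinks"
}
```

On a system booted with the patched %base-services, `check_protected_links` with no argument should exit 0 once the sysctl service has run; a non-zero exit after boot means the service did not apply the settings or something later reset them. For context on what is being asserted: with fs.protected_symlinks set to 1 the kernel refuses to follow a symlink in a world-writable sticky directory such as /tmp unless the follower owns the link or the directory owner owns it, and with fs.protected_hardlinks set to 1 a user can only create a hard link to a file they own or already have read and write access to, which closes the classic /tmp link-race class of attacks.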