From: muradm <mail@muradm.net>
To: 47013@debbugs.gnu.org
Subject: [bug#47013] (no subject)
Date: Wed, 24 Mar 2021 10:19:29 +0300
Message-ID: <878s6dnhmm.fsf@muradm.net>
In-Reply-To: <7072c80a192f3c136cb70da4a0662d77ce508b56.1615236603.git.leo@famulari.name>
There is a need to have the important sysctl settings
fs.protected_hardlinks and fs.protected_symlinks set for all
installations of Guix in the world unless explicitly stated
otherwise. Currently in the Linux kernel they are unset by default. It
is also stated that other distributions do the same.

In a perfect world I would go for Solution 1 below, as it is the most
effective and clean.
Solution 1: From this statement, it seems that the first resort
would be the Linux kernel itself. If it were possible to
configure them with Kconfig, that would be the best place. As of my
brief look at linux/fs, they are not configurable, but maybe I
am missing something. Anyway, the preferred solution would be to just compile
the kernel with protected hardlinks and symlinks set to 1. Since other
distributions do the same, it could be reasonable to expose these
two settings via Kconfig, and solve it there.
- pros: great for the world
- cons: have to do an enhancement in mainline Linux
Solution 2: If it is not possible to have these two settings in the
kernel as per Solution 1, Guix may maintain a patch to the kernel that
would do this.
- pros: no need to enhance mainline Linux
- cons: will impact users who do use Guix and compile the Linux kernel
themselves

Solution 3: Handle it in Guix configuration. Everything below relates
to Solution 3.

Currently it is set as following:
;; gnu/services/sysctl.scm
(define-module ....
  #:export (....
            %default-sysctl-settings))

(define %default-sysctl-settings
  ;; Default kernel parameters enabled with sysctl.
  '(("fs.protected_hardlinks" . "1")
    ("fs.protected_symlinks" . "1")))

(define-record-type* <sysctl-configuration>
  sysctl-configuration make-sysctl-configuration
  sysctl-configuration?
  (sysctl   sysctl-configuration-sysctl   ; path of the 'sysctl' command
            (default (file-append procps "/sbin/sysctl")))
  (settings sysctl-configuration-settings ; alist of string pairs
            (default %default-sysctl-settings)))
;; ends- gnu/services/sysctl.scm
And sysctl-service-type itself is added to the
%base-services. Since the sysctl-configuration-settings function to
access the settings field of a sysctl-configuration instance is not
exported, I have to do the following in my configuration:
(define nomad-gx1-os
  (operating-system
    (inherit my-base-nomad-os)           ;; important line-#1
    ...
    (services
     (modify-services my-base-nomad-services
       (sysctl-service-type config =>
         ;; the clause must return a new record, hence the wrapper
         (sysctl-configuration
           (inherit config)
           (settings
            (append
             %default-sysctl-settings     ;; from gnu/services/sysctl.scm
             '(("fs.inotify.max_user_watches" . "524288")
               ("fs.inotify.max_user_instances" . "16384")
               ("fs.inotify.max_queued_events" . "65536"))))))))))
This is fine, until I extend sysctl-service-type in
my-base-nomad-os. Then I have to export
my-base-nomad-sysctl-settings and join them with
%default-sysctl-settings and the extra settings for
nomad-gx1-os. While it is bearable for one or two levels of
inheritance, it becomes hard to keep track of for more levels and/or
many hosts.

If sysctl-configuration-settings were exported as per #47323,
then my configuration would become simpler:
(services
 (modify-services my-base-nomad-services
   (sysctl-service-type config =>
     ;; the clause must return a new record, hence the wrapper
     (sysctl-configuration
       (inherit config)
       (settings
        (append
         (sysctl-configuration-settings config) ;; now I can't do this
         '(("fs.inotify.max_user_watches" . "524288")
           ("fs.inotify.max_user_instances" . "16384")
           ("fs.inotify.max_queued_events" . "65536"))))))))
In this case, if the Guix documentation includes
sysctl-configuration-settings, then most likely people won't
forget to use %default-sysctl-settings, and it is still possible to
override them if one desires not to use protected symlinks and
hardlinks.
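An added check, not part of this message or of Guix: a POSIX shell helper (hypothetical function names) that reports whether a kernel actually has the two protections the message wants on by default, reading either /proc/sys on the live host or `sysctl -a` style lines from stdin; the sample lines at the end are constructed, not captured from a real host.

```shell
#!/bin/sh
# Hypothetical audit helper (not Guix code): compares kernel sysctl values
# against the hardening defaults discussed in the thread.

# Expected values, one "key=value" per line.
EXPECTED_SYSCTLS='fs.protected_hardlinks=1
fs.protected_symlinks=1'

# audit_sysctl_lines: read "key = value" lines (sysctl -a format) on stdin,
# print one line per missing or mismatched key, return 1 if any differ.
audit_sysctl_lines() {
    input=$(cat)
    rc=0
    for want in $EXPECTED_SYSCTLS; do
        key=${want%%=*}
        val=${want#*=}
        got=$(printf '%s\n' "$input" | sed -n "s/^$key = //p")
        if [ -z "$got" ]; then
            # Older kernels, or a kernel built without the knob, expose nothing.
            echo "$key: not present (kernel may lack this setting)"
            rc=1
        elif [ "$got" != "$val" ]; then
            echo "$key: is $got, expected $val"
            rc=1
        fi
    done
    return $rc
}

# audit_live_system: feed the running kernel's /proc/sys values to the audit.
audit_live_system() {
    for want in $EXPECTED_SYSCTLS; do
        key=${want%%=*}
        path=/proc/sys/$(printf '%s' "$key" | tr . /)
        if [ -r "$path" ]; then
            printf '%s = %s\n' "$key" "$(cat "$path")"
        fi
    done | audit_sysctl_lines
}

# Constructed sample (not from a real host): hardlinks left at the kernel default.
SAMPLE_SYSCTL_OUTPUT='fs.protected_hardlinks = 0
fs.protected_symlinks = 1
fs.inotify.max_user_watches = 524288'
```

Run `audit_live_system` on a Guix host to confirm the service actually applied the defaults, which is the check the inheritance problem above makes easy to get wrong.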