Subject: [bug#47013] [PATCH] gnu: Harden filesystem links.
From: Leo Famulari
To: 47013@debbugs.gnu.org
Resent-CC: guix-patches@gnu.org
Date: Mon, 15 Mar 2021 14:56:06 -0400
On Fri, Mar 12, 2021 at 05:51:21PM -0500, Leo Famulari wrote:
> Does anyone know how we could make it possible for users to change these
> new defaults?

With assistance from roptat on #guix, I wrote these patches that work well and meet all the requirements I had in mind.

Your thoughts? I'd like to push this soon.

[Attachment: harden-filesystem-links.patch]

From 38f1aaf8b44739ccfb1f824c7fb85d4dc6b5d991 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Mon, 15 Mar 2021 14:51:52 -0400
Subject: [PATCH 1/2] services: sysctl: Add a service to set default kernel parameters.

* gnu/services/sysctl.scm (default-sysctl-settings-service-type): New public variable.
* doc/guix.texi (Miscellaneous Services): Document it.

Co-authored-by: Julien Lepiller
---
 doc/guix.texi           |  4 ++++
 gnu/services/sysctl.scm | 13 ++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/doc/guix.texi b/doc/guix.texi index 3e7ffc81bc..d468c6f742 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -31419,6 +31419,10 @@ An association list specifies kernel parameters an= d their values. @end table @end deftp =20 +@defvr {Scheme Variable} default-sysctl-settings-service-type +The service type used to set default kernel parameters. +@end defvr + @cindex pcscd @subsubheading PC/SC Smart Card Daemon Service =20 diff --git a/gnu/services/sysctl.scm b/gnu/services/sysctl.scm index eb7a61b2a9..83704084c3 100644 --- a/gnu/services/sysctl.scm +++ b/gnu/services/sysctl.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright =A9 2017 Sou Bunnbu +;;; Copyright =A9 2021 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -25,7 +26,8 @@ #:use-module (srfi srfi-1) #:use-module (ice-9 match) #:export (sysctl-configuration - sysctl-service-type)) + sysctl-service-type + default-sysctl-settings-service-type)) =20 =0C ;;; 
@@ -74,3 +76,12 @@ (settings (append (sysctl-configuration-settings config) settings))))) (default-value (sysctl-configuration)))) + +(define default-sysctl-settings-service-type +; "Return a service that is used to set default kernel parameters for Guix +; System." + (service-type + (name 'default-sysctl-settings) + (extensions + (list (service-extension sysctl-service-type + identity))))) --=20 2.30.2

From 3040f0bb33439f041eed85e8c8e80bb52d6277cc Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Mon, 15 Mar 2021 14:31:48 -0400
Subject: [PATCH 2/2] system: Harden filesystem links.

These sysctl options are enabled on most GNU/Linux distros, including Debian, Fedora, NixOS, and OpenSUSE. I've tested these options on Guix System for several weeks, and they don't appear to break anything. Plus, we know that Guix works on other distros that enable these restrictions.

References:
https://sysctl-explorer.net/fs/protected_hardlinks/
https://sysctl-explorer.net/fs/protected_symlinks/

* gnu/services/base.scm (%base-services): Add default-sysctl-settings-service-type.
---
 gnu/services/base.scm | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm index f6a490f712..646ad800f4 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -3,7 +3,7 @@ ;;; Copyright =A9 2015, 2016 Alex Kost ;;; Copyright =A9 2015, 2016, 2020 Mark H Weaver ;;; Copyright =A9 2015 Sou Bunnbu -;;; Copyright =A9 2016, 2017 Leo Famulari +;;; Copyright =A9 2016, 2017, 2021 Leo Famulari ;;; Copyright =A9 2016 David Craven ;;; Copyright =A9 2016 Ricardo Wurmus ;;; Copyright =A9 2018 Mathieu Othacehe @@ -35,6 +35,7 @@ #:use-module (gnu services) #:use-module (gnu services admin) #:use-module (gnu services shepherd) + #:use-module (gnu services sysctl) #:use-module (gnu system pam) #:use-module (gnu system shadow) ; 'user-account', etc. #:use-module (gnu system uuid)
@@ -2532,6 +2533,10 @@ to handle." (udev-configuration (rules (list lvm2 fuse alsa-utils crda)))) =20 + (service default-sysctl-settings-service-type + '(("fs.protected_hardlinks" . "1") + ("fs.protected_symlinks" . "1"))) + (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env")))))) --=20 2.30.2
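Review bot: the doc/guix.texi hunk adds a @defvr for default-sysctl-settings-service-type that only says it "set[s] default kernel parameters", while the question that motivated this series was how users can change these new defaults; the entry should say how. One sentence with the modify-services shape would do, e.g. `(modify-services %base-services (default-sysctl-settings-service-type settings => (append settings '(("<key>" . "<value>")))))` (placeholder key and value), and note that a user who wants none of the defaults can replace the list outright in the same way.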
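Review bot: in the gnu/services/sysctl.scm hunk the two lines `+; "Return a service that is used to set default kernel parameters for Guix` / `+; System."` are a commented-out docstring, and the text is wrong for what follows: the binding is a service type, not a procedure that returns a service. Either drop the two comment lines or move the text (reworded, "Service type for the default kernel parameters of Guix System") into the service-type's `description` field, which is the string `guix system search` shows; a `;`-commented string is dead text that reads as a mistake.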
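Review bot: the gnu/services/base.scm hunk hardcodes the two settings as the service value inside %base-services; since the commit message frames them as defaults users may change, consider making them the service type's `default-value` (next to the `service-type` form in sysctl.scm) so that `(service default-sysctl-settings-service-type)` works with no argument and an override via modify-services replaces a documented default rather than an inline literal. Also, the context line `(settings (append (sysctl-configuration-settings config) settings))` shows that extension values are appended after the configuration's own settings, so a user who also sets fs.protected_hardlinks or fs.protected_symlinks in their own sysctl-configuration ends up with two entries for the key, with the appended default last; either dedupe by key in the extension, or state in the docs that changing these keys must go through default-sysctl-settings-service-type, not sysctl-configuration.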