Subject: [bug#47013] [PATCH v4] gnu: Harden filesystem links.
From: Leo Famulari
To: Ludovic Courtès
Cc: 47013@debbugs.gnu.org
Date: Tue, 16 Mar 2021 22:14:00 -0400
On Tue, Mar 16, 2021 at 08:54:52PM -0400, Leo Famulari wrote:
> As a compromise, we could create a new variable %default-sysctl-settings
> and add a sysctl-service-type in %base-services that uses that variable.

Here is a v4 patch that implements this.

I wasn't sure where to put %default-sysctl-settings, so it's in (gnu services sysctl). From my naive perspective, it seemed to me that it belongs in (gnu system), but when I exported it from there, and imported (gnu system) in (gnu services base), building Guix crashes like this:

------
[ 12%] LOAD guix/scripts/system.scm
ice-9/eval.scm:293:34: error: %default-sysctl-settings: unbound variable
hint: Did you forget `(use-modules (gnu system))'?
make[2]: *** [Makefile:6304: make-go] Error 1
------

[Attachment: harden-filesystem-links.patch]

From 7c95b94918c0f119a16a9859b250bdc65054f646 Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Tue, 16 Mar 2021 21:36:36 -0400
Subject: [PATCH v4] system: Harden filesystem links.

These sysctl options are enabled on most GNU/Linux distros, including Debian, Fedora, NixOS, and OpenSUSE. I've tested these options on Guix System for several weeks, and they don't appear to break anything. Plus, we know that Guix works on other distros that enable these restrictions.

References:
https://sysctl-explorer.net/fs/protected_hardlinks/
https://sysctl-explorer.net/fs/protected_symlinks/

* gnu/services/sysctl.scm (%default-sysctl-settings): New public variable.
* gnu/services/base.scm (%base-services): Use %default-sysctl-settings.
---
 gnu/services/base.scm   | 5 +++++
 gnu/services/sysctl.scm | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/gnu/services/base.scm b/gnu/services/base.scm index f6a490f712..eaa86ffb68 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -35,6 +35,7 @@ #:use-module (gnu services) #:use-module (gnu services admin) #:use-module (gnu services shepherd) + #:use-module (gnu services sysctl) #:use-module (gnu system pam) #:use-module (gnu system shadow) ; 'user-account', etc. #:use-module (gnu system uuid) @@ -2532,6 +2533,10 @@ to handle." (udev-configuration (rules (list lvm2 fuse alsa-utils crda)))) =20 + (service sysctl-service-type + (sysctl-configuration + (settings %default-sysctl-settings))) + (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env"))))))
diff --git a/gnu/services/sysctl.scm b/gnu/services/sysctl.scm index eb7a61b2a9..dbf918eb3a 100644 --- a/gnu/services/sysctl.scm
+++ b/gnu/services/sysctl.scm @@ -25,7 +25,8 @@ #:use-module (srfi srfi-1) #:use-module (ice-9 match) #:export (sysctl-configuration - sysctl-service-type)) + sysctl-service-type + %default-sysctl-settings)) =20 =0C ;;; @@ -74,3 +75,8 @@ (settings (append (sysctl-configuration-settings config) settings))))) (default-value (sysctl-configuration)))) + +(define %default-sysctl-settings + ;; Default kernel parameters enabled with sysctl. + '(("fs.protected_hardlinks" . "1") + ("fs.protected_symlinks" . "1")))
-- 
2.30.2
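Review bot: The `(service sysctl-service-type (sysctl-configuration (settings %default-sysctl-settings)))` added to %base-services in the second base.scm hunk means an operating-system that already lists its own sysctl-service-type instance now carries two of them; the commit message (and the manual's description of sysctl-service-type) should tell existing users to adjust the instance with modify-services on %base-services rather than add a second one, so that they keep the fs.protected_hardlinks and fs.protected_symlinks defaults rather than replacing them.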
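Review bot: In the second sysctl.scm hunk, %default-sysctl-settings is only wired in through %base-services, while `(default-value (sysctl-configuration))` a few lines above still yields a configuration with empty settings; consider making %default-sysctl-settings the default of the settings field in sysctl-configuration, so that a user who instantiates sysctl-service-type directly does not silently lose the hardening. The comment `;; Default kernel parameters enabled with sysctl.` could also state what the two settings restrict instead of leaving that to the external references in the commit message.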
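For a system that already customizes sysctl-service-type, the following is an added example (not part of the patch or of Guix itself) of keeping the hardening this patch introduces while adding a setting of one's own. It assumes the patch is applied, so that %default-sysctl-settings is exported from (gnu services sysctl); "net.ipv4.ip_forward" is an illustrative extra setting, and %my-services is a hypothetical name for the value placed in the operating-system's services field.

```scheme
;; Added example, not from the patch: adjust the sysctl-service-type
;; instance that %base-services now provides instead of adding a second
;; one.  Replacing the instance outright would drop
;; fs.protected_hardlinks and fs.protected_symlinks; appending the
;; defaults keeps them.
(use-modules (gnu)
             (gnu services sysctl))

(define %my-services
  (modify-services %base-services
    (sysctl-service-type
     config =>
     (sysctl-configuration
      (inherit config)
      (settings
       (append
        ;; Illustrative site-specific setting (constructed for this example).
        '(("net.ipv4.ip_forward" . "1"))
        ;; The hardening defaults from this patch.
        %default-sysctl-settings))))))
```

Use %my-services as the value of the `services` field of the operating-system declaration; `guix system build` will then emit a sysctl configuration containing both the site setting and the two fs.protected_* entries.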