[bug#47013] [PATCH] gnu: Harden filesystem links.
From: Ludovic Courtès
Subject: [bug#47013] [PATCH] gnu: Harden filesystem links.
Date: Wed, 17 Mar 2021 21:49:04 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Hi,
Leo Famulari <leo@famulari.name> writes:
> On Tue, Mar 16, 2021 at 08:54:52PM -0400, Leo Famulari wrote:
>> As a compromise, we could create a new variable %default-sysctl-settings
>> and add a sysctl-service-type in %base-services that uses that variable.
>
> Here is a v4 patch that implements this. I wasn't sure where to put
> %default-sysctl-settings, so it's in (gnu services sysctl).
>
> From my naive perspective, it seemed to me that it belongs in (gnu
> system), but when I exported it from there, and imported (gnu system) in
> (gnu services base), building Guix crashes like this:
>
> ------
> [ 12%] LOAD guix/scripts/system.scm
> ice-9/eval.scm:293:34: error: %default-sysctl-settings: unbound variable
> hint: Did you forget `(use-modules (gnu system))'?
Yeah, some circular module dependency.
I propose this minor change:
> +++ b/gnu/services/base.scm
> @@ -35,6 +35,7 @@
> #:use-module (gnu services)
> #:use-module (gnu services admin)
> #:use-module (gnu services shepherd)
> + #:use-module (gnu services sysctl)
> #:use-module (gnu system pam)
> #:use-module (gnu system shadow) ; 'user-account', etc.
> #:use-module (gnu system uuid)
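Review bot: this import is the direction that avoids the circular dependency Leo hit, but it only works as long as (gnu services sysctl) never imports (gnu services base) or (gnu system) itself; the import list visible in the sysctl.scm hunk below shows only (srfi srfi-1) and (ice-9 match), which is consistent with that, and it is worth keeping that constraint in mind if %default-sysctl-settings ever needs to reference something from (gnu system). Placement between (gnu services shepherd) and (gnu system pam) keeps the list sorted.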
> @@ -2532,6 +2533,10 @@ to handle."
> (udev-configuration
> (rules (list lvm2 fuse alsa-utils crda))))
>
> + (service sysctl-service-type
> + (sysctl-configuration
> + (settings %default-sysctl-settings)))
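Review bot: with the `settings` field of `sysctl-configuration` defaulting to `%default-sysctl-settings`, the explicit `sysctl-configuration` here is redundant and the entry collapses to `(service sysctl-service-type)`. The more important consequence is for users: anyone who replaces this entry via `modify-services` with their own `(sysctl-configuration (settings '(...)))` silently loses `fs.protected_hardlinks` and `fs.protected_symlinks` unless they append `%default-sysctl-settings` to their list, whereas extending the service (the extension procedure appends to the configuration's own settings) keeps them. The documentation for the variable should say so.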
Write (service sysctl-service-type) here, and…
> +++ b/gnu/services/sysctl.scm
> @@ -25,7 +25,8 @@
> #:use-module (srfi srfi-1)
> #:use-module (ice-9 match)
> #:export (sysctl-configuration
> - sysctl-service-type))
> + sysctl-service-type
> + %default-sysctl-settings))
>
>
> ;;;
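Review bot: exporting `%default-sysctl-settings` is needed for the reference in (gnu services base), and it must stay exported even after the default moves into the record field, because that is what lets users write `(append my-settings %default-sysctl-settings)` rather than re-typing the hardening entries.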
> @@ -74,3 +75,8 @@
> (settings (append (sysctl-configuration-settings config)
> settings)))))
> (default-value (sysctl-configuration))))
> +
> +(define %default-sysctl-settings
> + ;; Default kernel parameters enabled with sysctl.
> + '(("fs.protected_hardlinks" . "1")
> + ("fs.protected_symlinks" . "1")))
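Review bot: the comment on `%default-sysctl-settings` says what the list is but not why these two entries are in it; suggest stating the purpose so a later reader does not trim them, e.g. `;; fs.protected_symlinks: only follow symlinks in sticky world-writable directories when the link owner matches the follower or the directory owner.` and `;; fs.protected_hardlinks: users may only hard-link files they own or have read/write access to.` That text can then be reused for the @defvr entry in guix.texi that is still missing from this patch.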
… change the default value of the ‘settings’ field of
<sysctl-configuration> to be ‘%default-sysctl-settings’.
We should also add a @defvr and adjust guix.texi accordingly.
WDYT?
Thanks,
Ludo’.
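As an added example (not code from this thread or from Guix itself), here is how the proposal in this message looks from the user's side: it assumes Ludovic's change has been applied, i.e. the `settings` field of `<sysctl-configuration>` defaults to `%default-sysctl-settings` and `%base-services` carries `(service sysctl-service-type)`. It uses the standard Guix forms `simple-service` and `modify-services`; the `kernel.kptr_restrict` entry and the `hardening-kept?` helper are constructed for the illustration.

```scheme
;; Added example, not part of the patch or of Guix.  Assumes the 'settings'
;; field of <sysctl-configuration> defaults to %default-sysctl-settings.
(use-modules (gnu)                    ; %base-services, simple-service, modify-services
             (gnu services sysctl)    ; sysctl-service-type, sysctl-configuration
             (srfi srfi-1))           ; every

;; Option A (recommended): extend the service.  The extension procedure in
;; sysctl.scm appends extensions to the configuration's own settings, so
;; the hardened defaults in %base-services are preserved.
(define my-sysctl-extension
  (simple-service 'my-sysctl sysctl-service-type
                  '(("kernel.kptr_restrict" . "1"))))   ; constructed setting

;; Option B: replace the configuration.  A fresh settings list DROPS the
;; defaults, so they have to be appended back explicitly.
(define my-sysctl-config
  (sysctl-configuration
   (settings (append '(("kernel.kptr_restrict" . "1"))
                     %default-sysctl-settings))))

;; Check (constructed helper): #t when SETTINGS still carries every entry
;; of %default-sysctl-settings.  'member' compares pairs with equal?.
(define (hardening-kept? settings)
  (every (lambda (default) (member default settings))
         %default-sysctl-settings))

(hardening-kept? (sysctl-configuration-settings my-sysctl-config))  ; => #t
(hardening-kept? '(("kernel.kptr_restrict" . "1")))                  ; => #f

;; Services list for an operating-system declaration, using option A for the
;; extra setting and leaving the %base-services entry as it is.
(define my-services
  (cons my-sysctl-extension %base-services))

;; Alternative using option B, replacing the entry wholesale:
(define my-services/replaced
  (modify-services %base-services
    (sysctl-service-type config => my-sysctl-config)))
```

Whichever option a configuration uses, the test is the same: the settings list that reaches `sysctl-service-type` must still contain both `fs.protected_*` pairs, which is exactly what a user who writes `(settings '(...))` without the `append` loses.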