[PATCH] gnu: Harden filesystem links.

These sysctl options are enabled on most GNU/Linux distros, including

Debian, Fedora, NixOS, and OpenSUSE.

I've tested this patch on Guix System for several weeks, and it doesn't

appear to break anything. Plus, we know that Guix works on other distros

that enable these restrictions.

References:

sysctl-configuration that enables fs.protected_hardlinks and

fs.protected_symlinks.

---

gnu/services/base.scm | 9 ++++++++-

1 file changed, 8 insertions(+), 1 deletion(-)

Here is an updated patch that can be composed with other

sysctl-service-types that the user may have added to config.scm.

From 1e3bd831899a4ec9dfa7199a381421adbfe0dcf7 Mon Sep 17 00:00:00 2001

These sysctl options are enabled on most GNU/Linux distros, including

Debian, Fedora, NixOS, and OpenSUSE.

I've tested this patch on Guix System for several weeks, and it doesn't

appear to break anything. Plus, we know that Guix works on other distros

that enable these restrictions.

References:

(%base-services): Add default-sysctl-settings.

---

gnu/services/base.scm | 10 ++++++++++

1 file changed, 10 insertions(+)

On Fri, Mar 12, 2021 at 05:05:51PM -0500, Leo Famulari wrote:

The only issue that I see with this revised patch is that it's not clear

how users could disable these default settings if they wanted to.

Re-setting these options to another value by adding a

sysctl-service-type to the services field of config.scm does not

override the default-settings.

And trying to remove the default-sysctl-settings simple-service doesn't

work (even when exporting the variable from (gnu services base)).

Does anyone know how we could make it possible for users to change these

new defaults?

On Fri, Mar 12, 2021 at 05:51:21PM -0500, Leo Famulari wrote:

With assistance from roptat on #guix, I wrote these patches that work

well and meet all the requirements I had in mind.

Your thoughts? I'd like to push this soon.

From 38f1aaf8b44739ccfb1f824c7fb85d4dc6b5d991 Mon Sep 17 00:00:00 2001

parameters.

variable.

---

doc/guix.texi | 4 ++++

gnu/services/sysctl.scm | 13 ++++++++++++-

2 files changed, 16 insertions(+), 1 deletion(-)

Hi!

Leo Famulari <leo@famulari.name> skribis:

[...]

[...]

Why not just use ‘sysctl-service-type’ here?

‘default-sysctl-settings-service-type’ looks very much like

‘sysctl-service-type’, but I’m not sure we need a second one?

Thanks!

Ludo’.

Hi!

Leo Famulari <leo@famulari.name> skribis:

With your first patch, to change the default settings, one has to write:

(modify-services %base-services

(sysctl-service-type config => …))

With your first patch, someone who already had a ‘sysctl-service-type’

instance as part of their services would now get an error at reconfigure

time.

Your second patch nicely addresses that; the downside is that it

actually makes it slightly harder to change the defaults because you

wouldn’t know what to pass in your ‘modify-services’ form.

All in all, I have a slight preference for the first patch. It could be

accompanied with a news.scm entry to explain the incompatible change,

maybe.

Thoughts?

Thanks,

Ludo’.

On Tue, Mar 16, 2021 at 11:18:18PM +0100, Ludovic Court�s wrote:

We discussed this on IRC.

Basically, my goal is to make it easy for users to add their own

sysctl-service-type without accidentally removing the default sysctl

settings. My third patch achieves that.

However, you did not like that it required creating a new service type

just to set some defaults.

As a compromise, we could create a new variable %default-sysctl-settings

and add a sysctl-service-type in %base-services that uses that variable.

At least, that way, it would be a little more clear that there are some

defaults. The manual could show users how to append their own sysctl

parameters to %default-sysctl-settings.

While implementing that, I noticed the variable

%default-kernel-arguments in (gnu system).

All these years, I have been setting some custom kernel-arguments, and I

never noticed there was a default value that I was erasing. This

illustrates why I prefer the approach in my 3rd patch. Otherwise, it

will be very easy for users to implicitly and unexpectedly disable the

default parameters we are trying to set, if they try to add their own.

On Tue, Mar 16, 2021 at 08:54:52PM -0400, Leo Famulari wrote:

Here is a v4 patch that implements this. I wasn't sure where to put

%default-sysctl-settings, so it's in (gnu services sysctl).

From my naive perspective, it seemed to me that it belongs in (gnu

system), but when I exported it from there, and imported (gnu system) in

(gnu services base), building Guix crashes like this:

------

[ 12%] LOAD guix/scripts/system.scm

ice-9/eval.scm:293:34: error: %default-sysctl-settings: unbound variable

hint: Did you forget `(use-modules (gnu system))'?

make[2]: *** [Makefile:6304: make-go] Error 1

------

From 7c95b94918c0f119a16a9859b250bdc65054f646 Mon Sep 17 00:00:00 2001

These sysctl options are enabled on most GNU/Linux distros, including

Debian, Fedora, NixOS, and OpenSUSE.

I've tested this options on Guix System for several weeks, and they

don't appear to break anything. Plus, we know that Guix works on other

distros that enable these restrictions.

References:

---

gnu/services/base.scm | 5 +++++

gnu/services/sysctl.scm | 8 +++++++-

2 files changed, 12 insertions(+), 1 deletion(-)

Hi,

Leo Famulari <leo@famulari.name> skribis:

Yeah, some circular module dependency.

I propose this minor change:

Write (service sysctl-service-type) here, and…

… change the default value of the ‘settings’ field of

<sysctl-configuration> to be ‘%default-sysctl-settings’.

We should also add a @defvr and adjust guix.texi accordingly.

WDYT?

Thanks,

Ludo’.

On Wed, Mar 17, 2021 at 09:49:04PM +0100, Ludovic Courtès wrote:

Sure, I'll implement your suggestions and send a v5 patch.

On Wed, Mar 17, 2021 at 05:01:54PM -0400, Leo Famulari wrote:

Here is the revised patch.

From 1817aec86076307f7b85cdc27b9ead572d0575e7 Mon Sep 17 00:00:00 2001

References:

(<sysctl-configuration>): Use %default-sysctl-settings as the default value.

---

doc/guix.texi | 22 +++++++++++++++++++++-

gnu/services/base.scm | 3 +++

gnu/services/sysctl.scm | 10 ++++++++--

3 files changed, 32 insertions(+), 3 deletions(-)

Hi Leo,

Leo Famulari <leo@famulari.name> skribis:

Looks perfect to me, thank you!

Ludo’.

Not tested but looks ok. Could you extend the documentation a bit? Maybe add the expected type of data for the service and an example on how to use it with modify-services? With lirks to relevant sections.

Le 15 mars 2021 14:56:06 GMT-04:00, Leo Famulari <leo@famulari.name> a écrit :

On Thu, Mar 18, 2021 at 10:36:38AM +0100, Ludovic Court�s wrote:

Great! This was pushed as 898489f48e436e45e86e1ba0fcdb6df5cd5a051a

close 47013

On Mon, Mar 15, 2021 at 04:23:24PM -0400, Julien Lepiller wrote:

We ended up pushing a slightly different patch from the one you've

replied to.

We did add documentation along the lines you requested, but let me know

if you see more room for improvment:

Ah sorry! Looks like my email was delayed, probably an issue on my side. Documentation looks good, thanks!

Le 18 mars 2021 13:39:20 GMT-04:00, Leo Famulari <leo@famulari.name> a écrit :

There is a need to have important sysctl settings

fs.protected_hardlinks and fs.protected_symlinks for all

installations of Guix in the world unless explicitly stated

otherwise. Currently in Linux kernel they are unset by default. It

is also stated that other distributions do the same.

In perfect world I would go for Solution 1 below, as it is most

effectful, and clean.

Solution 1: From this statement, it seems that the first resort

whould be Linux kernel it self. If it would be possible to

configure them with Kconfig, that would be best place. As of my

brief look at linux/fs, they are not configurable, but may be I

miss somthing. Any way preferred solution would be just compile

kernel with protected hardlinks and symlinks set to 1. Since other

distributions do the same, it could be reasonable to expose these

two settings via Kconfig, and solve it there.

- pros: great for the world

- cons: have to do enhancement in mainline Linux

Solution 2: If it is not possible to have these two settings in

kernel as per Solution 1, Guix may maintain a patch to kernel that

would do this.

- pros: no need to enhance mainline Linux

- cons: will impact users who do use Guix and compile Linux kernel

them selves

Solution 3: Handle in Guix configuration. Everything below related

to solution 3.

Currently it is set as folowing:

;; gnu/services/sysctl.scm

(define-module ....

#:export (....

%default-sysctl-settings)

(define %default-sysctl-settings

;; Default kernel parameters enabled with sysctl.

'(("fs.protected_hardlinks" . "1")

("fs.protected_symlinks" . "1")))

(define-record-type* <sysctl-configuration>

sysctl-configuration make-sysctl-configuration

sysctl-configuration?

(sysctl sysctl-configuration-sysctl ; path of the 'sysctl'

command

(default (file-append procps "/sbin/sysctl")))

(settings sysctl-configuration-settings ; alist of string pairs

(default %default-sysctl-settings)))

;; ends- gnu/services/sysctl.scm

And sysctl-service-type it self is added to the

%base-services. Since sysctl-configuration-settings function to

access settings field of sysctl-configuration instance is not

exported, I have to do the following in my configuration:

(define nomad-gx1-os

(operating-system

(inherit my-base-nomad-os) ;; important line-#1

...

(services

(modify-services my-base-nomad-services

(sysctl-service-type config =>

(inherit config)

(settings

(append

%default-sysctl-settings ;; from

gnu/services/sysctl.scm

'(("fs.inotify.max_user_watches" . "524288")

("fs.inotify.max_user_instances" . "16384")

("fs.inotify.max_queued_events" . "65536")))))))))

This is fine, until I extend sysctl-service-type in

my-base-nomad-os. Then I have to export

my-base-nomad-sysctl-settings and join them with

%default-sysctl-settings and extra settings for

nomad-gx1-os. While it is bearable for one or two levels of

inheritance, it becomes hard to keep track for more levels and/or

many hosts.

If sysctl-configuration-settings would be exported as per #47323,

then my configuration would become simplier:

(services

(modify-services my-base-nomad-services

(sysctl-service-type config =>

(inherit config)

(settings

(append

(sysctl-configuration-settings config) ;; now I can't

do this

'(("fs.inotify.max_user_watches" . "524288")

("fs.inotify.max_user_instances" . "16384")

("fs.inotify.max_queued_events" . "65536")))))))))

In this case, if Guix documentation will include

sysctl-configuration-settings, then most likely people won't

forget use %default-sysctl-settings, and it is still possible to

override them if one desires not to use protected symlinks and

hardlinks.

As per discussion with Leo on IRC #guix.

There is a need to have important sysctl settings

fs.protected_hardlinks and fs.protected_symlinks for all

installations of Guix in the world unless explicitly stated

otherwise. Currently in Linux kernel they are unset by default. It

is also stated that other distributions do the same.

In perfect world I would go for Solution 1 below, as it is most

effectful, and clean.

Solution 1: From this statement, it seems that the first resort

whould be Linux kernel it self. If it would be possible to

configure them with Kconfig, that would be best place. As of my

brief look at linux/fs, they are not configurable, but may be I

miss somthing. Any way preferred solution would be just compile

kernel with protected hardlinks and symlinks set to 1. Since other

distributions do the same, it could be reasonable to expose these

two settings via Kconfig, and solve it there.

- pros: great for the world

- cons: have to do enhancement in mainline Linux

Solution 2: If it is not possible to have these two settings in

kernel as per Solution 1, Guix may maintain a patch to kernel that

would do this.

- pros: no need to enhance mainline Linux

- cons: will impact users who do use Guix and compile Linux kernel

them selves

Solution 3: Handle in Guix configuration. Everything below related

to solution 3.

Currently it is set as folowing:

;; gnu/services/sysctl.scm

(define-module ....

#:export (....

%default-sysctl-settings)

(define %default-sysctl-settings

;; Default kernel parameters enabled with sysctl.

'(("fs.protected_hardlinks" . "1")

("fs.protected_symlinks" . "1")))

(define-record-type* <sysctl-configuration>

sysctl-configuration make-sysctl-configuration

sysctl-configuration?

(sysctl sysctl-configuration-sysctl ; path of the 'sysctl'

command

(default (file-append procps "/sbin/sysctl")))

(settings sysctl-configuration-settings ; alist of string pairs

(default %default-sysctl-settings)))

;; ends- gnu/services/sysctl.scm

And sysctl-service-type it self is added to the

%base-services. Since sysctl-configuration-settings function to

access settings field of sysctl-configuration instance is not

exported, I have to do the following in my configuration:

(define nomad-gx1-os

(operating-system

(inherit my-base-nomad-os) ;; important line-#1

...

(services

(modify-services my-base-nomad-services

(sysctl-service-type config =>

(inherit config)

(settings

(append

%default-sysctl-settings ;; from

gnu/services/sysctl.scm

'(("fs.inotify.max_user_watches" . "524288")

("fs.inotify.max_user_instances" . "16384")

("fs.inotify.max_queued_events" . "65536")))))))))

This is fine, until I extend sysctl-service-type in

my-base-nomad-os. Then I have to export

my-base-nomad-sysctl-settings and join them with

%default-sysctl-settings and extra settings for

nomad-gx1-os. While it is bearable for one or two levels of

inheritance, it becomes hard to keep track for more levels and/or

many hosts.

If sysctl-configuration-settings would be exported as per #47323,

then my configuration would become simplier:

(services

(modify-services my-base-nomad-services

(sysctl-service-type config =>

(inherit config)

(settings

(append

(sysctl-configuration-settings config) ;; now I can't

do this

'(("fs.inotify.max_user_watches" . "524288")

("fs.inotify.max_user_instances" . "16384")

("fs.inotify.max_queued_events" . "65536")))))))))

In this case, if Guix documentation will include

sysctl-configuration-settings, then most likely people won't

forget use %default-sysctl-settings, and it is still possible to

override them if one desires not to use protected symlinks and

hardlinks.

--

muradm