References: <92c75e4d057966fdf586b34e34d8b43a7361e006.1743695029.git.roman@burningswell.com>
	<2788a4ea937715053ca7210a52ed0be3976fd0b6.1743695029.git.roman@burningswell.com>
	<87h62zz9hs.fsf@gmail.com>
User-Agent: mu4e 1.12.9; emacs 29.4
Hi Maxim,

Date: Wed, 09 Apr 2025 19:31:06 +0200

Maxim Cournoyer <maxim.cournoyer@gmail.com> writes:

> Hi,
>
> Roman Scherer <roman@burningswell.com> writes:
>
>> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
>> * doc/guix.texi: Document user and group fields.
>>
>> Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
>
> [...]
>
>> +(define speakersafetyd-accounts
>> +  (match-record-lambda <speakersafetyd-configuration>
>> +      ( blackbox-directory configuration-directory group
>> +        maximum-gain-reduction speakersafetyd user)
>
> You don't need to list all the fields when using match-record, and I
> assume match-record-lambda as well.  Here only `group' and `user'
> appears useful.
>
>> +    (list (user-group
>> +           (name group)
>> +           (system? #t))
>> +          (user-account
>> +           (name user)
>> +           (group group)
>> +           (system? #t)
>> +           (home-directory "/var/empty")
>> +           (shell (file-append shadow "/sbin/nologin"))
>> +           (supplementary-groups '("audio"))))))
>> +
>> +(define speakersafetyd-activation
>> +  (match-record-lambda <speakersafetyd-configuration>
>> +      ( blackbox-directory configuration-directory group
>> +        maximum-gain-reduction speakersafetyd user)
>
> Likewise.
>
>> +    (with-imported-modules (source-module-closure '((gnu build activation)))
>> +      #~(begin
>> +          (use-modules (gnu build activation))
>> +          (let ((user (getpwnam #$user)))
>> +            (mkdir-p/perms "/run/speakersafetyd" user #o755)
>> +            (mkdir-p/perms "/var/lib/speakersafetyd" user #o755)
>> +            ;; Blackbox files contain audio recordings and might be sensitive
>> +            ;; information
>> +            (mkdir-p/perms #$blackbox-directory user #o700))))))
>>
>>  (define speakersafetyd-shepherd-service
>>    (match-record-lambda <speakersafetyd-configuration>
>> -      (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd)
>> +      ( blackbox-directory configuration-directory group
>> +        maximum-gain-reduction speakersafetyd user)
>>      (shepherd-service
>>       (documentation "Run the speaker safety daemon")
>>       (provision '(speakersafetyd))
>> @@ -306,7 +344,10 @@ (define speakersafetyd-shepherd-service
>>                 (list #$(file-append speakersafetyd "/bin/speakersafetyd")
>>                       "--config-path" #$configuration-directory
>>                       "--blackbox-path" #$blackbox-directory
>> -                     "--max-reduction" (number->string #$maximum-gain-reduction))))
>> +                     "--max-reduction" (number->string #$maximum-gain-reduction))
>> +               #:group #$group
>> +               #:supplementary-groups '("audio")
>> +               #:user #$user))
>>       (stop #~(make-kill-destructor)))))
>
> Not for a future improvement: we also have a least-authority-wrapper
> defined in (guix least-authority) that can wrap a binary to have it run
> in a Linux container, to further sandbox the process.

Interesting. Didn't know that module. I will take a look.