GNU bug report logs - #54997
[PATCH 00/12] Add "least authority" program wrapper
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Sun, 17 Apr 2022 21:02:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Message #104 received at 54997 <at> debbugs.gnu.org (full text, mbox):

Hi!

Changes since v1:

  • Add ‘delete-duplicates’ call in ‘references-file’.

  • Work around unreliable signal delivery in Guile (note that
    this is not a new problem; I just happened to notice it).

    This part is unsatisfactory.  The solution in the Shepherd is
    signalfd(2) on GNU/Linux, but using it requires quite a bit
    of infrastructure.

  • New #:child-is-pid1? parameter for ‘call-with-container’, set
    to #false by ‘least-authority-wrapper’.  This is probably
    overkill for most cases (daemons that, unlike Jenkins, don’t
    run arbitrary user scripts are unlikely to leave zombies
    behind them), but safer.

  • Converted opendht service to ‘least-authority-wrapper’.

I think it’s good to go.

Thoughts?

Thanks,
Ludo’.

Ludovic Courtès (15):
  gexp: Add 'references-file'.
  file-systems: Avoid load-time warnings when attempting to load (guix
    store).
  linux-container: 'call-with-container' relays SIGTERM and SIGINT.
  linux-container: Ensure signal-handling asyncs get a chance to run.
  linux-container: Add #:child-is-pid1? parameter to
    'call-with-container'.
  Add (guix least-authority).
  services: dicod: Rewrite using 'least-authority-wrapper'.
  services: dicod: Use 'make-inetd-constructor'.
  services: bitlbee: Use 'make-inetd-constructor'.
  services: ipfs: Adjust for Shepherd 0.9.
  services: ipfs: Use 'least-authority-wrapper'.
  services: wesnothd: Grant write access to /var/run/wesnothd.
  services: wesnothd: Use 'least-authority-wrapper'.
  services: quassel: Use 'least-authority-wrapper'.
  services: opendht: Use 'least-authority-wrapper'.

 Makefile.am                   |   1 +
 gnu/build/linux-container.scm |  78 +++++++++++++++--
 gnu/build/shepherd.scm        |   3 +-
 gnu/services/base.scm         |  22 -----
 gnu/services/dict.scm         |  61 ++++++++-----
 gnu/services/games.scm        |  33 +++++--
 gnu/services/messaging.scm    | 105 ++++++++++++++--------
 gnu/services/networking.scm   | 158 +++++++++++++++++-----------------
 gnu/system/file-systems.scm   |   5 +-
 gnu/tests/messaging.scm       |  21 +----
 guix/gexp.scm                 |  44 ++++++++++
 guix/least-authority.scm      | 135 +++++++++++++++++++++++++++++
 tests/gexp.scm                |  18 ++++
 13 files changed, 491 insertions(+), 193 deletions(-)
 create mode 100644 guix/least-authority.scm

base-commit: 950f3e4f98add14f645dc4c9f8c512cac7b8a779
--
2.35.1
This bug report was last modified 3 years and 72 days ago.