GNU bug report logs - #77638
[PATCH 0/8] Harden 'call-with-container'


Package: guix-patches;

Reported by: Ludovic Courtès <ludo <at> gnu.org>

Date: Tue, 8 Apr 2025 12:23:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.



Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: guix-patches <at> gnu.org
Cc: Ludovic Courtès <ludo <at> gnu.org>
Subject: [PATCH 0/8] Harden 'call-with-container'
Date: Tue,  8 Apr 2025 14:22:06 +0200
Hello Guix,

This patch series hardens ‘call-with-container’, largely inspired by the
discussions had while working on the unprivileged daemon.  This depends
on <https://issues.guix.gnu.org/77288> for ‘unshare’.

My main test was:

  make check TESTS="tests/containers.scm tests/guix-home.sh tests/guix-environment-container.sh"

… which catches most issues.

I also manually tested ‘least-authority-wrapper’.  I did not test
‘guix system container’.

Note the incompatible change in ‘guix shell -C’, where the root is now
read-only by default (it was indirectly documented as being writable
before).  I think it’s an acceptable change, but we can discuss.  :-)

Thoughts?

Ludo’.

Ludovic Courtès (8):
  linux-container: Add #:mounts to ‘eval/container’.
  guix home: ‘container’ explicitly mounts $HOME and /run/user/1000.
  linux-container: Support having a read-only root file system.
  guix home: ‘container’ provides a read-only root file system.
  environment: Add ‘--writable-root’ and default to read-only root.
  syscalls: Add ‘get-user-ns’.
  linux-container: Set up “lo” and generate /etc/hosts by default.
  linux-container: Lock mounts by default.

 doc/guix.texi                       |   7 +-
 gnu/build/linux-container.scm       | 172 +++++++++++++++++++++-------
 gnu/system/linux-container.scm      |  31 +++--
 guix/build/syscalls.scm             |  14 +++
 guix/scripts/environment.scm        | 100 ++++++++--------
 guix/scripts/home.scm               |  92 +++++++--------
 tests/containers.scm                |  59 +++++++++-
 tests/guix-environment-container.sh |  11 +-
 tests/guix-home.sh                  |   3 +-
 9 files changed, 336 insertions(+), 153 deletions(-)


base-commit: b94cf86a89ef0a6bf7ec2c8e52f64c5107888f55
-- 
2.49.0
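The cover letter above says that after this series the container root is read-only by default while a few directories ($HOME, /run/user/1000) are mounted explicitly. A practitioner applying the series will want to confirm that layout from inside a container. The script below is an added example, not code from the patch series or from Guix: it parses the /proc/self/mountinfo format documented in proc(5) and reports whether the root mount is read-only and which mount points are writable beyond an allow-list. The sample mountinfo lines are constructed; the mount point paths and the expected-writable set are assumptions for illustration. One caveat it handles: a read-only bind mount shows `ro` in the per-mount options (field 6) while the superblock options after the ` - ` separator may still say `rw`, so the check must look at the per-mount field.

```python
"""Verify the mount layout seen from inside a container.

Added example (not part of the Guix patch series): parses
/proc/self/mountinfo lines and reports whether the root mount is
read-only and which mount points are writable, so the behaviour the
series describes (read-only root, explicit $HOME and /run/user/<uid>
mounts) can be checked. Field layout follows proc(5).
"""
import os
import re

# Constructed sample in /proc/self/mountinfo format. Note the root line:
# per-mount options say "ro" (a read-only bind mount) while the
# superblock options after " - " still say "rw".
SAMPLE_MOUNTINFO = """\
100 99 0:40 / / ro,nosuid,nodev,relatime - tmpfs none rw
101 100 8:1 /home/alice /home/alice rw,relatime - ext4 /dev/sda1 rw
102 100 0:41 / /run/user/1000 rw,nosuid,nodev,relatime - tmpfs tmpfs rw,size=1024k
103 100 0:42 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
104 100 0:43 / /tmp rw,nosuid,nodev,relatime - tmpfs tmpfs rw
"""


def unescape(field):
    """Undo the octal escapes mountinfo uses for space, tab, newline, backslash."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text):
    """Parse mountinfo content into a list of dicts.

    Per proc(5) each line is:
      id parent major:minor root mount_point options [optional fields...] - fstype source super_options
    The " - " separator is unambiguous because spaces inside paths are escaped.
    """
    mounts = []
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        if not sep:
            continue  # blank or malformed line
        fields = pre.split()
        post_fields = post.split()
        if len(fields) < 6 or not post_fields:
            continue
        mounts.append({
            "mount_point": unescape(fields[4]),
            # Per-mount flags: this is where a read-only bind mount shows "ro".
            "options": set(fields[5].split(",")),
            "fstype": post_fields[0],
            "source": unescape(post_fields[1]) if len(post_fields) > 1 else "",
            # Superblock flags: may say "rw" even when the mount itself is "ro".
            "super_options": set(post_fields[2].split(",")) if len(post_fields) > 2 else set(),
        })
    return mounts


def writable_mounts(mounts):
    """Sorted mount points whose per-mount options lack 'ro'."""
    return sorted(m["mount_point"] for m in mounts if "ro" not in m["options"])


def check_container_layout(mounts, expected_writable):
    """Return (root_is_read_only, writable mount points not in the allow-list)."""
    root = next((m for m in mounts if m["mount_point"] == "/"), None)
    root_ro = root is not None and "ro" in root["options"]
    unexpected = [p for p in writable_mounts(mounts) if p not in expected_writable]
    return root_ro, unexpected


if __name__ == "__main__":
    # Run against the real table when available, else the constructed sample.
    path = "/proc/self/mountinfo"
    text = open(path).read() if os.path.exists(path) else SAMPLE_MOUNTINFO
    mounts = parse_mountinfo(text)
    # Allow-list is an assumption: adjust to the $HOME and uid in use.
    root_ro, unexpected = check_container_layout(
        mounts, {"/home/alice", "/run/user/1000", "/proc"})
    print("root read-only:", root_ro)
    print("writable mounts outside allow-list:", unexpected)
```

Run it inside `guix shell -C` (or any container) to see whether `/` carries `ro` and which paths remain writable; with the constructed sample it reports the root as read-only and flags `/tmp` as the one writable mount outside the allow-list.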
