GNU bug report logs - #78179
[PATCH 0/4] Add wireshark-service-type with privileged wrapper


Package: guix-patches;

Reported by: Rutherther <rutherther <at> ditigal.xyz>

Date: Thu, 1 May 2025 08:28:01 UTC

Severity: normal

Tags: patch

Message #11 received at 78179 <at> debbugs.gnu.org:

From: Rutherther <rutherther <at> ditigal.xyz>
To: 78179 <at> debbugs.gnu.org
Cc: Rutherther <rutherther <at> ditigal.xyz>
Subject: [PATCH 2/4] guix: Add (guix build privileged) module.
Date: Thu,  1 May 2025 10:29:35 +0200

Wireshark refers to #$output/bin/dumpcap to start dumpcap. This means it's
problematic to make a service for it that would add dumpcap to privileged
programs.

This procedure introduces a possibility to replace a file in the output with a
script that will try to execute the binary in /run/privileged/bin first, and
fall back to the original one from the store. This ensures the package works on
both Guix System and foreign distros. The downside is that /run/privileged/bin
will be executed every time, so it would be impossible to test different
versions of the packages. To overcome that, the GUIX_SKIP_PRIVILEGED variable is
introduced, and if it is set, the original dumpcap will be used.

* guix/build/privileged.scm (unwrap): Remove wrapping by wrap-program.
* guix/build/privileged.scm (wrap-privileged): Make a shell script for a
program that needs privileges.

Change-Id: Ieacd7f2d80c5b6ecba74d9309cb2c5a6d556aa8e
---
 guix/build/privileged.scm | 48 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 guix/build/privileged.scm

diff --git a/guix/build/privileged.scm b/guix/build/privileged.scm
new file mode 100644
index 0000000000..6a456e02c0
--- /dev/null
+++ b/guix/build/privileged.scm
@@ -0,0 +1,48 @@
+(define-module (guix build privileged)
+  #:use-module (gnu build activation)
+  #:use-module (guix build utils)
+  #:use-module (ice-9 format)
+  #:export (wrap-privileged))
+
+;;; Move .xxx-real to xxx, if it exists.
+(define (unwrap binary)
+  (let* ((name (basename binary))
+         (folder (dirname binary))
+         (real (string-append folder "/." name "-real")))
+    (when (file-exists? real)
+      (format #t "Unwrapping ~a~%" binary)
+      (rename-file real binary))))
+
+;;;
+;;; 1. Move {output}/{original} to {output}/{target-folder}/{target-name}.
+;;; 2. Make a script at original-binary that executes /run/privileged/bin/{target-name}
+;;;    if it exists, if not, output/{target-folder}/{target-name} is executed.
+;;;
+(define* (wrap-privileged output
+                          original
+                          target-name
+                          #:key
+                          (unwrap? #t)
+                          (target-folder "privileged")
+                          (privileged-directory %privileged-program-directory))
+  "Make a shell wrapper for binary that should be ran as privileged.
+
+The wrapper script will try executing binary in /run/privileged/bin, if it exists,
+and if not, it will fall back to the original."
+  (let ((original-file (string-append output "/" original))
+        (target-file (string-append output "/" target-folder "/" target-name))
+        (privileged-file (string-append privileged-directory "/" target-name)))
+    (when unwrap?
+      (unwrap original-file))
+    (mkdir-p (dirname target-file))
+    (rename-file original-file target-file)
+    (call-with-output-file original-file
+      (lambda (port)
+        (format port "#!/usr/bin/env bash
+if [[ -z \"$GUIX_SKIP_PRIVILEGED\" && -f \"~a\" ]]; then
+  exec -a \"$0\" \"~a\" \"$@\"
+fi
+
+exec -a \"$0\" \"~a\" \"$@\"
+" privileged-file privileged-file target-file)
+        (chmod port #o555)))))
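Review bot: `unwrap` renames `.NAME-real` over `NAME`, which silently discards whatever wrapper `wrap-program` had installed there, so any environment variables that wrapper exported are lost for both the store copy and the privileged copy; either document that the default `unwrap? #t` is only safe when the discarded wrapper sets nothing the binary needs, or re-create that wrapper around the moved target file. In the generated script, `-f \"~a\"` only tests existence, so a non-executable file in the privileged directory makes the `exec` fail instead of falling back to the store copy (`-x` is the condition the comment describes), and `#!/usr/bin/env bash` together with `[[ ... ]]` depends on a bash being found on the caller's PATH at runtime rather than on a fixed store path. The docstring also reads "should be ran" (should be run) and hard-codes /run/privileged/bin even though the directory is configurable through `#:privileged-directory`.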
-- 
2.49.0
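The dispatch behaviour the commit message describes (privileged copy first, store copy as fallback, GUIX_SKIP_PRIVILEGED forcing the store copy), reproduced as an added shell example that is not part of the submitted patch. It builds a constructed output tree in a temporary directory and checks which copy each invocation reaches. It deliberately differs from the patch in three labelled ways: the generated wrapper is POSIX sh rather than bash, it tests `-x` rather than `-f` so a non-executable privileged file falls back instead of failing, and it omits `exec -a "$0"`.

```shell
#!/bin/sh
# Added example, not the patch's code. Assumptions: POSIX sh wrapper,
# -x instead of -f, no "exec -a". The layout under $output mirrors the
# patch: $output/ORIGINAL becomes $output/privileged/TARGET_NAME.

# write_privileged_wrapper OUTPUT ORIGINAL TARGET_NAME PRIVILEGED_DIR
# Move OUTPUT/ORIGINAL aside and replace it with a dispatch script.
write_privileged_wrapper() {
  output=$1; original=$2; target_name=$3; privileged_dir=$4
  original_file="$output/$original"
  target_file="$output/privileged/$target_name"
  privileged_file="$privileged_dir/$target_name"
  mkdir -p "$(dirname "$target_file")"
  mv "$original_file" "$target_file"
  # Paths are expanded now (unquoted heredoc); "$@" and the override
  # variable are escaped so they are evaluated when the wrapper runs.
  cat > "$original_file" <<EOF
#!/bin/sh
# Prefer the privileged copy unless GUIX_SKIP_PRIVILEGED is set or the
# privileged copy is missing or not executable.
if [ -z "\$GUIX_SKIP_PRIVILEGED" ] && [ -x "$privileged_file" ]; then
  exec "$privileged_file" "\$@"
fi
exec "$target_file" "\$@"
EOF
  chmod 555 "$original_file"
}

# dispatch_demo: constructed scenario. Prints three words, one per case:
#   1. privileged copy present, no override
#   2. GUIX_SKIP_PRIVILEGED set (testing a package's own dumpcap)
#   3. privileged copy absent (foreign distro, or no service installed)
dispatch_demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/out/bin" "$tmp/priv"
  # Constructed stand-ins for the store binary and the privileged copy.
  printf '#!/bin/sh\necho store\n' > "$tmp/out/bin/dumpcap"
  printf '#!/bin/sh\necho privileged\n' > "$tmp/priv/dumpcap"
  chmod 755 "$tmp/out/bin/dumpcap" "$tmp/priv/dumpcap"

  write_privileged_wrapper "$tmp/out" bin/dumpcap dumpcap "$tmp/priv"

  a=$("$tmp/out/bin/dumpcap")
  b=$(GUIX_SKIP_PRIVILEGED=1 "$tmp/out/bin/dumpcap")
  rm "$tmp/priv/dumpcap"
  c=$("$tmp/out/bin/dumpcap")

  rm -rf "$tmp"
  echo "$a $b $c"
}

dispatch_demo
```

Running the block prints `privileged store store`: the wrapper reaches the privileged copy only when it exists, is executable, and the override variable is unset; every other case lands on the relocated store copy, which is the fallback the commit message relies on for foreign distributions.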