[bug#61462] Add support for file capabilities(7)
From: Tobias Geerinckx-Rice
Subject: [bug#61462] Add support for file capabilities(7)
Date: Sun, 12 Feb 2023 21:37:54 +0100
Hi Guix,
I need to offload some of my eternally rebased local patches.
Here's one that makes it easy to assign capabilities(7) —
currently through setcap(8) — to programmes like we can
set{u,g}id.
There are many packages that benefit from this. Mine are:
  (privileged-programs
   (cons* (privileged-program
           (file-append mtr "/sbin/mtr")
           (capabilities "cap_net_raw+ep"))
          (privileged-program
           (file-append nethogs "/sbin/nethogs")
           ;; "cap_new_raw" in the original is a typo; the capability is cap_net_raw.
           (capabilities "cap_net_admin,cap_net_raw+ep"))
          (privileged-program
           (file-append light "/bin/light")
           (setuid? #t))
          %default-privileged-programs))
The set's over a year old and needs a bit of love. Some details
might have bitrot, I probably forgot a to-do or two in that year,
and there's something unguixy about calling setcap(8) instead of
writing a completely new Guile binding/module :-)
I'm quite opinionated about the setuid-programs unification: there
should not be multiple confusing and masking layers of privilege,
and it should be possible to setgid a capable executable.
Kind regards,
T G-R
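The kind of check a privileged-program service could run before ever calling setcap(8), added here as an illustration and not part of the patch series: it parses the setcap-style text that `capabilities` takes and rejects unknown capability names or malformed clauses. Written in Python rather than Guile; the capability list, regular expressions, function names and the sample entries (which deliberately include a misspelled name) are this example's own.

```python
import re

# Linux capability names as cap_from_text(3) spells them (CAP_* constants, lowercased).
KNOWN_CAPS = frozenset("cap_" + n for n in """
chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin
sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write
audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend
audit_read perfmon bpf checkpoint_restore""".split())
# A clause is a comma-separated name list followed by action groups: +, - or = with e/i/p flags.
CLAUSE_RE = re.compile(r"^([a-z_]+(?:,[a-z_]+)*)((?:[+\-=][eip]*)+)$")
ACTION_RE = re.compile(r"([+\-=])([eip]*)")


def parse_cap_spec(spec: str) -> dict[str, set[str]]:
    """Parse a setcap(8) text spec like "cap_net_admin,cap_net_raw+ep" into
    {capability: flag set}; raise ValueError on unknown names or bad syntax.
    Handles clauses that name capabilities explicitly (not bare "=ep" or "all")."""
    state: dict[str, set[str]] = {}
    for clause in spec.lower().split():
        m = CLAUSE_RE.match(clause)
        if not m:
            raise ValueError(f"malformed clause {clause!r}")
        names = m.group(1).split(",")
        if unknown := [n for n in names if n not in KNOWN_CAPS]:
            raise ValueError(f"unknown capability name(s): {', '.join(unknown)}")
        for op, flags in ACTION_RE.findall(m.group(2)):
            for name in names:
                cur = state.setdefault(name, set())
                if op == "=":  # "=" replaces the flag set rather than adding to it
                    cur.clear()
                if op == "-":
                    cur -= set(flags)
                else:
                    cur |= set(flags)
    return {name: flags for name, flags in state.items() if flags}


def validate_programs(programs: dict[str, str]) -> dict[str, str]:
    """Return {path: error} for every entry whose capability spec does not parse."""
    errors = {}
    for path, spec in programs.items():
        try:
            parse_cap_spec(spec)
        except ValueError as exc:
            errors[path] = str(exc)
    return errors


# Constructed sample modelled on the config above; "cap_new_raw" is a deliberate misspelling.
SAMPLE = {"/sbin/mtr": "cap_net_raw+ep", "/sbin/nethogs": "cap_net_admin,cap_new_raw+ep"}
```

Running `validate_programs(SAMPLE)` reports only the nethogs entry, which is exactly the sort of detail that bit-rots silently until setcap fails on the target machine.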
- [bug#61462] [PATCH 01/10] system: Disallow file-like setuid-programs., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 02/10] services: setuid-program: Populate /run/privileged/bin., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 03/10] system: Use /run/privileged/bin in search paths., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 04/10] gnu: Replace (almost) all uses of /run/setuid-programs., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 05/10] system: Add (gnu system privilege)., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 06/10] system: (gnu system setuid) wraps (gnu system privilege)., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 07/10] build: Rename activate-setuid-programs., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 08/10] services: Rename setuid-program-service-type., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 09/10] system: Use privileged-program-service-type by default., Tobias Geerinckx-Rice, 2023/02/12
- [bug#61462] [PATCH 10/10] system: Add privileged-programs to <operating-system>., Tobias Geerinckx-Rice, 2023/02/12