futurile/guix-play
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

services: hurd-vm: Run QEMU as an unprivileged user.

Browse Source 
Until qemu was running as "root", which is unnecessary.

* gnu/services/virtualization.scm (%hurd-vm-accounts): New variable.
(hurd-vm-service-type)[extensions]: Add ACCOUNT-SERVICE-TYPE extension.
This commit is contained in:
Ludovic Courtès 2020-09-26 16:50:49 +02:00
parent ac324be105
commit d692ebf980
No known key found for this signature in database
GPG Key ID: 090B11993D9AEBB5
1 changed files with 30 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
gnu/services/virtualization.scm
View File

@ -959,28 +959,45 @@ is added to the OS specified in CONFIG."
(with-imported-modules (with-imported-modules
(source-module-closure '((gnu build secret-service) (source-module-closure '((gnu build secret-service)
(guix build utils))) (guix build utils)))
#~(let ((spawn (make-forkexec-constructor #$vm-command))) #~(lambda ()
(lambda _ (let ((pid (fork+exec-command #$vm-command
(let ((pid (spawn)) #:user "childhurd"
(port #$(hurd-vm-port config %hurd-vm-secrets-port)) #:group "childhurd"
(root #$(hurd-vm-configuration-secret-root config))) #:environment-variables
(catch #t ;; QEMU tries to write to /var/tmp
(lambda _ ;; by default.
(secret-service-send-secrets port root)) '("TMPDIR=/tmp")))
(lambda (key . args) (port #$(hurd-vm-port config %hurd-vm-secrets-port))
(kill (- pid) SIGTERM) (root #$(hurd-vm-configuration-secret-root config)))
(apply throw key args))) (catch #t
pid))))) (lambda _
(secret-service-send-secrets port root)
pid)
(lambda (key . args)
(kill (- pid) SIGTERM)
(apply throw key args)))))))
(modules `((gnu build secret-service) (modules `((gnu build secret-service)
(guix build utils) (guix build utils)
,@%default-modules)) ,@%default-modules))
(stop #~(make-kill-destructor)))))) (stop #~(make-kill-destructor))))))
(define %hurd-vm-accounts
(list (user-group (name "childhurd") (system? #t))
(user-account
(name "childhurd")
(group "childhurd")
(comment "Privilege separation user for the childhurd")
(home-directory "/var/empty")
(shell (file-append shadow "/sbin/nologin"))
(system? #t))))
(define hurd-vm-service-type (define hurd-vm-service-type
(service-type (service-type
(name 'hurd-vm) (name 'hurd-vm)
(extensions (list (service-extension shepherd-root-service-type (extensions (list (service-extension shepherd-root-service-type
hurd-vm-shepherd-service))) hurd-vm-shepherd-service)
(service-extension account-service-type
(const %hurd-vm-accounts))))
(default-value (hurd-vm-configuration)) (default-value (hurd-vm-configuration))
(description (description
"Provide a Virtual Machine running the GNU/Hurd."))) "Provide a Virtual Machine running the GNU/Hurd.")))