services: hurd-vm: Run QEMU as an unprivileged user.
Until now, qemu was running as "root", which is unnecessary. * gnu/services/virtualization.scm (%hurd-vm-accounts): New variable. (hurd-vm-service-type)[extensions]: Add ACCOUNT-SERVICE-TYPE extension.
		
							parent
							
								
									ac324be105
								
							
						
					
					
						commit
						d692ebf980
					
				
					 1 changed files with 30 additions and 13 deletions
				
			
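--- a/gnu/services/virtualization.scm
+++ b/gnu/services/virtualization.scm
@@ -959,28 +959,45 @@ is added to the OS specified in CONFIG."
        (with-imported-modules
            (source-module-closure '((gnu build secret-service)
                                     (guix build utils)))
-         #~(let ((spawn (make-forkexec-constructor #$vm-command)))
-             (lambda _
-               (let ((pid (spawn))
-                     (port #$(hurd-vm-port config %hurd-vm-secrets-port))
-                     (root #$(hurd-vm-configuration-secret-root config)))
-                 (catch #t
-                   (lambda _
-                     (secret-service-send-secrets port root))
-                   (lambda (key . args)
-                     (kill (- pid) SIGTERM)
-                     (apply throw key args)))
-                 pid)))))
+         #~(lambda ()
+             (let ((pid  (fork+exec-command #$vm-command
+                                            #:user "childhurd"
+                                            #:group "childhurd"
+                                            #:environment-variables
+                                            ;; QEMU tries to write to /var/tmp
+                                            ;; by default.
+                                            '("TMPDIR=/tmp")))
+                   (port #$(hurd-vm-port config %hurd-vm-secrets-port))
+                   (root #$(hurd-vm-configuration-secret-root config)))
+               (catch #t
+                 (lambda _
+                   (secret-service-send-secrets port root)
+                   pid)
+                 (lambda (key . args)
+                   (kill (- pid) SIGTERM)
+                   (apply throw key args)))))))
       (modules `((gnu build secret-service)
                  (guix build utils)
                  ,@%default-modules))
       (stop  #~(make-kill-destructor))))))
 
+(define %hurd-vm-accounts
+  (list (user-group (name "childhurd") (system? #t))
+        (user-account
+         (name "childhurd")
+         (group "childhurd")
+         (comment "Privilege separation user for the childhurd")
+         (home-directory "/var/empty")
+         (shell (file-append shadow "/sbin/nologin"))
+         (system? #t))))
+
 (define hurd-vm-service-type
   (service-type
    (name 'hurd-vm)
    (extensions (list (service-extension shepherd-root-service-type
-                                        hurd-vm-shepherd-service)))
+                                        hurd-vm-shepherd-service)
+                     (service-extension account-service-type
+                                        (const %hurd-vm-accounts))))
    (default-value (hurd-vm-configuration))
    (description
     "Provide a Virtual Machine running the GNU/Hurd.")))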
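Review bot: The new `childhurd` account in `%hurd-vm-accounts` declares no supplementary groups, so once `fork+exec-command` drops to `#:user "childhurd"` and `#:group "childhurd"`, QEMU can only open what that account can reach. If `vm-command` (defined outside this hunk) enables KVM or points at a root-owned disk image, the VM would presumably fail to start or fall back to software emulation; consider adding `(supplementary-groups '("kvm"))` to the `user-account` and confirming that the spawning code actually applies supplementary groups. Separately, `'("TMPDIR=/tmp")` points QEMU's temporary files at a shared, world-writable directory; a directory owned by `childhurd` with mode 0700 would keep guest data, which may include what `secret-service-send-secrets` delivers, out of a location other local users can list. The enclosing shepherd service definition starts before this hunk.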