diff options
author | Leo Famulari <leo@famulari.name> | 2021-03-16 21:36:36 -0400 |
---|---|---|
committer | Ludovic Courtès <ludo@gnu.org> | 2021-03-18 12:17:33 +0100 |
commit | 898489f48e436e45e86e1ba0fcdb6df5cd5a051a (patch) | |
tree | c9a100f2a5278eb0dfb629ec092f7f0d707c82a9 | |
parent | 45695cc8a7b56b711baf664ceedaa66124d6de26 (diff) |
services: Enable "protected hardlinks" and "protected symlinks" by default.
References:
https://sysctl-explorer.net/fs/protected_hardlinks/
https://sysctl-explorer.net/fs/protected_symlinks/
* gnu/services/sysctl.scm (%default-sysctl-settings): New public variable.
(<sysctl-configuration>): Use %default-sysctl-settings as the default value.
* gnu/services/base.scm (%base-services): Add sysctl-service-type.
* doc/guix.texi (Miscellaneous Services): Document the new defaults.
Signed-off-by: Ludovic Courtès <ludo@gnu.org>
-rw-r--r-- | doc/guix.texi | 22 | ||||
-rw-r--r-- | gnu/services/base.scm | 3 | ||||
-rw-r--r-- | gnu/services/sysctl.scm | 10 |
3 files changed, 32 insertions, 3 deletions
diff --git a/doc/guix.texi b/doc/guix.texi index 0a70ac7f11..73757be887 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -31378,6 +31378,21 @@ instantiated as: (sysctl-configuration (settings '(("net.ipv4.ip_forward" . "1"))))) @end lisp + +Since @code{sysctl-service-type} is used in the default lists of +services, @code{%base-services} and @code{%desktop-services}, you can +use @code{modify-services} to change its configuration and add the +kernel parameters that you want (@pxref{Service Reference, +@code{modify-services}}). + +@lisp +(modify-services %base-services + (sysctl-service-type config => + (sysctl-configuration + (settings (append '(("net.ipv4.ip_forward" . "1")) + %default-sysctl-settings))))) +@end lisp + @end defvr @deftp {Data Type} sysctl-configuration @@ -31387,11 +31402,16 @@ The data type representing the configuration of @command{sysctl}. @item @code{sysctl} (default: @code{(file-append procps "/sbin/sysctl"}) The @command{sysctl} executable to use. -@item @code{settings} (default: @code{'()}) +@item @code{settings} (default: @code{%default-sysctl-settings}) An association list specifies kernel parameters and their values. @end table @end deftp +@defvr {Scheme Variable} %default-sysctl-settings +An association list specifying the default @command{sysctl} parameters +on Guix System. +@end defvr + @cindex pcscd @subsubheading PC/SC Smart Card Daemon Service diff --git a/gnu/services/base.scm b/gnu/services/base.scm index f6a490f712..f50bcfdcb4 100644 --- a/gnu/services/base.scm +++ b/gnu/services/base.scm @@ -35,6 +35,7 @@ #:use-module (gnu services) #:use-module (gnu services admin) #:use-module (gnu services shepherd) + #:use-module (gnu services sysctl) #:use-module (gnu system pam) #:use-module (gnu system shadow) ; 'user-account', etc. #:use-module (gnu system uuid) @@ -2532,6 +2533,8 @@ to handle." (udev-configuration (rules (list lvm2 fuse alsa-utils crda)))) + (service sysctl-service-type) + (service special-files-service-type `(("/bin/sh" ,(file-append bash "/bin/sh")) ("/usr/bin/env" ,(file-append coreutils "/bin/env")))))) diff --git a/gnu/services/sysctl.scm b/gnu/services/sysctl.scm index eb7a61b2a9..aaea7cc30d 100644 --- a/gnu/services/sysctl.scm +++ b/gnu/services/sysctl.scm @@ -25,20 +25,26 @@ #:use-module (srfi srfi-1) #:use-module (ice-9 match) #:export (sysctl-configuration - sysctl-service-type)) + sysctl-service-type + %default-sysctl-settings)) ;;; ;;; System Control Service. ;;; +(define %default-sysctl-settings + ;; Default kernel parameters enabled with sysctl. + '(("fs.protected_hardlinks" . "1") + ("fs.protected_symlinks" . "1"))) + (define-record-type* <sysctl-configuration> sysctl-configuration make-sysctl-configuration sysctl-configuration? (sysctl sysctl-configuration-sysctl ; path of the 'sysctl' command (default (file-append procps "/sbin/sysctl"))) (settings sysctl-configuration-settings ; alist of string pairs - (default '()))) + (default %default-sysctl-settings))) (define (sysctl-configuration-settings->sysctl.conf settings) "Return a file for @command{sysctl} to set kernel parameters as specified by |