services: hurd-vm: Run QEMU as an unprivileged user.

Until qemu was running as "root", which is unnecessary.

* gnu/services/virtualization.scm (%hurd-vm-accounts): New variable.
(hurd-vm-service-type)[extensions]: Add ACCOUNT-SERVICE-TYPE extension.
This commit is contained in:
Ludovic Courtès 2020-09-26 16:50:49 +02:00
parent ac324be105
commit d692ebf980
No known key found for this signature in database
GPG key ID: 090B11993D9AEBB5

View file

@ -959,28 +959,45 @@ (define vm-command
(with-imported-modules (with-imported-modules
(source-module-closure '((gnu build secret-service) (source-module-closure '((gnu build secret-service)
(guix build utils))) (guix build utils)))
#~(let ((spawn (make-forkexec-constructor #$vm-command))) #~(lambda ()
(lambda _ (let ((pid (fork+exec-command #$vm-command
(let ((pid (spawn)) #:user "childhurd"
#:group "childhurd"
#:environment-variables
;; QEMU tries to write to /var/tmp
;; by default.
'("TMPDIR=/tmp")))
(port #$(hurd-vm-port config %hurd-vm-secrets-port)) (port #$(hurd-vm-port config %hurd-vm-secrets-port))
(root #$(hurd-vm-configuration-secret-root config))) (root #$(hurd-vm-configuration-secret-root config)))
(catch #t (catch #t
(lambda _ (lambda _
(secret-service-send-secrets port root)) (secret-service-send-secrets port root)
pid)
(lambda (key . args) (lambda (key . args)
(kill (- pid) SIGTERM) (kill (- pid) SIGTERM)
(apply throw key args))) (apply throw key args)))))))
pid)))))
(modules `((gnu build secret-service) (modules `((gnu build secret-service)
(guix build utils) (guix build utils)
,@%default-modules)) ,@%default-modules))
(stop #~(make-kill-destructor)))))) (stop #~(make-kill-destructor))))))
(define %hurd-vm-accounts
(list (user-group (name "childhurd") (system? #t))
(user-account
(name "childhurd")
(group "childhurd")
(comment "Privilege separation user for the childhurd")
(home-directory "/var/empty")
(shell (file-append shadow "/sbin/nologin"))
(system? #t))))
(define hurd-vm-service-type (define hurd-vm-service-type
(service-type (service-type
(name 'hurd-vm) (name 'hurd-vm)
(extensions (list (service-extension shepherd-root-service-type (extensions (list (service-extension shepherd-root-service-type
hurd-vm-shepherd-service))) hurd-vm-shepherd-service)
(service-extension account-service-type
(const %hurd-vm-accounts))))
(default-value (hurd-vm-configuration)) (default-value (hurd-vm-configuration))
(description (description
"Provide a Virtual Machine running the GNU/Hurd."))) "Provide a Virtual Machine running the GNU/Hurd.")))