services: tor: Switch to 'least-authority-wrapper'.
* gnu/services/networking.scm (tor-configuration->torrc): Remove "User" and "PidFile". (tor-shepherd-service): Use 'least-authority-wrapper' and 'make-forkexec-constructor' instead of 'make-forkexec-constructor/container'.
This commit is contained in:
parent
f0acb12db9
commit
fb868cd779
1 changed files with 28 additions and 19 deletions
|
@ -918,9 +918,7 @@ (define (tor-configuration->torrc config)
|
||||||
(lambda (port)
|
(lambda (port)
|
||||||
(display "\
|
(display "\
|
||||||
### These lines were generated from your system configuration:
|
### These lines were generated from your system configuration:
|
||||||
User tor
|
|
||||||
DataDirectory /var/lib/tor
|
DataDirectory /var/lib/tor
|
||||||
PidFile /var/run/tor/tor.pid
|
|
||||||
Log notice syslog\n" port)
|
Log notice syslog\n" port)
|
||||||
(when (eq? 'unix '#$socks-socket-type)
|
(when (eq? 'unix '#$socks-socket-type)
|
||||||
(display "\
|
(display "\
|
||||||
|
@ -960,7 +958,25 @@ (define (tor-shepherd-service config)
|
||||||
"Return a <shepherd-service> running Tor."
|
"Return a <shepherd-service> running Tor."
|
||||||
(match config
|
(match config
|
||||||
(($ <tor-configuration> tor)
|
(($ <tor-configuration> tor)
|
||||||
(let ((torrc (tor-configuration->torrc config)))
|
(let* ((torrc (tor-configuration->torrc config))
|
||||||
|
(tor (least-authority-wrapper
|
||||||
|
(file-append tor "/bin/tor")
|
||||||
|
#:name "tor"
|
||||||
|
#:mappings (list (file-system-mapping
|
||||||
|
(source "/var/lib/tor")
|
||||||
|
(target source)
|
||||||
|
(writable? #t))
|
||||||
|
(file-system-mapping
|
||||||
|
(source "/dev/log") ;for syslog
|
||||||
|
(target source))
|
||||||
|
(file-system-mapping
|
||||||
|
(source "/var/run/tor")
|
||||||
|
(target source)
|
||||||
|
(writable? #t))
|
||||||
|
(file-system-mapping
|
||||||
|
(source torrc)
|
||||||
|
(target source)))
|
||||||
|
#:namespaces (delq 'net %namespaces))))
|
||||||
(with-imported-modules (source-module-closure
|
(with-imported-modules (source-module-closure
|
||||||
'((gnu build shepherd)
|
'((gnu build shepherd)
|
||||||
(gnu system file-systems)))
|
(gnu system file-systems)))
|
||||||
|
@ -974,22 +990,15 @@ (define (tor-shepherd-service config)
|
||||||
(modules '((gnu build shepherd)
|
(modules '((gnu build shepherd)
|
||||||
(gnu system file-systems)))
|
(gnu system file-systems)))
|
||||||
|
|
||||||
(start #~(make-forkexec-constructor/container
|
;; XXX: #:pid-file won't work because the wrapped 'tor'
|
||||||
(list #$(file-append tor "/bin/tor") "-f" #$torrc)
|
;; program would print its PID within the user namespace
|
||||||
|
;; instead of its actual PID outside. There's no inetd or
|
||||||
#:log-file "/var/log/tor.log"
|
;; systemd socket activation support either (there's
|
||||||
#:mappings (list (file-system-mapping
|
;; 'sd_notify' though), so we're stuck with that.
|
||||||
(source "/var/lib/tor")
|
(start #~(make-forkexec-constructor
|
||||||
(target source)
|
(list #$tor "-f" #$torrc)
|
||||||
(writable? #t))
|
#:user "tor" #:group "tor"
|
||||||
(file-system-mapping
|
#:log-file "/var/log/tor.log"))
|
||||||
(source "/dev/log") ;for syslog
|
|
||||||
(target source))
|
|
||||||
(file-system-mapping
|
|
||||||
(source "/var/run/tor")
|
|
||||||
(target source)
|
|
||||||
(writable? #t)))
|
|
||||||
#:pid-file "/var/run/tor/tor.pid"))
|
|
||||||
(stop #~(make-kill-destructor))
|
(stop #~(make-kill-destructor))
|
||||||
(documentation "Run the Tor anonymous network overlay."))))))))
|
(documentation "Run the Tor anonymous network overlay."))))))))
|
||||||
|
|
||||||
|
|
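Review bot: The XXX comment added above the new `(start #~(make-forkexec-constructor` form attributes the unusable `#:pid-file` to the "user namespace", but the PID a process observes for itself is a property of the pid namespace; `#:namespaces (delq 'net %namespaces)` presumably keeps `pid` in the set (`%namespaces` is not visible here), so the line should read `;; program would print its PID within its PID namespace`. The same comment should also state what dropping `#:pid-file` costs: shepherd now reports Tor as started as soon as the fork succeeds, so a torrc or permission error surfaces only in `/var/log/tor.log`, and services that require `tor` may start before the SOCKS or control socket exists. On the privilege side, with `User tor` removed from the torrc the `#:user "tor" #:group "tor"` keywords are now the only privilege drop, and Tor (as far as I recall) merely warns when it finds itself running as root, so a one-line comment there noting that the ownership of `/var/lib/tor` and `/var/run/tor`, set up outside this hunk, must match the `tor` account would make the dependency explicit for the next maintainer. The enclosing `tor-shepherd-service` definition begins before this hunk.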