From 71f0676a295841e2cc662eec0d3e9b7e69726035 Mon Sep 17 00:00:00 2001 From: Tobias Geerinckx-Rice Date: Sun, 23 Jul 2023 02:00:00 +0200 Subject: privilege: Add POSIX capabilities(7) support. * gnu/system/privilege.scm (): Add a field representing the program's POSIX capabilities. (privileged-program-capabilities): New public procedure. * doc/guix.texi (Privileged Programs): Document it. * gnu/build/activation.scm (activate-privileged-programs): Take a LIBCAP package argument providing setcap(8) to apply said capabilities. * gnu/services.scm (privileged-program->activation-gexp): Pass said package argument where supported. Include privileged-program-capabilities in the compatibility hack. --- gnu/system/privilege.scm | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'gnu/system') diff --git a/gnu/system/privilege.scm b/gnu/system/privilege.scm index 455a659a12..d89d5d5d1c 100644 --- a/gnu/system/privilege.scm +++ b/gnu/system/privilege.scm @@ -25,13 +25,14 @@ (define-module (gnu system privilege) privileged-program-setuid? privileged-program-setgid? privileged-program-user - privileged-program-group)) + privileged-program-group + privileged-program-capabilities)) ;;; Commentary: ;;; ;;; Data structures representing privileged programs: binaries with additional -;;; permissions such as setuid/setgid. This is meant to be used both on the -;;; host side and at run time--e.g., in activation snippets. +;;; permissions such as setuid/setgid, or POSIX capabilities. This is meant to +;;; be used both on the host side and at run time--e.g., in activation snippets. ;;; ;;; Code: @@ -51,4 +52,7 @@ (define-record-type* (default 0)) ;; The group name or ID we want to set this to (defaults to root's). (group privileged-program-group ;integer or string - (default 0))) + (default 0)) + ;; POSIX capabilities in cap_from_text(3) form (defaults to #f: none). + (capabilities privileged-program-capabilities ;string or #f + (default #f))) -- cgit v1.2.3
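Review bot: In the Commentary block of the first hunk (@@ -25,13 +25,14), "POSIX capabilities" is left unqualified, while the commit subject cites capabilities(7) and the new field comment cites cap_from_text(3). Suggest naming the man page here too, for example "setuid/setgid, or POSIX capabilities(7)", so that someone reading only the module header knows which mechanism is meant without scrolling to the record definition.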
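Review bot: The new capabilities field in the second hunk (@@ -51,4 +52,7) is typed only by its trailing comment, ";string or #f", so nothing checks the value when the record is built. Going by the commit message, a malformed cap_from_text(3) string would surface only when setcap(8) runs in activate-privileged-programs. Consider validating the field at construction time, at least that it is a string or #f. The comment could also give one sample value in cap_from_text(3) form and say how capabilities is meant to interact with setuid? and setgid?, since all three can be set on the same record and the visible lines do not say what happens when they are combined.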