;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2021 Brice Waegeneire <brice@waegenei.re>
;;; Copyright © 2022 Tobias Geerinckx-Rice <me@tobias.gr>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu system privilege)
  #:use-module (guix records)
  #:export (privileged-program
            privileged-program?
            privileged-program-program
            privileged-program-setuid?
            privileged-program-setgid?
            privileged-program-user
            privileged-program-group
            privileged-program-capabilities

            file-like->setuid-program))

;;; Commentary:
;;;
;;; Data structures representing privileged programs: binaries with additional
;;; permissions such as setuid/setgid, or POSIX capabilities.  This is meant to
;;; be used both on the host side and at run time--e.g., in activation snippets.
;;;
;;; Code:

(define-record-type* <privileged-program>
  privileged-program make-privileged-program
  privileged-program?
  ;; File name of the program to assign elevated privileges.
  (program       privileged-program-program) ;file-like
  ;; Whether to set the setuid (‘set user ID’) bit.
  (setuid?       privileged-program-setuid? ;boolean
                 (default #f))
  ;; Whether to set the setgid (‘set group ID’) bit.
  (setgid?       privileged-program-setgid? ;boolean
                 (default #f))
  ;; The user name or ID this should be set to (defaults to root's).
  (user          privileged-program-user ;integer or string
                 (default 0))
  ;; The group name or ID we want to set this to (defaults to root's).
  (group         privileged-program-group ;integer or string
                 (default 0))
  ;; POSIX capabilities in cap_from_text(3) form (defaults to #f: none).
  (capabilities  privileged-program-capabilities ;string or #f
                 (default #f)))

(define (file-like->setuid-program program)
  "Simple wrapper to facilitate MAPping over a list of file-like objects and
make them setuid, a pattern just common enough to justify a special helper."
  (privileged-program (program program)
                      (setuid? #t)))
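
An added example, not part of GNU Guix: a small review helper that walks a list of `<privileged-program>` records and reports which ones grant root through the setuid/setgid bits rather than through a narrow capability set. The names `root-id?`, `privilege-findings` and `sample-programs`, the placeholder files, and the capability string are assumptions made for illustration; it assumes an environment where the Guix modules are on the load path (for instance `guix repl`).

```scheme
(use-modules (gnu system privilege)
             (guix gexp))

(define (root-id? id)
  ;; The USER and GROUP fields hold either an integer ID or a name string.
  (or (eqv? id 0) (equal? id "root")))

(define (privilege-findings entry)
  "Return a list of symbols naming the settings of ENTRY worth reviewing."
  (let ((setuid? (privileged-program-setuid? entry))
        (setgid? (privileged-program-setgid? entry))
        (caps    (privileged-program-capabilities entry)))
    (append
     ;; Setuid with the default owner (0) means the program runs as root.
     (if (and setuid? (root-id? (privileged-program-user entry)))
         '(setuid-root) '())
     ;; Same reasoning for the setgid bit and the default group (0).
     (if (and setgid? (root-id? (privileged-program-group entry)))
         '(setgid-root) '())
     ;; With every field at its default the record grants nothing.
     (if (not (or setuid? setgid? caps))
         '(no-elevation) '()))))

;; Constructed sample entries; the file-like objects are empty placeholders.
(define sample-programs
  (list
   ;; Broad grant: what file-like->setuid-program produces.
   (cons "setuid helper"
         (file-like->setuid-program (plain-file "tool-a" "")))
   ;; Narrow grant: one capability in cap_from_text(3) form, no setuid bit.
   (cons "capability helper"
         (privileged-program
          (program (plain-file "tool-b" ""))
          (capabilities "cap_net_raw+ep")))
   ;; Setgid to a non-root group given by name.
   (cons "setgid helper"
         (privileged-program
          (program (plain-file "tool-c" ""))
          (setgid? #t)
          (group "games")))
   ;; All defaults: no bit and no capabilities.
   (cons "empty entry"
         (privileged-program
          (program (plain-file "tool-d" ""))))))

(for-each (lambda (pair)
            (format #t "~a: ~s~%" (car pair) (privilege-findings (cdr pair))))
          sample-programs)
```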