From 898489f48e436e45e86e1ba0fcdb6df5cd5a051a Mon Sep 17 00:00:00 2001
From: Leo Famulari
Date: Tue, 16 Mar 2021 21:36:36 -0400
Subject: services: Enable "protected hardlinks" and "protected symlinks" by default.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
References: https://sysctl-explorer.net/fs/protected_hardlinks/ https://sysctl-explorer.net/fs/protected_symlinks/
* gnu/services/sysctl.scm (%default-sysctl-settings): New public variable. (): Use %default-sysctl-settings as the default value.
* gnu/services/base.scm (%base-services): Add sysctl-service-type.
* doc/guix.texi (Miscellaneous Services): Document the new defaults.
Signed-off-by: Ludovic Courtès
---
gnu/services/sysctl.scm | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'gnu/services/sysctl.scm')
diff --git a/gnu/services/sysctl.scm b/gnu/services/sysctl.scm
index eb7a61b2a9d..aaea7cc30dc 100644
--- a/gnu/services/sysctl.scm
+++ b/gnu/services/sysctl.scm
@@ -25,20 +25,26 @@
 #:use-module (srfi srfi-1)
 #:use-module (ice-9 match)
 #:export (sysctl-configuration
- sysctl-service-type))
+ sysctl-service-type
+ %default-sysctl-settings))
 ;;;
 ;;; System Control Service.
 ;;;
+(define %default-sysctl-settings
+ ;; Default kernel parameters enabled with sysctl.
+ '(("fs.protected_hardlinks" . "1")
+ ("fs.protected_symlinks" . "1")))
+
 (define-record-type* sysctl-configuration make-sysctl-configuration sysctl-configuration?
 (sysctl sysctl-configuration-sysctl ; path of the 'sysctl' command
 (default (file-append procps "/sbin/sysctl")))
 (settings sysctl-configuration-settings ; alist of string pairs
- (default '())))
+ (default %default-sysctl-settings)))
 (define (sysctl-configuration-settings->sysctl.conf settings)
 "Return a file for @command{sysctl} to set kernel parameters as specified by
-- cgit v1.3
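Review bot: The two protections apply only while `settings` is left at its default, because in the record's `settings` field a user-supplied alist replaces `%default-sysctl-settings` rather than being merged with it. A configuration that sets even one unrelated parameter would then silently drop `fs.protected_hardlinks` and `fs.protected_symlinks`, unless they are merged back somewhere outside this hunk, which cannot be confirmed from here. The comment on `%default-sysctl-settings` should state this, for example `;; Default kernel parameters enabled with sysctl.  A custom 'settings' alist replaces this list; append to it to keep these protections.` The commit message says doc/guix.texi documents the new defaults, but this view is limited to sysctl.scm, so it is worth checking that the manual shows the append form as well.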