GNU bug report logs

#78179 [PATCH 0/4] Add wireshark-service-type with privileged wrapper

Package	Source(s)		Maintainer(s)
guix-patches		PTS Buildd Popcon

Reported by Rutherther <rutherther@ditigal.xyz>
Date 2025-05-01T08:28:01
Severity normal
Tags patch
Done Rutherther <rutherther@ditigal.xyz>

Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to GNUtoo@cyberdimension.org, maxim.cournoyer@gmail.com, guix-patches@gnu.org:
bug#78179; Package guix-patches. (Thu, 01 May 2025 08:28:01 GMT) (full text, mbox, link).

Acknowledgement sent to Rutherther <rutherther@ditigal.xyz>:
New bug report received and forwarded. Copy sent to GNUtoo@cyberdimension.org, maxim.cournoyer@gmail.com, guix-patches@gnu.org. (Thu, 01 May 2025 08:28:02 GMT) (full text, mbox, link).

Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

Hi,

recently I discucced on devel mailing list on the topic of a wireshark service type.
I would like to thank Denis 'GNUtoo' Carikli who helped me a lot in coming to this idea.

# Motivation

The issue with wireshark is that it refers to dumpcap from the bin folder of the output.
That is good usually, but not so with Wireshark as dumpcap needs to run with capabilities,
and the store cannot have binaries with capabilities.
In addition to that, dumpcap was wrapped with gtk wrapping phase, unnecessarily,
this complicates the matter a bit, since interpreted executables cannot get setuid or capabilities.
I think that is still something to look at in the future - wrap-program doesn't work for setuid/capabilities,
maybe it would be good to introduce wrap-program-binary that would make a binary instead for the wrapping,
but it's not topic of this patch series.

# Solution

The solution works like this:
1. #$output/bin/dumpcap is unwrapped (mv #$output/bin/.dumpcap-real #$output/bin/dumpcap)
2. #$output/bin/dumpcap is replaced with a shell script that looks if /run/privileged/bindumpcap exists,
   if it does, it is executed. If it doesn't, the original dumpcap binary is executed. Additionally GUIX_SKIP_PRIVILEGED=1
   will skip the check and start the original binary
3. The original binary is put to #$output/privileged/dumpcap (we can change the folder, but name of the binary is important here for privileged-program - it cannot change name)
4. The service will make privileged program referring to #$output/privileged/dumpcap

# Implementation

I've decided to introduce a new module, (guix build privileged), this module exposes just one function: wrap-privileged.
This function accepts:
- output - output folder of the package (/gnu/store/...-dumpcap-ver)
- original - path to the original binary under the output (bin/dumpcap)
- target-name - name that will end up in #$output/privileged
- #:unwrap - whether to try unwrapping the binary. This has to be #t currently to work properly (#t)
  only binary wrappers would allow for it to be #f.
- #:target-folder - what folder under output to put the target to (privileged)
- #:privileged-directory - where are privileged programs. I've exposed %privileged-program-directory
  from (gnu build activation) (/run/privileged/bin)

This function is then used in a new phase of wireshark wrap-privileged, that is happening
after qt-wrap (so that the binary can be unwrapped).
Additionally I added bash to inputs of wireshark, so that the shebang is patched
(I've decided to let this be handled by the patch-shebang phase rather than passing path to
bash to the wrap-privileged function which would add complexity, unnecessarily imho)

```
(add-after 'qt-wrap 'wrap-dumpcap
  (lambda _
    (wrap-privileged
      #$output
      "bin/dumpcap"
      "dumpcap")))
```

Then I added the service, referring to the wireshark/privileged/dumpcap.

# Future

After this feature is introduced into the Guix code, other packages could be changed to it.
I've checked the code and there seem to be a few packages that already patch the source to refer
to /run/privileged.
- singularity, spice-gtk: refer to their own binary.
- spacefm, udevil, zabbix-agentd, xsecurelock: refer to a binary of different package.

The second category is going to have to be thought through further, I am not sure
what the best approach is going to be. If to make shell scripts in the packages
or consider adding new packages that would have such shell scripts in their bin folder.

# Considerations

- Maybe the wrapped script should be a guile script instead of a shell one?
- Wrapped executables cannot work with this as was discussed in intro.
- I really had trouble coming up with the wrap-privileged function interface, maybe the parameters could be made more intuitive.
- Should this be added to the manual
- During testing I found out that wireshark binary doesn't pass GUIX_SKIP_PRIVILEGED env var through
  to dumpcap wrapper :(

Feedback welcome,
Cheers!
Rutherther

Rutherther (4):
  gnu: %privileged-program-directory: Export variable.
  guix: Add (guix build privileged) module.
  gnu: wireshark: Wrap dumpcap with wrap-privileged.
  services: Add wireshark-service-type.

 gnu/build/activation.scm    |  4 +++-
 gnu/packages/networking.scm | 17 +++++++++++--
 gnu/services/networking.scm | 35 ++++++++++++++++++++++++++-
 guix/build/privileged.scm   | 48 +++++++++++++++++++++++++++++++++++++
 4 files changed, 100 insertions(+), 4 deletions(-)
 create mode 100644 guix/build/privileged.scm


base-commit: d505cb960fd1e670be9a66d9fdbad94bc49e891d
--
2.49.0

Information forwarded to guix-patches@gnu.org:
bug#78179; Package guix-patches. (Thu, 01 May 2025 08:30:02 GMT) (full text, mbox, link).

Message #8 received at 78179@debbugs.gnu.org (full text, mbox, reply):

* gnu/build/activation.scm (%privileged-program-directory): Export.

Change-Id: I4929b35d9d1fc72aaae68e40cc144d1589fab0b2
---
 gnu/build/activation.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 272a789291..e8a70dc739 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm
@@ -50,7 +50,9 @@ (define-module (gnu build activation)
             activate-firmware
             activate-ptrace-attach
             activate-current-system
-            mkdir-p/perms))
+            mkdir-p/perms
+
+            %privileged-program-directory))
 
 ;;; Commentary:
 ;;;
-- 
2.49.0

Information forwarded to guix-patches@gnu.org:
bug#78179; Package guix-patches. (Thu, 01 May 2025 08:30:03 GMT) (full text, mbox, link).

Message #11 received at 78179@debbugs.gnu.org (full text, mbox, reply):

Wireshark refers to #$output/bin/dumpcap to start dumpcap. This means it's
problematic to make a service for it that would add dumpcap to privileged
programs.

This procedure introduces a possibility to replace a file in the output with a
script that will try to execute binary in /run/privileged/bin first, and
fallback to the original one from store. This ensures the package works on
both Guix System and foreign distros. The downside is that /run/privileged/bin
will be executed every time, so it would be impossible to test different
versions of the packages. To overcome that, GUIX_SKIP_PRIVILEGED variable is
introduced, and if set, the original dumpcap will be used.

* guix/build/privileged.scm (unwrap): Removes wrapping by wrap-program
* guix/build/privileged.scm (wrap-privileged): Make a shell script for a
program that needs privileges

Change-Id: Ieacd7f2d80c5b6ecba74d9309cb2c5a6d556aa8e
---
 guix/build/privileged.scm | 48 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 guix/build/privileged.scm

diff --git a/guix/build/privileged.scm b/guix/build/privileged.scm
new file mode 100644
index 0000000000..6a456e02c0
--- /dev/null
+++ b/guix/build/privileged.scm
@@ -0,0 +1,48 @@
+(define-module (guix build privileged)
+  #:use-module (gnu build activation)
+  #:use-module (guix build utils)
+  #:use-module (ice-9 format)
+  #:export (wrap-privileged))
+
+;;; Move .xxx-real to xxx, if it exists.
+(define (unwrap binary)
+  (let* ((name (basename binary))
+         (folder (dirname binary))
+         (real (string-append folder "/." name "-real")))
+    (when (file-exists? real)
+      (format #t "Unwrapping ~a~%" binary)
+      (rename-file real binary))))
+
+;;;
+;;; 1. Move {output}/{original} to {output}/{target-folder}/{target-name}.
+;;; 2. Make a script at original-binary that executes /run/privileged/bin/{target-name}
+;;;    if it exists, if not, output/{target-folder}/{target-name} is executed.
+;;;
+(define* (wrap-privileged output
+                          original
+                          target-name
+                          #:key
+                          (unwrap? #t)
+                          (target-folder "privileged")
+                          (privileged-directory %privileged-program-directory))
+  "Make a shell wrapper for binary that should be ran as privileged.
+
+The wrapper script will try executing binary in /run/privileged/bin, if it exists,
+and if not, it will fall back to the original."
+  (let ((original-file (string-append output "/" original))
+        (target-file (string-append output "/" target-folder "/" target-name))
+        (privileged-file (string-append privileged-directory "/" target-name)))
+    (when unwrap?
+      (unwrap original-file))
+    (mkdir-p (dirname target-file))
+    (rename-file original-file target-file)
+    (call-with-output-file original-file
+      (lambda (port)
+        (format port "#!/usr/bin/env bash
+if [[ -z \"$GUIX_SKIP_PRIVILEGED\" && -f \"~a\" ]]; then
+  exec -a \"$0\" \"~a\" \"$@\"
+fi
+
+exec -a \"$0\" \"~a\" \"$@\"
+" privileged-file privileged-file target-file)
+        (chmod port #o555)))))
-- 
2.49.0

Information forwarded to guix-patches@gnu.org:
bug#78179; Package guix-patches. (Thu, 01 May 2025 08:30:04 GMT) (full text, mbox, link).

Message #14 received at 78179@debbugs.gnu.org (full text, mbox, reply):

Adds wireshark service that puts wireshark to the profile and dumpcap to
privileged programs so that any user can use wireshark on the system.

* gnu/services/networking.scm (wireshark-configuration): New variable.
* gnu/services/networking.scm (wireshark-privileged-program): New variable.
* gnu/services/networking.scm (wireshark-service-type): New variable.

Change-Id: Id4b0ce02fecc43592784bf22aaafa83b63c599d4
---
 gnu/services/networking.scm | 35 ++++++++++++++++++++++++++++++++++-
 1 file changed, 34 insertions(+), 1 deletion(-)

diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm
index 67653e2cbf..cd418f5f16 100644
--- a/gnu/services/networking.scm
+++ b/gnu/services/networking.scm
@@ -51,6 +51,7 @@ (define-module (gnu services networking)
   #:use-module (gnu system shadow)
   #:use-module (gnu system pam)
   #:use-module ((gnu system file-systems) #:select (file-system-mapping))
+  #:use-module (gnu system privilege)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages base)
   #:use-module (gnu packages bash)
@@ -290,7 +291,12 @@ (define-module (gnu services networking)
 
             keepalived-configuration
             keepalived-configuration?
-            keepalived-service-type))
+            keepalived-service-type
+
+            wireshark-configuration
+            wireshark-configuration?
+            wireshark-configuration-wireshark
+            wireshark-service-type))
 
 ;;; Commentary:
 ;;;
@@ -2726,4 +2732,31 @@ (define keepalived-service-type
                  "Run @uref{https://www.keepalived.org/, Keepalived}
 routing software.")))
 
+(define-configuration wireshark-configuration
+  (wireshark
+   (file-like wireshark)
+   "wireshark package.")
+  (no-serialization))
+
+(define (wireshark-privileged-programs config)
+  (list
+   (privileged-program
+    (program
+     (file-append (wireshark-configuration-wireshark config) "/privileged/dumpcap"))
+    (capabilities "cap_net_raw,cap_net_admin=eip"))))
+
+(define wireshark-service-type
+  (service-type
+   (name 'wireshark)
+   (extensions
+    (list
+     (service-extension profile-service-type
+                        (compose list wireshark-configuration-wireshark))
+     (service-extension privileged-program-service-type
+                        wireshark-privileged-programs)))
+   (default-value (wireshark-configuration))
+   (description "Run wireshark. https://www.wireshark.org/
+
+All users of the system will be able to run dumpcap without special permissions.")))
+
 ;;; networking.scm ends here
-- 
2.49.0

Information forwarded to guix-patches@gnu.org:
bug#78179; Package guix-patches. (Thu, 01 May 2025 08:30:05 GMT) (full text, mbox, link).

Message #17 received at 78179@debbugs.gnu.org (full text, mbox, reply):

Wraps Wireshark so that dumpcap can be made a privileged program.
The ...wireshark/bin/dumpcap will be a shell script that tries to execute
/run/privileged/bin/dumpcap first and falls back to the original dumpcap that
is stored in ...wireshark/privileged/dumpcap.

* gnu/packages/networking.scm (wireshark)[modules]: Add guix build privileged.
* gnu/packages/networking.scm (wireshark)[imported-modules]: Add guix build privileged.
* gnu/packages/networking.scm (wireshark)[inputs]: Add bash.
* gnu/packages/networking.scm (wireshark)[phases]: Add wrap-dumpcap phase
executing wrap-privileged.

Change-Id: Ia19670d0372af40c01a26c1d15f41ce668ce023d
---
 gnu/packages/networking.scm | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm
index 2a27474826..f957cc02e5 100644
--- a/gnu/packages/networking.scm
+++ b/gnu/packages/networking.scm
@@ -87,6 +87,7 @@ (define-module (gnu packages networking)
   #:use-module ((guix licenses) #:prefix license:)
   #:use-module (guix packages)
   #:use-module (guix download)
+  #:use-module (guix modules)
   #:use-module (guix gexp)
   #:use-module (guix git-download)
   #:use-module (guix build-system cmake)
@@ -1829,6 +1830,11 @@ (define-public wireshark
     (build-system qt-build-system)
     (arguments
      (list
+      #:modules `((guix build privileged)
+                  (guix build qt-build-system)
+                  (guix build utils))
+      #:imported-modules `(,@(source-module-closure '((guix build privileged)))
+                           ,@%qt-build-system-modules)
       ;; This causes the plugins to register runpaths for the wireshark
       ;; libraries, which would otherwise cause the validate-runpath phase to
       ;; fail.
@@ -1844,9 +1850,16 @@ (define-public wireshark
                 (invoke "ctest" "-VV"
                         "-j" (if parallel-tests?
                                  (number->string (parallel-job-count))
-                                 "1"))))))))
+                                 "1")))))
+          (add-after 'qt-wrap 'wrap-dumpcap
+            (lambda _
+              (wrap-privileged
+               #$output
+               "bin/dumpcap"
+               "dumpcap"))))))
     (inputs
-     (list c-ares
+     (list bash
+           c-ares
            glib
            gnutls
            brotli
-- 
2.49.0

Reply sent to Rutherther <rutherther@ditigal.xyz>:
You have taken responsibility. (Sat, 23 Aug 2025 14:28:02 GMT) (full text, mbox, link).

Notification sent to Rutherther <rutherther@ditigal.xyz>:
bug acknowledged by developer. (Sat, 23 Aug 2025 14:28:02 GMT) (full text, mbox, link).

Message #22 received at 78179-done@debbugs.gnu.org (full text, mbox, reply):

Moved to https://codeberg.org/guix/guix/pulls/2223 as there is no
activity here.

Display info messages

Send a report that this bug log contains spam.

debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Tue Sep 9 08:09:45 2025; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.