Subject: [bug#78179] [PATCH 0/4] Add wireshark-service-type with privileged wrapper
From: Rutherther <rutherther@HIDDEN>
To: 78179 <at> debbugs.gnu.org
Cc: Rutherther <rutherther@HIDDEN>, Denis 'GNUtoo' Carikli <GNUtoo@HIDDEN>, Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Date: Thu, 1 May 2025 10:26:59 +0200
Message-ID: <cover.1746086472.git.rutherther@HIDDEN>

Hi,

recently I discussed on the devel mailing list the topic of a wireshark service type. I would like to thank Denis 'GNUtoo' Carikli, who helped me a lot in coming to this idea.

# Motivation

The issue with wireshark is that it refers to dumpcap from the bin folder of the output. That is usually good, but not so with Wireshark, as dumpcap needs to run with capabilities, and the store cannot have binaries with capabilities.
In addition to that, dumpcap was unnecessarily wrapped by the gtk wrapping phase; this complicates the matter a bit, since interpreted executables cannot get setuid or capabilities. I think that is still something to look at in the future: wrap-program doesn't work for setuid/capabilities, maybe it would be good to introduce wrap-program-binary that would make a binary instead for the wrapping, but it's not the topic of this patch series.

# Solution

The solution works like this:

1. #$output/bin/dumpcap is unwrapped (mv #$output/bin/.dumpcap-real #$output/bin/dumpcap).
2. #$output/bin/dumpcap is replaced with a shell script that looks whether /run/privileged/bin/dumpcap exists; if it does, it is executed. If it doesn't, the original dumpcap binary is executed. Additionally, GUIX_SKIP_PRIVILEGED=1 will skip the check and start the original binary.
3. The original binary is put in #$output/privileged/dumpcap (we can change the folder, but the name of the binary is important here for privileged-program: it cannot change name).
4. The service will make a privileged program referring to #$output/privileged/dumpcap.

# Implementation

I've decided to introduce a new module, (guix build privileged); this module exposes just one function: wrap-privileged. This function accepts:

- output - output folder of the package (/gnu/store/...-dumpcap-ver)
- original - path to the original binary under the output (bin/dumpcap)
- target-name - name that will end up in #$output/privileged
- #:unwrap - whether to try unwrapping the binary. This has to be #t currently to work properly (#t); only binary wrappers would allow for it to be #f.
- #:target-folder - what folder under output to put the target in (privileged)
- #:privileged-directory - where the privileged programs are. I've exposed %privileged-program-directory from (gnu build activation) (/run/privileged/bin)

This function is then used in a new phase of wireshark, wrap-privileged, that happens after qt-wrap (so that the binary can be unwrapped).
Additionally I added bash to the inputs of wireshark, so that the shebang is patched (I've decided to let this be handled by the patch-shebang phase rather than passing the path to bash to the wrap-privileged function, which would add complexity, unnecessarily imho).

```
(add-after 'qt-wrap 'wrap-dumpcap
  (lambda _
    (wrap-privileged #$output "bin/dumpcap" "dumpcap")))
```

Then I added the service, referring to wireshark/privileged/dumpcap.

# Future

After this feature is introduced into the Guix code, other packages could be changed to it. I've checked the code and there seem to be a few packages that already patch the source to refer to /run/privileged.

- singularity, spice-gtk: refer to their own binary.
- spacefm, udevil, zabbix-agentd, xsecurelock: refer to a binary of a different package.

The second category is going to have to be thought through further; I am not sure what the best approach is going to be, whether to make shell scripts in the packages or to consider adding new packages that would have such shell scripts in their bin folder.

# Considerations

- Maybe the wrapped script should be a guile script instead of a shell one?
- Wrapped executables cannot work with this, as was discussed in the intro.
- I really had trouble coming up with the wrap-privileged function interface; maybe the parameters could be made more intuitive.
- Should this be added to the manual?
- During testing I found out that the wireshark binary doesn't pass the GUIX_SKIP_PRIVILEGED env var through to the dumpcap wrapper :(

Feedback welcome,

Cheers!
Rutherther

Rutherther (4):
  gnu: %privileged-program-directory: Export variable.
  guix: Add (guix build privileged) module.
  gnu: wireshark: Wrap dumpcap with wrap-privileged.
  services: Add wireshark-service-type.
 gnu/build/activation.scm    |  4 +++-
 gnu/packages/networking.scm | 17 +++++++++++--
 gnu/services/networking.scm | 35 ++++++++++++++++++++++++++-
 guix/build/privileged.scm   | 48 +++++++++++++++++++++++++++++++++++++
 4 files changed, 100 insertions(+), 4 deletions(-)
 create mode 100644 guix/build/privileged.scm

base-commit: d505cb960fd1e670be9a66d9fdbad94bc49e891d
-- 
2.49.0
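The dispatch rule described in the Solution section of the cover letter, as an added example that is not part of the patch series or of Guix: a POSIX sh re-creation of what the script generated by wrap-privileged does, exercised against constructed stand-ins for the store output and /run/privileged/bin inside a temporary directory. The paths, helper names and fake dumpcap binaries are assumptions made here. Two deliberate deviations from the patch: exec -a "$0" is dropped so the wrapper runs under plain sh, and the privileged copy is tested with -x rather than -f, so a stale, non-executable leftover in the privileged directory falls through to the store binary instead of failing.

```shell
#!/bin/sh
# Added example, not code from the patch series: a POSIX sh re-creation of the
# dispatch that wrap-privileged's generated script performs, run against
# constructed stand-ins for the store output and /run/privileged/bin.
# All paths and helper names below are assumptions made for this example.

# Build the fake package output: move bin/NAME to privileged/NAME and put a
# dispatching wrapper in its place, mirroring steps 1-3 of the cover letter.
make_privileged_wrapper() {
  out=$1 name=$2 privdir=$3
  mkdir -p "$out/privileged"
  mv "$out/bin/$name" "$out/privileged/$name"
  # The heredoc is unquoted so $out, $name and $privdir are baked into the
  # script at "build" time; \$GUIX_SKIP_PRIVILEGED and \$@ stay for run time.
  cat > "$out/bin/$name" <<EOF
#!/bin/sh
# Prefer the capability-bearing copy unless the user opted out. -x instead of
# -f: a leftover that is not executable must not shadow the store binary.
if [ -z "\$GUIX_SKIP_PRIVILEGED" ] && [ -x "$privdir/$name" ]; then
  exec "$privdir/$name" "\$@"
fi
exec "$out/privileged/$name" "\$@"
EOF
  chmod 555 "$out/bin/$name"
}

# A stand-in binary (constructed) that reports its label and its arguments.
make_fake_binary() {
  mkdir -p "$(dirname "$1")"
  printf '#!/bin/sh\necho "%s $*"\n' "$2" > "$1"
  chmod 755 "$1"
}

# Set up one sandbox and report which binary the wrapper dispatched to.
# $1: state of the privileged copy (present | absent | stale),
# $2: value of GUIX_SKIP_PRIVILEGED (empty means "not set").
dispatch() {
  sandbox=$(mktemp -d "${TMPDIR:-/tmp}/privwrap.XXXXXX")
  out=$sandbox/store/wireshark
  privdir=$sandbox/run/privileged/bin
  make_fake_binary "$out/bin/dumpcap" store
  make_privileged_wrapper "$out" dumpcap "$privdir"
  case $1 in
    present) make_fake_binary "$privdir/dumpcap" privileged ;;
    stale)   make_fake_binary "$privdir/dumpcap" privileged
             chmod 644 "$privdir/dumpcap" ;;
  esac
  result=$(GUIX_SKIP_PRIVILEGED=$2 "$out/bin/dumpcap" -i lo)
  rm -rf "$sandbox"
  printf '%s\n' "$result"
}

# Stand-alone run: show the three privileged-copy states and the override.
for state in present absent stale; do
  echo "$state, no override: $(dispatch "$state" "")"
done
echo "present, GUIX_SKIP_PRIVILEGED=1: $(dispatch present 1)"
```

The override only ever moves execution from the capability-bearing copy to the plain store binary, never the other way, which is why an environment variable is acceptable here: the wrapper itself runs unprivileged, and the capabilities live on the file in /run/privileged/bin, not on the script that chooses it.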
Subject: bug#78179: Acknowledgement ([PATCH 0/4] Add wireshark-service-type with privileged wrapper)
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Rutherther <rutherther@HIDDEN>
Date: Thu, 01 May 2025 08:28:02 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message has been received.

Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.

As you requested using X-Debbugs-CC, your message was also forwarded to Denis 'GNUtoo' Carikli <GNUtoo@HIDDEN>, Maxim Cournoyer <maxim.cournoyer@HIDDEN> (after having been given a bug report number, if it did not have one).

Your message has been sent to the package maintainer(s): guix-patches@HIDDEN

If you wish to submit further information on this problem, please send it to 78179 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish to report a problem with the Bug-tracking system.

-- 
78179: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78179
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems
Subject: [bug#78179] [PATCH 1/4] gnu: %privileged-program-directory: Export variable.
From: Rutherther <rutherther@HIDDEN>
To: 78179 <at> debbugs.gnu.org
Cc: Rutherther <rutherther@HIDDEN>
Date: Thu, 1 May 2025 10:29:34 +0200
Message-ID: <dcce292be2d024491f3bb754464a879fedfcaec0.1746086472.git.rutherther@HIDDEN>
In-Reply-To: <cover.1746086472.git.rutherther@HIDDEN>

* gnu/build/activation.scm (%privileged-program-directory): Export.

Change-Id: I4929b35d9d1fc72aaae68e40cc144d1589fab0b2
---
 gnu/build/activation.scm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/gnu/build/activation.scm b/gnu/build/activation.scm
index 272a789291..e8a70dc739 100644
--- a/gnu/build/activation.scm
+++ b/gnu/build/activation.scm @@ -50,7 +50,9 @@ (define-module (gnu build activation) activate-firmware activate-ptrace-attach activate-current-system - mkdir-p/perms)) + mkdir-p/perms + + %privileged-program-directory)) ;;; Commentary: ;;; -- 2.49.0
Subject: [bug#78179] [PATCH 2/4] guix: Add (guix build privileged) module.
From: Rutherther <rutherther@HIDDEN>
To: 78179 <at> debbugs.gnu.org
Cc: Rutherther <rutherther@HIDDEN>
Date: Thu, 1 May 2025 10:29:35 +0200
Message-ID: <3ae3ac7b699eaacde6091d05ece786a536872066.1746086472.git.rutherther@HIDDEN>
In-Reply-To: <cover.1746086472.git.rutherther@HIDDEN>

Wireshark refers to #$output/bin/dumpcap to start dumpcap. This means it's problematic to make a service for it that would add dumpcap to privileged programs.

This procedure introduces a possibility to replace a file in the output with a script that will try to execute the binary in /run/privileged/bin first, and fall back to the original one from the store. This ensures the package works on both Guix System and foreign distros.

The downside is that /run/privileged/bin will be executed every time, so it would be impossible to test different versions of the packages. To overcome that, the GUIX_SKIP_PRIVILEGED variable is introduced, and if it is set, the original dumpcap will be used.

* guix/build/privileged.scm (unwrap): Removes wrapping by wrap-program.
* guix/build/privileged.scm (wrap-privileged): Make a shell script for a program that needs privileges.

Change-Id: Ieacd7f2d80c5b6ecba74d9309cb2c5a6d556aa8e
---
 guix/build/privileged.scm | 48 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 guix/build/privileged.scm

diff --git a/guix/build/privileged.scm b/guix/build/privileged.scm
new file mode 100644
index 0000000000..6a456e02c0
--- /dev/null
+++ b/guix/build/privileged.scm
@@ -0,0 +1,48 @@ +(define-module (guix build privileged) + #:use-module (gnu build activation) + #:use-module (guix build utils) + #:use-module (ice-9 format) + #:export (wrap-privileged)) + +;;; Move .xxx-real to xxx, if it exists. +(define (unwrap binary) + (let* ((name (basename binary)) + (folder (dirname binary)) + (real (string-append folder "/." name "-real"))) + (when (file-exists? real) + (format #t "Unwrapping ~a~%" binary) + (rename-file real binary)))) + +;;; +;;; 1. Move {output}/{original} to {output}/{target-folder}/{target-name}. +;;; 2. Make a script at original-binary that executes /run/privileged/bin/{target-name} +;;; if it exists, if not, output/{target-folder}/{target-name} is executed. +;;; +(define* (wrap-privileged output + original + target-name + #:key + (unwrap? #t) + (target-folder "privileged") + (privileged-directory %privileged-program-directory)) + "Make a shell wrapper for binary that should be ran as privileged. + +The wrapper script will try executing binary in /run/privileged/bin, if it exists, +and if not, it will fall back to the original." + (let ((original-file (string-append output "/" original)) + (target-file (string-append output "/" target-folder "/" target-name)) + (privileged-file (string-append privileged-directory "/" target-name))) + (when unwrap? + (unwrap original-file)) + (mkdir-p (dirname target-file)) + (rename-file original-file target-file) + (call-with-output-file original-file + (lambda (port) + (format port "#!/usr/bin/env bash +if [[ -z \"$GUIX_SKIP_PRIVILEGED\" && -f \"~a\" ]]; then + exec -a \"$0\" \"~a\" \"$@\" +fi + +exec -a \"$0\" \"~a\" \"$@\" +" privileged-file privileged-file target-file) + (chmod port #o555))))) -- 2.49.0
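Review bot: unwrap silently does nothing when the .NAME-real file is absent (the (when (file-exists? real) ...) guard), so if qt-wrap ever stops wrapping dumpcap, or wraps it differently, wrap-privileged would move a shell wrapper into privileged/ and the service would later try to attach file capabilities to a script, which the cover letter itself says cannot work. Consider failing the phase when unwrap? is requested but nothing was unwrapped, or checking that the file moved to target-file is a native executable before writing the dispatcher. Three smaller points: the #:use-module (gnu build activation) line makes a module under guix/ depend on gnu/, which the rest of the tree avoids; if %privileged-program-directory is all that is needed, a default for #:privileged-directory defined on the guix/ side (or supplied by the caller) keeps the layering intact. The new file also lacks the usual Guix copyright/GPL header at the top, and it is not added to the MODULES list in Makefile.am (the diffstat touches only guix/build/privileged.scm). In the generated script, -f "~a" would also accept a leftover non-executable file in the privileged directory; -x is the stricter test, and the docstring should read "should be run" rather than "should be ran".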
Subject: [bug#78179] [PATCH 4/4] services: Add wireshark-service-type.
From: Rutherther <rutherther@HIDDEN>
To: 78179 <at> debbugs.gnu.org
Cc: Rutherther <rutherther@HIDDEN>
Date: Thu, 1 May 2025 10:29:37 +0200
Message-ID: <fb2a6a6760ccd4a99493d5f027aa67caefea943e.1746086472.git.rutherther@HIDDEN>
In-Reply-To: <cover.1746086472.git.rutherther@HIDDEN>

Adds a wireshark service that puts wireshark into the profile and dumpcap into privileged programs, so that any user can use wireshark on the system.

* gnu/services/networking.scm (wireshark-configuration): New variable.
* gnu/services/networking.scm (wireshark-privileged-program): New variable.
* gnu/services/networking.scm (wireshark-service-type): New variable. Change-Id: Id4b0ce02fecc43592784bf22aaafa83b63c599d4 --- gnu/services/networking.scm | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/gnu/services/networking.scm b/gnu/services/networking.scm index 67653e2cbf..cd418f5f16 100644 --- a/gnu/services/networking.scm +++ b/gnu/services/networking.scm @@ -51,6 +51,7 @@ (define-module (gnu services networking) #:use-module (gnu system shadow) #:use-module (gnu system pam) #:use-module ((gnu system file-systems) #:select (file-system-mapping)) + #:use-module (gnu system privilege) #:use-module (gnu packages admin) #:use-module (gnu packages base) #:use-module (gnu packages bash) @@ -290,7 +291,12 @@ (define-module (gnu services networking) keepalived-configuration keepalived-configuration? - keepalived-service-type)) + keepalived-service-type + + wireshark-configuration + wireshark-configuration? + wireshark-configuration-wireshark + wireshark-service-type)) ;;; Commentary: ;;; 
@@ -2726,4 +2732,31 @@ (define keepalived-service-type "Run @uref{https://www.keepalived.org/, Keepalived} routing software."))) +(define-configuration wireshark-configuration + (wireshark + (file-like wireshark) + "wireshark package.") + (no-serialization)) + +(define (wireshark-privileged-programs config) + (list + (privileged-program + (program + (file-append (wireshark-configuration-wireshark config) "/privileged/dumpcap")) + (capabilities "cap_net_raw,cap_net_admin=eip")))) + +(define wireshark-service-type + (service-type + (name 'wireshark) + (extensions + (list + (service-extension profile-service-type + (compose list wireshark-configuration-wireshark)) + (service-extension privileged-program-service-type + wireshark-privileged-programs))) + (default-value (wireshark-configuration)) + (description "Run wireshark. https://www.wireshark.org/ + +All users of the system will be able to run dumpcap without special permissions."))) + ;;; networking.scm ends here -- 2.49.0
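Review bot: the ChangeLog entry in the commit message names wireshark-privileged-program, but this hunk defines wireshark-privileged-programs (plural); the message should match the identifier. The description string should use Texinfo markup like the keepalived entry visible in the context lines, e.g. "Run @uref{https://www.wireshark.org/, Wireshark}." rather than a bare URL, and a new service type also needs a matching entry in doc/guix.texi, which this patch does not add (the diffstat touches only gnu/services/networking.scm). Since cap_net_raw,cap_net_admin=eip on dumpcap is granted system-wide, every local user gains raw packet capture on all interfaces; the description does say so, and that sentence deserves the same prominence in the manual text.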
Subject: [bug#78179] [PATCH 3/4] gnu: wireshark: Wrap dumpcap with wrap-privileged.
From: Rutherther <rutherther@HIDDEN>
To: 78179 <at> debbugs.gnu.org
Cc: Rutherther <rutherther@HIDDEN>
Date: Thu, 1 May 2025 10:29:36 +0200
Message-ID: <9df66aad0fb0acd1419c1a805896ad1d8ba174b0.1746086472.git.rutherther@HIDDEN>
In-Reply-To: <cover.1746086472.git.rutherther@HIDDEN>

Wraps Wireshark so that dumpcap can be made a privileged program. The ...wireshark/bin/dumpcap will be a shell script that tries to execute /run/privileged/bin/dumpcap first and falls back to the original dumpcap that is stored in ...wireshark/privileged/dumpcap.

* gnu/packages/networking.scm (wireshark)[modules]: Add guix build privileged.
* gnu/packages/networking.scm (wireshark)[imported-modules]: Add guix build privileged. * gnu/packages/networking.scm (wireshark)[inputs]: Add bash. * gnu/packages/networking.scm (wireshark)[phases]: Add wrap-dumpcap phase executing wrap-privileged. Change-Id: Ia19670d0372af40c01a26c1d15f41ce668ce023d --- gnu/packages/networking.scm | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/gnu/packages/networking.scm b/gnu/packages/networking.scm index 2a27474826..f957cc02e5 100644 --- a/gnu/packages/networking.scm +++ b/gnu/packages/networking.scm @@ -87,6 +87,7 @@ (define-module (gnu packages networking) #:use-module ((guix licenses) #:prefix license:) #:use-module (guix packages) #:use-module (guix download) + #:use-module (guix modules) #:use-module (guix gexp) #:use-module (guix git-download) #:use-module (guix build-system cmake) @@ -1829,6 +1830,11 @@ (define-public wireshark (build-system qt-build-system) (arguments (list + #:modules `((guix build privileged) + (guix build qt-build-system) + (guix build utils)) + #:imported-modules `(,@(source-module-closure '((guix build privileged))) + ,@%qt-build-system-modules) ;; This causes the plugins to register runpaths for the wireshark ;; libraries, which would otherwise cause the validate-runpath phase to ;; fail. @@ -1844,9 +1850,16 @@ (define-public wireshark (invoke "ctest" "-VV" "-j" (if parallel-tests? (number->string (parallel-job-count)) - "1")))))))) + "1"))))) + (add-after 'qt-wrap 'wrap-dumpcap + (lambda _ + (wrap-privileged + #$output + "bin/dumpcap" + "dumpcap")))))) (inputs - (list c-ares + (list bash + c-ares glib gnutls brotli -- 2.49.0
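Review bot: in the #:imported-modules hunk, (source-module-closure '((guix build privileged))) will also import (gnu build activation) and everything that module depends on into the build environment, because privileged.scm uses it; that is a lot to ship into every wireshark build just to read one directory constant, and it is the only reason the (guix modules) import had to be added in the first hunk. If the constant is defined on the guix/ side or passed as the #:privileged-directory argument, the closure shrinks to (guix build privileged) alone.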
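Review bot: in the wrap-dumpcap hunk, the phase relies on the #!/usr/bin/env bash shebang written by wrap-privileged being rewritten later by patch-shebangs, which is why bash is added to inputs; Guix packages normally use bash-minimal for wrapper shebangs, which is sufficient here and keeps the full bash closure out of wireshark's runtime references. A short comment on the phase stating that it must run after qt-wrap (so the .dumpcap-real unwrapping works) and before patch-shebangs would also help, since the cover letter explains that ordering but the code does not.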