unofficial mirror of bug-guix@gnu.org 
* bug#42996: icecat can escape from `guix environment --container`
From: luhux @ 2020-08-23 10:18 UTC (permalink / raw)
  To: 42996

I am using guix environment --container to isolate some programs that are prone to leak information. guix environment --container works well in freerdp and other programs, until I use guix environment --container to containerize icecat.

Steps to reproduce:

guix environment --container (...some options...) --ad-hoc icecat

Select the address bar, write 'file://' and then access it; icecat can still access the content outside the container.

Please forgive me for some inappropriate words. My English is not very good.

luhux


* bug#42996: icecat can escape from `guix environment --container`
From: Julien Lepiller @ 2020-08-23 15:38 UTC (permalink / raw)
  To: luhux, 42996


One possibility is that you're seeing the virtual root filesystem, that would only have a few directories and the structure up to the directory you created your container in. Are you sure you can access files outside of the directory you started icecat in?

Another possibility is that you had a running icecat outside of the container. In that case, calling icecat from the container only opens a new window in the un-containerized icecat. Could it be what's happening?

Le 23 août 2020 06:18:49 GMT-04:00, luhux <luhux@outlook.com> a écrit :
>I am using guix environment --container to isolate some programs that
>are prone to leak information. guix environment --container works well
>in freerdp and other programs until I use guix environment --container
>to containerize icecat,
>
>Steps to reproduce:
>
>guix environment --container (...some options...) --ad-hoc icecat
>
>Select the address bar and write:'file://' and then access, icecat can
>still access the content outside the container.
>
>Please forgive me for some inappropriate words. My English is not very
>good.
>
>luhux


* bug#42996: icecat can escape from `guix environment --container`
From: Leo Famulari @ 2020-08-23 16:45 UTC (permalink / raw)
  To: luhux; +Cc: 42996


On Sun, Aug 23, 2020 at 06:18:49PM +0800, luhux wrote:
> I am using guix environment --container to isolate some programs that
> are prone to leak information. guix environment --container works well
> in freerdp and other programs until I use guix environment --container
> to containerize icecat,

More comprehensive reproduction:

$ guix environment --container --share=/tmp/.X11-unix --ad-hoc icecat
[env]$ export DISPLAY=":0.0"
[env]$ icecat

The browser has no fonts but, with careful typing, I was able to open a
text file in my home directory.


* bug#42996: icecat can escape from `guix environment --container`
From: Leo Famulari @ 2020-08-23 16:55 UTC (permalink / raw)
  To: luhux; +Cc: 42996


I believe that this is expected given the specification of `guix
environment`, which is its chapter in the manual. [0]

It says, "For containers, the default behavior is to share the current
working directory with the isolated container and immediately change to
that directory within the container. If this is undesirable, --no-cwd
will cause the current working directory to not be automatically shared
and will change to the user’s home directory within the container
instead."

For this command, the word "share" means that the shared directories
will be read-write.

Did you use the --no-cwd option? If not, were you able to access any
files outside of the current working directory of the `guix environment
...` command invocation?

[0] https://guix.gnu.org/manual/en/html_node/Invoking-guix-environment.html#Invoking-guix-environment
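Both replies above come down to one question: what does the container actually share with the host? Inside a `guix environment --container` shell, `/proc/self/mountinfo` lists every bind mount (the default cwd share, `--share`/`--expose` paths, the store), so it answers that directly. The script below is an added example, not code from the thread or from Guix; it parses a constructed mountinfo sample shaped like a container started in a hypothetical /home/alice/proj with `--share=/tmp/.X11-unix`.

```shell
#!/bin/sh
# Added example (not from the bug report or Guix). Inspect what a container
# shares with the host by reading /proc/self/mountinfo from inside it.
# mountinfo fields: id parent maj:min root mountpoint options ... - fstype source
# A bind mount shows the host path in field 4 ("root") instead of "/".

# Print "host-path -> mountpoint (rw|ro)" for every bind mount in a mountinfo file.
# Usage inside a real container: shared_mounts /proc/self/mountinfo
shared_mounts() {
    awk '$4 != "/" {
        mode = (substr($6, 1, 2) == "ro") ? "ro" : "rw";
        printf "%s -> %s (%s)\n", $4, $5, mode
    }' "$1"
}

# Count bind mounts whose host path is DIR or lies beneath it (e.g. your $HOME).
# A non-zero count means files under DIR are reachable from the container.
mounts_under() {
    shared_mounts "$1" | awk -v p="$2" '$1 == p || index($1, p "/") == 1' \
        | wc -l | tr -d ' '
}

# Constructed sample: a container started in /home/alice/proj (cwd shared
# read-write by default) with --share=/tmp/.X11-unix and the store read-only.
# Paths and device numbers are made up for illustration.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
200 199 0:40 / / rw,relatime - tmpfs none rw
201 200 8:1 /gnu/store /gnu/store ro,relatime - ext4 /dev/sda1 rw
202 200 8:1 /home/alice/proj /home/alice/proj rw,relatime - ext4 /dev/sda1 rw
203 200 0:23 /.X11-unix /tmp/.X11-unix rw,nosuid - tmpfs tmpfs rw
204 200 0:41 / /proc rw,nosuid - proc proc rw
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample)
shared_mounts "$sample"
echo "bind mounts under /home/alice: $(mounts_under "$sample" /home/alice)"
rm -f "$sample"
```

On the constructed sample the only host directory under /home/alice that is reachable is the shared cwd; starting the container with --no-cwd would make that entry disappear.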


* bug#42996: icecat can escape from `guix environment --container`
From: Julien Lepiller @ 2020-08-24 11:17 UTC (permalink / raw)
  To: luhux, 42996-close


Then, closing. Thank you :)

Le 23 août 2020 21:15:55 GMT-04:00, luhux <luhux@outlook.com> a écrit :
>On Sun, Aug 23, 2020 at 11:38:47AM -0400, Julien Lepiller wrote:
>> One possibility is that you're seeing the virtual root filesystem,
>that would only have a few directories and the structure up to the
>directory you created your container in. Are you sure you can access
>files outside of the directory you started icecat in?
>> 
>> Another possibility is that you had a running icecat outside of the
>container. In that case, calling icecat from the container only opens a
>new window in the un-containerized icecat. Could it be what's
>happening?
>> 
>
>It is my fault.
>
>The icecat in the container is connected to the icecat outside the
>container, and then a new window is opened using the icecat outside the
>container
>
>Close the icecat outside the container, and then open the icecat inside
>the container, everything is correct.
>
>The problem is solved, thank you very much.
>
>luhux
