From: Christopher Baines <mail@cbaines.net>
To: "Ludovic Courtès" <ludo@gnu.org>, dthompson2@worcester.edu
Cc: guix-devel@gnu.org
Subject: Re: Tracking and inspecting how Guix changes over time
Date: Sun, 24 Feb 2019 16:25:34 +0000 [thread overview]
Message-ID: <874l8tgnlt.fsf@cbaines.net> (raw)
In-Reply-To: <87zhr0u0gn.fsf@cbaines.net>
[-- Attachment #1: Type: text/plain, Size: 3082 bytes --]
Christopher Baines <mail@cbaines.net> writes:
> Ludovic Courtès <ludo@gnu.org> writes:
>
>> Hello!
>>
>> Christopher Baines <mail@cbaines.net> skribis:
>>
>>> As far as I can see, guix pull/the channels code directly evaluates some
>>> Guile code from the source repository. It would be great if this could
>>> somehow be isolated to guard against any malicious patches that try to
>>> attack the machine running the Guix Data Service, I haven't thought much
>>> about how yet.
>>>
>>> Similarly, using the inferiors approach to extract out information from
>>> Guix requires running a REPL from the target Guix. This could also pose
>>> security issues. I was wondering if it was possible to run the REPL
>>> within a container, to at least isolate it a bit from the system.
>>
>> Yes, we should definitely run that code in a container. Note that, for
>> ‘guix pull’, I think it’s OK to run that code on the user’s machine
>> as-is in the sense that the user is going to run code coming from the
>> channels they specified anyway.
>>
>> For an automated system like this, it’s a bit different, so using a
>> container makes a lot of sense. I’d suggest having an option directly
>> in (guix inferior) to allow users to choose whether to run an inferior
>> in separate name spaces. WDYT?
>
> That sounds great, I'm not quite sure how to make it happen though...
>
> So inferior-pipe in (guix inferior) uses open-pipe*. The root of the
> Linux container code in Guix looks to be run-container (gnu build
> linux-container).
>
> The run-container function uses the clone syscall with the right flags
> to isolate the new child process. I've looked at the (ice-9 popen)
> module, and the couple of C functions it uses (scm_open_process and
> start_child). Calling open-pipe* eventually calls fork, which I think
> uses the clone syscall as well.
>
> I can't quite work out how to combine the two though. I'm unsure how to
> add the pipe behaviour to run-container, and it seems infeasible to get
> open-pipe* to call fork/clone with the right flags.
>
> Any ideas? I included David as he appears to have been involved in the
> initial container implementation in case he had any wise suggestions.
So, I've now got around to looking at this some more. My initial
approach was to wrap the pipe/dup2 calls made within the C part of
open-pipe*, but while doing this, I discovered that Guile already has
wrappers for these things.
So, I've now got an initial prototype that I've put up here [1], and
I've been able to adjust the guix-data-service to make use of this. I've
moved doing the 'guix pull' bit inside the an inferior as well, so all
of the code fetched from the internet can be isolated through the
inferior.
I'm still not sure exactly how much isolation it provides, and I haven't
really tested it, apart from hitting issues where the isolation was
breaking the code I was trying to make work inside the inferior. Anyway,
it's a start.
1: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34638
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 962 bytes --]
next prev parent reply other threads:[~2019-02-24 16:25 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-08 13:20 Tracking and inspecting how Guix changes over time Christopher Baines
2019-02-09 15:18 ` Ludovic Courtès
2019-02-12 22:05 ` Christopher Baines
2019-02-13 14:37 ` Ricardo Wurmus
2019-02-14 19:10 ` Christopher Baines
2019-02-24 16:25 ` Christopher Baines [this message]
2019-02-09 23:58 ` Chris Marusich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874l8tgnlt.fsf@cbaines.net \
--to=mail@cbaines.net \
--cc=dthompson2@worcester.edu \
--cc=guix-devel@gnu.org \
--cc=ludo@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).