unofficial mirror of guix-devel@gnu.org 
* Anyone working on packaging Firejail?
From: swedebugia @ 2018-12-20  5:50 UTC
  To: guix-devel

https://firejail.wordpress.com/

Firejail is a SUID program that reduces the risk of security breaches by 
restricting the running environment of untrusted applications using 
Linux namespaces and seccomp-bpf. It allows a process and all its 
descendants to have their own private view of the globally shared kernel 
resources, such as the network stack, process table, mount table.

Written in C with virtually no dependencies, the software runs on any 
Linux computer with a 3.x kernel version or newer. The sandbox is 
lightweight, the overhead is low. There are no complicated configuration 
files to edit, no socket connections open, no daemons running in the 
background. All security features are implemented directly in Linux 
kernel and available on any Linux computer. The program is released 
under GPL v2 license.

Firejail can sandbox any type of processes: servers, graphical 
applications, and even user login sessions. The software includes 
security profiles for a large number of Linux programs: Mozilla Firefox, 
Chromium, VLC, Transmission etc. To start the sandbox, prefix your 
command with “firejail”:

     $ firejail firefox                       # starting Mozilla Firefox
     $ firejail transmission-gtk              # starting Transmission BitTorrent
     $ firejail vlc                           # starting VideoLAN Client
     $ sudo firejail /etc/init.d/nginx start  # starting nginx web server


-- 
Cheers Swedebugia


* Re: Anyone working on packaging Firejail?
From: Pierre Neidhardt @ 2018-12-20  7:53 UTC
  To: swedebugia; +Cc: guix-devel

Can anyone weigh the pros and cons between Firejail and Guix containers?

-- 
Pierre Neidhardt
https://ambrevar.xyz/


* Re: Anyone working on packaging Firejail?
From: swedebugia @ 2018-12-20 12:17 UTC
  To: Pierre Neidhardt; +Cc: guix-devel

On 2018-12-20 08:53, Pierre Neidhardt wrote:
> Can anyone weigh the pros and cons between Firejail and Guix containers?
> 

Yeah, good idea.

Is guix container using kernel namespaces?

Our manual[1] did not say. If yes then I think we should advertise this 
on the front page!

A "run your browser in a container" example script would also be nice.

I think we already have all the features besides the GUI of firetools. :D

-- 
Cheers Swedebugia

[1] https://www.gnu.org/software/guix/manual/en/html_node/Invoking-guix-container.html#Invoking-guix-container


* Re: Anyone working on packaging Firejail?
From: swedebugia @ 2018-12-20 12:28 UTC
  To: Pierre Neidhardt; +Cc: guix-devel

On 2018-12-20 13:17, swedebugia wrote:
> On 2018-12-20 08:53, Pierre Neidhardt wrote:
>> Can anyone weigh the pros and cons between Firejail and Guix containers?
>>
> 
> Yeah, good idea.
> 
> Is guix container using kernel namespaces?
> 
> Our manual[1] did not say. If yes then I think we should advertise this 
> on the front page!
> 
> A run your browser in a container example script would also be nice.
> 
> I think we already have all the features beside the gui of firetools. :D
> 

Found this!

Run icecat, a browser, in a container with

     guix environment --container --network --share=/tmp/.X11-unix --ad-hoc icecat
     export DISPLAY=":0.0"
     icecat

https://github.com/pjotrp/guix-notes/blob/master/CONTAINERS.org#browser


-- 
Cheers Swedebugia


* Re: Anyone working on packaging Firejail?
From: Joshua Branson @ 2018-12-20 16:19 UTC
  To: guix-devel

swedebugia <swedebugia@riseup.net> writes:

> On 2018-12-20 13:17, swedebugia wrote:
>> On 2018-12-20 08:53, Pierre Neidhardt wrote:
>>> Can anyone weigh the pros and cons between Firejail and Guix containers?
>>>
>>
>> Yeah, good idea.
>>
>> Is guix container using kernel namespaces?
>>
>> Our manual[1] did not say. If yes then I think we should advertise
>> this on the front page!
>>
>> A run your browser in a container example script would also be nice.
>>
>> I think we already have all the features beside the gui of firetools. :D
>>
>
> Found this!
>
> Run icecat, a browser, in a container with
>
>     guix environment --container --network --share=/tmp/.X11-unix
> --ad-hoc icecat
>     export DISPLAY=":0.0"
>     icecat

Is there a way to do this automatically?  i.e., you don't have to type
guix environment --container .... icecat?  You just type "icecat"?

Thanks

>
> https://github.com/pjotrp/guix-notes/blob/master/CONTAINERS.org#browser

--
Joshua Branson
Sent from Emacs and Gnus


* Re: Anyone working on packaging Firejail?
From: Eric Bavier @ 2018-12-21 15:39 UTC
  To: Joshua Branson; +Cc: guix-devel

On Thu, 20 Dec 2018 11:19:07 -0500
Joshua Branson <jbranso@dismail.de> wrote:

> swedebugia <swedebugia@riseup.net> writes:
> 
> > On 2018-12-20 13:17, swedebugia wrote:  
> >> On 2018-12-20 08:53, Pierre Neidhardt wrote:  
> >>> Can anyone weigh the pros and cons between Firejail and Guix containers?
> >>>  
> >>
> >> Yeah, good idea.
> >>
> >> Is guix container using kernel namespaces?
> >>
> >> Our manual[1] did not say. If yes then I think we should advertise
> >> this on the front page!
> >>
> >> A run your browser in a container example script would also be nice.
> >>
> >> I think we already have all the features beside the gui of firetools. :D
> >>  
> >
> > Found this!
> >
> > Run icecat, a browser, in a container with
> >
> >     guix environment --container --network --share=/tmp/.X11-unix
> > --ad-hoc icecat
> >     export DISPLAY=":0.0"
> >     icecat  
> 
> Is there a way to do this automatically?  ie:  you don't have to type
> guix environment --container .... icecat?  You just type "icecat?"

That is the major advantage Firejail has over 'guix environment
--container' currently.  It contains a large collection of "profiles"
for different applications, specifying how exactly to jail them so that
they can still function.

I believe we'd be able to achieve something similar with some sort of
"environment configuration" manifest-type thing.

`~Eric


* Re: Anyone working on packaging Firejail?
From: Ludovic Courtès @ 2018-12-21 20:55 UTC
  To: Eric Bavier; +Cc: guix-devel, Joshua Branson

Hi Eric,

Eric Bavier <ericbavier@centurylink.net> wrote:

> On Thu, 20 Dec 2018 11:19:07 -0500

[...]

>> > Run icecat, a browser, in a container with
>> >
>> >     guix environment --container --network --share=/tmp/.X11-unix
>> > --ad-hoc icecat
>> >     export DISPLAY=":0.0"
>> >     icecat  
>> 
>> Is there a way to do this automatically?  ie:  you don't have to type
>> guix environment --container .... icecat?  You just type "icecat?"
>
> That is the major advantage Firejail has over 'guix environment
> --container' currently.  It contains a large collection of "profiles"
> for different applications, specifying how exactly to jail them so that
> they can still function.

We also discussed “guix run icecat” as a simpler option:

  https://lists.gnu.org/archive/html/help-guix/2018-01/msg00108.html

‘guix run’ can guess parts of the profile, like whether the application
needs X11 or Fontconfig stuff, just by looking at the references of the
application.  That said, I’m curious to see what the Firejail profiles
look like and to what extent we’d need to manually annotate packages if
we were to provide similar functionality.

Firejail looks nice!

Ludo’.
