* Anyone working on packaging Firejail?
From: swedebugia @ 2018-12-20 5:50 UTC (permalink / raw)
To: guix-devel
https://firejail.wordpress.com/
Firejail is a SUID program that reduces the risk of security breaches by
restricting the running environment of untrusted applications using
Linux namespaces and seccomp-bpf. It allows a process and all its
descendants to have their own private view of the globally shared kernel
resources, such as the network stack, process table, mount table.
Written in C with virtually no dependencies, the software runs on any
Linux computer with a 3.x kernel version or newer. The sandbox is
lightweight, the overhead is low. There are no complicated configuration
files to edit, no socket connections open, no daemons running in the
background. All security features are implemented directly in Linux
kernel and available on any Linux computer. The program is released
under GPL v2 license.
Firejail can sandbox any type of processes: servers, graphical
applications, and even user login sessions. The software includes
security profiles for a large number of Linux programs: Mozilla Firefox,
Chromium, VLC, Transmission etc. To start the sandbox, prefix your
command with “firejail”:
$ firejail firefox # starting Mozilla Firefox
$ firejail transmission-gtk # starting Transmission BitTorrent
$ firejail vlc # starting VideoLAN Client
$ sudo firejail /etc/init.d/nginx start # starting nginx web server
--
Cheers Swedebugia
* Re: Anyone working on packaging Firejail?
From: Pierre Neidhardt @ 2018-12-20 7:53 UTC (permalink / raw)
To: swedebugia; +Cc: guix-devel
Can anyone weigh the pros and cons between Firejail and Guix containers?
--
Pierre Neidhardt
https://ambrevar.xyz/
* Re: Anyone working on packaging Firejail?
From: swedebugia @ 2018-12-20 12:17 UTC (permalink / raw)
To: Pierre Neidhardt; +Cc: guix-devel
On 2018-12-20 08:53, Pierre Neidhardt wrote:
> Can anyone weigh the pros and cons between Firejail and Guix containers?
>
Yeah, good idea.
Is guix container using kernel namespaces?
Our manual[1] did not say. If yes then I think we should advertise this
on the front page!
A run your browser in a container example script would also be nice.
I think we already have all the features beside the gui of firetools. :D
--
Cheers Swedebugia
[1] https://www.gnu.org/software/guix/manual/en/html_node/Invoking-guix-container.html#Invoking-guix-container
* Re: Anyone working on packaging Firejail?
From: swedebugia @ 2018-12-20 12:28 UTC (permalink / raw)
To: Pierre Neidhardt; +Cc: guix-devel
On 2018-12-20 13:17, swedebugia wrote:
> On 2018-12-20 08:53, Pierre Neidhardt wrote:
>> Can anyone weigh the pros and cons between Firejail and Guix containers?
>>
>
> Yeah, good idea.
>
> Is guix container using kernel namespaces?
>
> Our manual[1] did not say. If yes then I think we should advertise this
> on the front page!
>
> A run your browser in a container example script would also be nice.
>
> I think we already have all the features beside the gui of firetools. :D
>
Found this!
Run icecat, a browser, in a container with
guix environment --container --network --share=/tmp/.X11-unix --ad-hoc icecat
export DISPLAY=":0.0"
icecat
https://github.com/pjotrp/guix-notes/blob/master/CONTAINERS.org#browser
--
Cheers Swedebugia
* Re: Anyone working on packaging Firejail?
From: Joshua Branson @ 2018-12-20 16:19 UTC (permalink / raw)
To: guix-devel
swedebugia <swedebugia@riseup.net> writes:
> On 2018-12-20 13:17, swedebugia wrote:
>> On 2018-12-20 08:53, Pierre Neidhardt wrote:
>>> Can anyone weigh the pros and cons between Firejail and Guix containers?
>>>
>>
>> Yeah, good idea.
>>
>> Is guix container using kernel namespaces?
>>
>> Our manual[1] did not say. If yes then I think we should advertise
>> this on the front page!
>>
>> A run your browser in a container example script would also be nice.
>>
>> I think we already have all the features beside the gui of firetools. :D
>>
>
> Found this!
>
> Run icecat, a browser, in a container with
>
> guix environment --container --network --share=/tmp/.X11-unix
> --ad-hoc icecat
> export DISPLAY=":0.0"
> icecat
Is there a way to do this automatically? I.e., you don't have to type
guix environment --container .... icecat? You just type "icecat"?
Thanks
>
> https://github.com/pjotrp/guix-notes/blob/master/CONTAINERS.org#browser
--
Joshua Branson
Sent from Emacs and Gnus
* Re: Anyone working on packaging Firejail?
From: Eric Bavier @ 2018-12-21 15:39 UTC (permalink / raw)
To: Joshua Branson; +Cc: guix-devel
On Thu, 20 Dec 2018 11:19:07 -0500
Joshua Branson <jbranso@dismail.de> wrote:
> swedebugia <swedebugia@riseup.net> writes:
>
> > On 2018-12-20 13:17, swedebugia wrote:
> >> On 2018-12-20 08:53, Pierre Neidhardt wrote:
> >>> Can anyone weigh the pros and cons between Firejail and Guix containers?
> >>>
> >>
> >> Yeah, good idea.
> >>
> >> Is guix container using kernel namespaces?
> >>
> >> Our manual[1] did not say. If yes then I think we should advertise
> >> this on the front page!
> >>
> >> A run your browser in a container example script would also be nice.
> >>
> >> I think we already have all the features beside the gui of firetools. :D
> >>
> >
> > Found this!
> >
> > Run icecat, a browser, in a container with
> >
> > guix environment --container --network --share=/tmp/.X11-unix
> > --ad-hoc icecat
> > export DISPLAY=":0.0"
> > icecat
>
> Is there a way to do this automatically? ie: you don't have to type
> guix environment --container .... icecat? You just type "icecat?"
That is the major advantage Firejail has over 'guix environment
--container' currently. It contains a large collection of "profiles"
for different applications, specifying how exactly to jail them so that
they can still function.
I believe we'd be able to achieve something similar with some sort of
"environment configuration" manifest-type thing.
`~Eric
* Re: Anyone working on packaging Firejail?
From: Ludovic Courtès @ 2018-12-21 20:55 UTC (permalink / raw)
To: Eric Bavier; +Cc: guix-devel, Joshua Branson
Hi Eric,
Eric Bavier <ericbavier@centurylink.net> skribis:
> On Thu, 20 Dec 2018 11:19:07 -0500
[...]
>> > Run icecat, a browser, in a container with
>> >
>> > guix environment --container --network --share=/tmp/.X11-unix
>> > --ad-hoc icecat
>> > export DISPLAY=":0.0"
>> > icecat
>>
>> Is there a way to do this automatically? ie: you don't have to type
>> guix environment --container .... icecat? You just type "icecat?"
>
> That is the major advantage Firejail has over 'guix environment
> --container' currently. It contains a large collection of "profiles"
> for different applications, specifying how exactly to jail them so that
> they can still function.
We also discussed “guix run icecat” as a simpler option:
https://lists.gnu.org/archive/html/help-guix/2018-01/msg00108.html
‘guix run’ can guess parts of the profile, like whether the application
needs X11 or Fontconfig stuff, just by looking at the references of the
application. That said, I’m curious to see what the Firejail profiles
look like and to what extent we’d need to manually annotate packages if
we were to provide similar functionality.
Firejail looks nice!
Ludo’.
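One way to get the "just type icecat" experience Joshua asks for, with the per-application profile Eric describes partly guessed from the package's references in the spirit of the 'guix run' idea. This is an added example for this thread, not code from Guix or Firejail; the profile table, the libx11 heuristic, running 'guix gc --references' on the 'guix build' output path, and adding bash to the container so that 'bash -c' exists inside it are all assumptions.

```shell
#!/bin/sh
# jail.sh: type "jail.sh icecat" instead of the whole 'guix environment
# --container ...' line from the thread.  Added example, not code from Guix
# or Firejail.  --network is recorded by hand, since the references alone
# do not reveal whether an application needs it.

# Hand-written part of the profile (constructed table).
explicit_opts() {
    case "$1" in
        icecat|transmission-gtk) echo "--network" ;;
        *) ;;
    esac
}
# Guessed part, in the spirit of 'guix run': store paths on stdin, one per
# line; a reference to libx11 means the X11 socket must be shared in.
guess_opts() {
    x11=0
    while IFS= read -r ref; do
        case "$ref" in /gnu/store/*-libx11-*) x11=1 ;; esac
    done
    [ "$x11" -eq 1 ] && printf '%s' '--share=/tmp/.X11-unix'
    return 0
}

# Options for APP: hand-written ones plus guessed ones, space separated.
container_opts() {
    explicit=$(explicit_opts "$1")
    guessed=$(guess_opts)
    set -- $explicit $guessed   # word-splitting is intended here
    printf '%s\n' "$*"
}

# Look the references up with guix, then exec APP in the jail.  DISPLAY is
# exported inside the container as the thread does it; bash is added to the
# ad-hoc packages so that 'bash -c' exists in there.
run_jailed() {
    app=$1; shift
    opts=$(guix gc --references $(guix build "$app") | container_opts "$app") || return 1
    exec guix environment --container $opts --ad-hoc "$app" bash \
        -- bash -c 'export DISPLAY=":0.0"; exec "$0" "$@"' "$app" "$@"
}

# Constructed reference list, so a dry run works without guix installed.
SAMPLE_REFS='/gnu/store/0000000000000000000000000000000a-libx11-1.6.6
/gnu/store/0000000000000000000000000000000b-fontconfig-2.13.1'
if [ $# -eq 0 ]; then
    printf 'dry run: guix environment --container %s --ad-hoc icecat -- icecat\n' \
        "$(printf '%s\n' "$SAMPLE_REFS" | container_opts icecat)"
else
    run_jailed "$@"
fi
```

Run it without arguments to see the options it would choose for icecat from the constructed sample; with an application name it needs a working guix and X server.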