Subject: [bug#30256] [PATCH 3/3] scripts: environment: Add --no-cwd.
From: ludo@gnu.org (Ludovic Courtès)
To: Mike Gerwitz
Cc: 30256@debbugs.gnu.org
Date: Tue, 06 Mar 2018 11:20:23 +0100
Message-ID: <878tb5zes8.fsf@gnu.org>
In-Reply-To: <87d10ibds4.fsf@gnu.org> (Mike Gerwitz's message of "Mon, 05 Mar 2018 13:03:39 -0500")

Hello,

Mike Gerwitz skribis:

> On Sun, Mar 04, 2018 at 23:24:27 +0100, Ludovic Courtès wrote:

[...]

>> You still have to explicitly run ‘guix run icecat’, which isn’t great:
>> if you’re using GNOME Shell and clicking on the icon, you don’t get to
>> run it in a containerized environment.
>
> Well, I do everything from a shell, so that works for me personally. :)
> But yes, what you are describing is important.
>
> But, from a security perspective, I'd like for containerization to be
> _guaranteed_, otherwise a malicious script could just subvert it
> (e.g. open icecat with an argument to a malicious HTML file). I used
> `guix environment` not only because of its container support, but
> because that ensured that icecat wasn't in my profile at all to be
> invoked by something else.

Good point.

> Currently, I'd have to write a package definition to add a wrapper; that
> wouldn't be done automatically for me. But considering a functional
> package manager, it'd be an interesting problem to try to get around
> that. And you don't want containerized versions of _every_
> package---that's some serious bloat. Unless maybe they're packages that
> are generated from existing package definitions (in some
> yet-to-be-defined manner), and maybe those packages have a special
> containerized output (in addition to `out',
> e.g. `icecat:container'). (I suppose short-term, such outputs can be
> created manually for select packages.)

I was thinking ‘guix package’ could create those wrappers automatically
based on a number of criteria: a package property could request
containerization, command-line options could disable that, and so on.

> Just spewing thoughts. I'm still not well-versed in Guix. So maybe
> `guix run` is a good starting point and can be used by a wrapper in the
> future. It also allows users to containerize something optionally---for
> example, maybe a user doesn't want to containerize their PDF reader, but
> if they are opening an untrusted PDF, they'll want to. A GNOME context
> menu option to say "Open in isolated container" (sorta like Qubes)
> sounds attractive.

Yeah, though I very much think least authority would be a better default
than ambient authority. :-)

Ludo’.
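The following is an added example by the editor, not code from this thread or from Guix: the kind of hand-written wrapper Mike mentions, which always launches a program inside `guix environment --container` so that a desktop launcher or another script calling the wrapper still gets a sandboxed process rather than one with ambient authority. It assumes the `guix environment` options `--container`, `--ad-hoc`, `--expose` and `--no-cwd` (the option this patch series adds) behave as documented for the Guix version in use; `sandbox_cmd` only builds the argument vector, and `sandbox_run` is the part that actually calls `guix`.

```bash
#!/usr/bin/env bash
# Editor's example wrapper (not part of Guix): run PROGRAM from PACKAGE in a
# container that sees only the files named on the command line.
set -euo pipefail

# absolute PATH -> prints PATH made absolute against $PWD, since the
# container (with --no-cwd) does not share the caller's working directory.
absolute() {
    local f=$1
    [[ $f == /* ]] || f=$PWD/$f
    printf '%s\n' "$f"
}

# sandbox_cmd PACKAGE PROGRAM [FILE...]
# Prints the argv that would be executed, one element per line, without
# running anything.  Each FILE becomes an --expose= mount (read-only) and is
# then passed to PROGRAM at the same path; nothing else from $HOME or the
# current directory is visible, and the network stays off (no --network).
sandbox_cmd() {
    local pkg=$1 prog=$2; shift 2
    local f
    local -a argv=(guix environment --container --no-cwd --ad-hoc "$pkg")
    for f in "$@"; do
        argv+=("--expose=$(absolute "$f")")
    done
    argv+=(-- "$prog")
    for f in "$@"; do
        argv+=("$(absolute "$f")")
    done
    printf '%s\n' "${argv[@]}"
}

# sandbox_run PACKAGE PROGRAM [FILE...]
# Replaces the shell with the containerized program.  Arguments are rebuilt
# from sandbox_cmd's output rather than eval'd, so file names containing
# spaces or shell metacharacters cannot alter the command.
sandbox_run() {
    local -a argv
    mapfile -t argv < <(sandbox_cmd "$@")
    exec "${argv[@]}"
}

# Usage from a launcher or shell alias, e.g. for the untrusted-PDF case:
#   sandbox_run evince evince ~/Downloads/untrusted.pdf
# Uncomment to make this file a standalone wrapper:
# sandbox_run icecat icecat "$@"
```

Because the wrapper is the only thing installed in the profile, there is no plain `icecat` for another script to invoke; anything that calls the wrapper, with whatever file argument, ends up inside the container with only that file exposed.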