From: Mike Gerwitz
Subject: [bug#30256] [PATCH 3/3] scripts: environment: Add --no-cwd.
Date: Mon, 05 Mar 2018 13:03:39 -0500
To: Ludovic Courtès
Cc: 30256@debbugs.gnu.org
Message-ID: <87d10ibds4.fsf@gnu.org>
In-Reply-To: <87tvtv32ec.fsf@gnu.org> (Ludovic Courtès's message of "Sun, 04 Mar 2018 23:24:27 +0100")

On Sun, Mar 04, 2018 at 23:24:27 +0100, Ludovic Courtès wrote:
> Right. The ‘guix run’ script I sent doesn’t try to build things; it
> just takes whatever is in $PATH (which has to be in the store,
> ultimately) and runs it.

Oh, great!

>> Obviously the desirable behavior is to just containerize whatever is in
>> your profile, if possible. Maybe the script you sent me does just
>> that. I'm excited to play around with it, I just can't atm. :(
>
> You still have to explicitly run ‘guix run icecat’, which isn’t great:
> if you’re using GNOME Shell and clicking on the icon, you don’t get to
> run it in a containerized environment.

Well, I do everything from a shell, so that works for me personally. :)
But yes, what you are describing is important.

But, from a security perspective, I'd like for containerization to be
_guaranteed_, otherwise a malicious script could just subvert it (e.g.
open icecat with an argument to a malicious HTML file). I used `guix
environment` not only because of its container support, but because that
ensured that icecat wasn't in my profile at all to be invoked by
something else.

Currently, I'd have to write a package definition to add a wrapper; that
wouldn't be done automatically for me. But considering a functional
package manager, it'd be an interesting problem to try to get around
that. And you don't want containerized versions of _every_
package---that's some serious bloat. Unless maybe they're packages that
are generated from existing package definitions (in some
yet-to-be-defined manner), and maybe those packages have a special
containerized output (in addition to `out', e.g. `icecat:container').
(I suppose short-term, such outputs can be created manually for select
packages.)

Just spewing thoughts. I'm still not well-versed in Guix. So maybe
`guix run` is a good starting point and can be used by a wrapper in the
future.

It also allows users to containerize something optionally---for example,
maybe a user doesn't want to containerize their PDF reader, but if they
are opening an untrusted PDF, they'll want to. A GNOME context menu
option to say "Open in isolated container" (sorta like Qubes) sounds
attractive.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
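The "Open in isolated container" wrapper sketched in the message above, written out as a shell script. This is an added example for this thread, not code from the message or from the Guix project. It assumes GNU coreutils (`readlink -f`) and a `guix environment` that accepts `--container`, `--pure`, `--no-cwd`, `--preserve`, `--share`, `--expose` and `--ad-hoc`; the `--no-cwd` option is the one this patch series adds. It is X11-only and shares the X socket, which is its own trust boundary (X clients can observe one another), so what it isolates is the file system, the environment and the network, not the display. The viewer package and command (`evince`) are only illustrative.

```shell
#!/bin/sh
# isolated-open: open one untrusted file in a throwaway Guix container.
# Added example for this thread; not code from the message or from Guix.
# Assumes GNU coreutils (readlink -f) and a `guix environment` with the
# --container, --pure, --no-cwd, --preserve, --share, --expose and --ad-hoc
# options. X11 only: sharing the X socket is itself a trust boundary, so
# this isolates file system, environment and network, not the display.
set -eu

# Validate the target and resolve symlinks, so that --expose bind-mounts the
# real file rather than a link that could be repointed at something else.
# Returns 1 for anything that is not an existing regular file.
resolve_target() {
  [ -f "$1" ] || { printf 'not a regular file: %s\n' "$1" >&2; return 1; }
  readlink -f -- "$1"
}

# Build the container invocation and either print it (one argument per line)
# or exec it.  Each isolation choice is deliberate:
#   --container   separate mount/PID/user namespaces; no --network, so no net
#   --pure        drop the host environment, keeping only DISPLAY
#   --no-cwd      do not map the working directory into the container
#   --expose      the target file only, read-only, at its absolute path
#   --ad-hoc PKG  the viewer package itself, nothing from the user's profile
# $1 = print|exec, $2 = viewer package, $3 = viewer command, $4 = absolute file
isolated() {
  mode=$1 pkg=$2 cmd=$3 file=$4
  set -- guix environment --container --pure --no-cwd \
    --preserve='^DISPLAY$' --share=/tmp/.X11-unix \
    --expose="$file" --ad-hoc "$pkg" -- "$cmd" "$file"
  case $mode in
    print) printf '%s\n' "$@" ;;
    exec)  exec "$@" ;;
    *)     printf 'unknown mode: %s\n' "$mode" >&2; return 2 ;;
  esac
}

# Usage: isolated-open PACKAGE COMMAND FILE   (e.g. evince evince untrusted.pdf)
# A desktop "Open in isolated container" action would call exactly this.
if [ $# -eq 3 ]; then
  target=$(resolve_target "$3")
  isolated exec "$1" "$2" "$target"
fi
```

Because the viewer comes from `--ad-hoc` rather than the user's profile, nothing outside the wrapper can launch it against an arbitrary file, which is the guarantee the message asks for; the `print` mode exists so the exact argument list can be inspected before anything is run.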