From: Mike Gerwitz
Subject: Re: Documenting current state of isolating icecat
Date: Wed, 26 Jun 2019 23:13:22 -0400
Message-ID: <87ef3f67ql.fsf@gnu.org>
In-Reply-To: <8736jwmgg0.fsf@dustycloud.org> (Christopher Lemmer Webber's message of "Wed, 26 Jun 2019 12:58:39 -0400")
To: Christopher Lemmer Webber
Cc: help-guix

I'd love to be able to get a discussion going on this again. I really wish I had time to spend on this, since it's something I'm really interested in helping with. But I either need to do a lot more research or need the help of people more familiar with Guix than me.

On Wed, Jun 26, 2019 at 12:58:39 -0400, Christopher Lemmer Webber wrote:
> If you want to have the hairs on the back of your neck stand up and not
> lie down for a while, why not read this:
>
> https://robertheaton.com/2019/06/24/i-was-7-words-away-from-being-spear-phished/
>
> Previously there were some threads about isolating icecat and other
> graphical applications:
>
> https://lists.gnu.org/archive/html/help-guix/2018-01/msg00056.html
>
> However, it's not obvious to me if we have an answer yet on what to do.
> Whatever it is, I'd like to do it.
>
> Could someone point me in the right direction? Much appreciated.
> Maybe we should even include it as an example in the documentation?
> That could be a big win, and make it clearer to users how Guix comes
> with tools that can help empower them.

First: I should mention that later on in that thread, I solved the font issues and Ludo provided a script to containerize programs. I unfortunately still haven't had the time to give it a try, and I still have some outstanding issues that I haven't had time to research:

1. XDG_DATA_DIRS=$HOME/.guix-local/share is required within the container. Perhaps we should provide a wrapper for icecat to do this automatically, otherwise it's broken by default (broken font rendering).

2. I notice that if I run icecat outside of a container, save to a directory, and then run within a container that does not have such a directory, icecat segfaults. I haven't even looked at a backtrace yet.

3. I haven't researched what may be needed for audio to work. Videos work, but no audio. TBH, this is currently a feature for me. ;)

4. Icecat is significantly less stable. Tabs crash more frequently, especially when dealing with video, and the entire browser will occasionally crash. But it's stable enough for use---I still run it within a container.

5. Attempting to print (just attempting to show the print dialog) immediately segfaults. I don't even have printers configured, so this is at the very bottom of my list of priorities to investigate.

6. /etc/machine-id is required, and could be used to deanonymize users if ever it is leaked within the container. I haven't researched potential mitigations.

Otherwise, it seems performant (again, videos play just fine without audio) and works well overall. Here is my current script:

#+BEGIN_SRC sh
#!/bin/bash

# $gc_root is expected to be set by the caller: it names the GC root that
# keeps the container profile from being garbage-collected (-r below).
: "${gc_root:?gc_root must be set to the GC root path for the profile}"

mkdir -p /tmp/.icecat-tmp && cd /tmp/.icecat-tmp || exit

# .X11-unix and .Xauthority are required for X11 session sharing with the
# host. /etc/machine-id is required for DBUS. The rest is optional, but
# .mozilla is ideal for persisting sessions, and .cache for performance.
# A unique `Downloads' directory is mounted to keep its eyes away from
# anything that might have been downloaded outside this container, though
# note that it _will_ have access to downloads from previous sessions (if
# you don't want that, then just create a random dir each time).
guix environment \
  --container \
  --link-profile \
  --user=user \
  --network \
  -r "$gc_root" \
  --expose=/etc/machine-id \
  --expose=/tmp/.X11-unix/ \
  --expose=$HOME/.Xauthority \
  --expose=$HOME/.config/icecat-hosts=/etc/hosts \
  --share=/dev/snd \
  --share=$HOME/.mozilla/ \
  --share=$HOME/Downloads/icecat-container/=$HOME/Downloads/ \
  --ad-hoc mtg-icecat-containerized \
  #-- \
  #icecat --display=:0.0 "$@" \
  #  || zenity --error \
  #       --title 'Error starting container' \
  #       --text 'Icecat failed to start in a container'
#+END_SRC

The comments above are so that I enter a shell to manually set XDG_DATA_DIRS---I haven't yet researched the best way to handle that; I'm a packaging noob. :) If someone wouldn't mind enlightening me...

The creation of the temporary directory prevents exposing the CWD. That can go away once I can actually get around to addressing Ludo's concerns for my --no-cwd patch... (which was actually just brought up in #guix on Freenode).
Here's my package definition for mtg-icecat-containerized:

#+BEGIN_SRC scheme
(define-module (mtg personal)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (gnu packages)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages gnome)
  #:use-module (gnu packages gnuzilla)
  #:use-module (gnu packages fonts)
  #:use-module (gnu packages fontutils)
  #:use-module (gnu packages pulseaudio))

(define-public mtg-icecat-containerized
  (package
    (name "mtg-icecat-containerized")
    (version "1.0")
    (home-page "https://mikegerwitz.com/")
    (build-system trivial-build-system)
    (source #f)
    (native-inputs
     `(("fontconfig" ,fontconfig)))
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((share-dir    (string-append %output "/share"))
                (cache-dir    (string-append %output "/var/cache"))
                (bin-dir      (string-append %output "/bin"))
                (fc-dir       (string-append share-dir "/fontconfig/conf.avail"))
                (fc-mtg       (string-append fc-dir "/52-mtg-container.conf"))
                (fc-cache-dir (string-append cache-dir "/fontconfig"))
                (fonts-dir    (string-append share-dir "/fonts")))
           ;; container script to invoke IceCat
           (mkdir-p bin-dir)
           (call-with-output-file (string-append bin-dir "/icecat-container")
             (lambda (port)
               (format port "#!/bin/bash")))

           ;; fontconfig configuration: one fonts-conf(5) <dir> per font
           ;; package, and a <cachedir> that lives inside this output.
           (mkdir-p fc-dir)
           (call-with-output-file fc-mtg
             (lambda (port)
               (format port
                       (string-append
                        "<?xml version=\"1.0\"?>\n"
                        "<!DOCTYPE fontconfig SYSTEM \"fonts.dtd\">\n"
                        "<fontconfig>\n"
                        "  <dir>"
                        (assoc-ref %build-inputs "font-dejavu") "/share/fonts"
                        "</dir>\n"
                        ;; Second font set, disabled along with its
                        ;; propagated input below:
                        ;; "  <dir>"
                        ;; (assoc-ref %build-inputs "font-adobe-source-han-sans")
                        ;; "/share/fonts</dir>\n"
                        "  <cachedir>" fc-cache-dir "</cachedir>\n"
                        "</fontconfig>\n"))))

           (setenv "PATH" (string-append (assoc-ref %build-inputs "fontconfig")
                                         "/bin"))
           (setenv "FONTCONFIG_FILE" fc-mtg)
           (setenv "XDG_DATA_HOME" share-dir)
           (mkdir-p cache-dir)
           (invoke "fc-cache" "-fv")))))
    (propagated-inputs
     `(("icecat" ,icecat)
       ("zenity" ,zenity)
       ("font-dejavu" ,font-dejavu)
       ;;("pulseaudio" ,pulseaudio)
       ;;("font-adobe-source-han-sans" ,font-adobe-source-han-sans)
       ))
    (synopsis "GNU IceCat packaged for running within a container")
    (description "GNU IceCat packaged with various fonts (including
multi-lingual). Suitable for use within a container.")
    (license license:gpl3+)))
#+END_SRC

It might be in a mangled state, though, because I can't remember where I left off with it. I think `font-adobe-source-han-sans' is only commented out because there weren't substitutes and building it takes forever and is massive. `pulseaudio' was me starting to try to play around with audio, but I made no progress and spent very little time.

Hopefully that's a good starting point for others, and again, please check out Ludo's script that I haven't had a chance to. My personal ideal, which I think Ludo shares, is to be able to containerize any program with sane defaults without having to write package definitions like the one above, so he's headed in the right direction.

-- 
Mike Gerwitz
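One mitigation for point 6 of the post above (the host's /etc/machine-id being a stable identifier once it is inside the container), as an added example that is not from the original post or from Guix: generate a throw-away machine-id per session and expose that file onto /etc/machine-id with the same `--expose=SRC=DEST` form the script already uses for /etc/hosts. It assumes the post's /tmp/.icecat-tmp scratch directory (here `ICECAT_TMP`) and a readable /dev/urandom.

```sh
#!/bin/sh
# Added example (not the post's or Guix's code): build a per-session
# machine-id so DBUS in the container still finds a valid id while the
# host's own /etc/machine-id never enters the container.
# Assumptions: ICECAT_TMP is the per-session scratch dir used by the
# post's script, and /dev/urandom is readable.

ICECAT_TMP="${ICECAT_TMP:-/tmp/.icecat-tmp}"

# Write a fresh machine-id (one line of 32 lowercase hex digits, the
# format machine-id(5) specifies) to "$1" and print the `guix environment`
# --expose argument that maps it onto /etc/machine-id in the container.
make_session_machine_id() {
    target="$1"
    mkdir -p "$(dirname -- "$target")" || return 1
    # 16 random bytes -> 32 hex chars; od is POSIX, unlike xxd.
    id=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    [ "${#id}" -eq 32 ] || return 1
    rm -f -- "$target"            # the scratch dir is reused across runs
    printf '%s\n' "$id" > "$target" || return 1
    printf -- '--expose=%s=/etc/machine-id\n' "$target"
}

# Check that a file holds exactly one line of 32 lowercase hex digits.
is_valid_machine_id() {
    [ "$(wc -l < "$1" | tr -d ' ')" -eq 1 ] && grep -Eqx '[0-9a-f]{32}' -- "$1"
}

# In the post's script, replace the line `--expose=/etc/machine-id \` with:
#   $(make_session_machine_id "$ICECAT_TMP/machine-id") \
```

Each run overwrites the previous session's id, so the value the container sees is never the same twice and never the host's.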