From: Rutger Helling
Subject: Graphically isolating Guix containers with Xpra.
Date: Fri, 16 Feb 2018 11:47:53 +0100
Message-ID: <20180216114753.0cd0d28b@mykolab.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

Hey Guix,

Here's a small tip for how you can create graphically isolated containers with Guix and Xpra.

First we create a Xpra server, with no clipboard access.

$ xpra start --clipboard=no :200

Next we switch to an empty tmp directory, and start a Guix container that has access to the X200 socket only.

$ cd tmp
$ guix environment -C --ad-hoc coreutils gedit --expose=/home/$USER/.Xauthority --expose=/tmp/.X11-unix/X200 -- env DISPLAY=:200 XAUTHORITY=/home/$USER/.Xauthority gedit

On a different terminal (or over SSH) you can now access the Xpra server.

$ xpra attach :200

Note that in order to be fully isolated the container should not be able to access even abstract sockets.

You can either run the container without the -N switch, or create a new network namespace with a veth or something like that.

With the following command you can check the sockets. No X11 sockets other than the Xpra one should be shown.

$ ss | grep X11

Once Wayland becomes widely used this will probably be redundant, since the isolation in Wayland is far better than X11. But this might still be useful.
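The "check the sockets" step above is the part worth automating, because the failure mode is easy to miss: an X server listens on both a filesystem socket (/tmp/.X11-unix/X0) and an abstract socket (@/tmp/.X11-unix/X0), and the abstract one is reachable from any process in the same network namespace even when no file is exposed into the container. The script below is an added example, not part of Rutger's message or of Guix or Xpra; it runs a small audit over `ss -xl`-style output and reports any X11 socket that is not the display the container is supposed to see. The sample output embedded in it is constructed, and the column layout (socket path in the fifth column) is an assumption about the `ss -xl` format.

```shell
#!/bin/sh
# Added example (not from the original message): audit the X11 sockets
# visible from inside a container and flag anything other than the Xpra
# display the container is meant to use.

# Constructed sample of `ss -xl`-style output, standing in for what a
# container that still shares the host's network namespace would show:
# the filesystem socket and the abstract socket (leading '@') for both
# the host display :0 and the Xpra display :200, plus an unrelated socket.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str LISTEN 0      128    /tmp/.X11-unix/X0 30243 * 0
u_str LISTEN 0      128    @/tmp/.X11-unix/X0 30244 * 0
u_str LISTEN 0      128    /tmp/.X11-unix/X200 41120 * 0
u_str LISTEN 0      128    @/tmp/.X11-unix/X200 41121 * 0
u_str LISTEN 0      128    /run/user/1000/bus 18822 * 0'

# Read ss output on stdin and print every X11 socket whose display number
# differs from $1. Abstract sockets (leading '@') are reported as well,
# since exposing only /tmp/.X11-unix/X200 into the container does nothing
# about them. Exit status 0 means only the expected display is visible,
# 1 means at least one other X11 socket can be reached.
unexpected_x11_sockets() {
    allowed="$1"
    awk -v allowed="$allowed" '
        # Assumed layout: the unix socket path is the 5th column.
        $5 ~ /\/tmp\/\.X11-unix\/X[0-9]+$/ {
            path = $5
            sub(/^@/, "", path)      # drop the abstract-socket marker
            sub(/.*\/X/, "", path)   # keep only the display number
            if (path != allowed) { print $5; found = 1 }
        }
        END { if (found) exit 1; exit 0 }
    '
}

# Run the audit over the constructed sample so it works offline.
check_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_x11_sockets "$1"
}

# On a real system, from inside the container:
#   ss -xl | unexpected_x11_sockets 200 && echo "only :200 is visible"
```

With the sample input, asking for display 200 reports both forms of the host's :0 socket, which is exactly the case the message warns about: the filesystem path was never exposed, but the abstract socket leaks through a shared network namespace, so the container needs its own namespace (no -N, or a veth setup) before the check comes back clean.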