From: Christopher Baines
Subject: Re: Tracking and inspecting how Guix changes over time
Date: Sun, 24 Feb 2019 16:25:34 +0000
Message-ID: <874l8tgnlt.fsf@cbaines.net>
References: <87k1ia5sd4.fsf@cbaines.net> <87bm3lrnwm.fsf@gnu.org> <87zhr0u0gn.fsf@cbaines.net>
In-reply-to: <87zhr0u0gn.fsf@cbaines.net>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Ludovic Courtès, dthompson2@worcester.edu
Cc: guix-devel@gnu.org

Christopher Baines writes:

> Ludovic Courtès writes:
>
>> Hello!
>>
>> Christopher Baines skribis:
>>
>>> As far as I can see, guix pull/the channels code directly evaluates some
>>> Guile code from the source repository. It would be great if this could
>>> somehow be isolated to guard against any malicious patches that try to
>>> attack the machine running the Guix Data Service, I haven't thought much
>>> about how yet.
>>>
>>> Similarly, using the inferiors approach to extract out information from
>>> Guix requires running a REPL from the target Guix. This could also pose
>>> security issues. I was wondering if it was possible to run the REPL
>>> within a container, to at least isolate it a bit from the system.
>>
>> Yes, we should definitely run that code in a container. Note that, for
>> ‘guix pull’, I think it’s OK to run that code on the user’s machine
>> as-is in the sense that the user is going to run code coming from the
>> channels they specified anyway.
>>
>> For an automated system like this, it’s a bit different, so using a
>> container makes a lot of sense. I’d suggest having an option directly
>> in (guix inferior) to allow users to choose whether to run an inferior
>> in separate name spaces. WDYT?
>
> That sounds great, I'm not quite sure how to make it happen though...
>
> So inferior-pipe in (guix inferior) uses open-pipe*. The root of the
> Linux container code in Guix looks to be run-container (gnu build
> linux-container).
>
> The run-container function uses the clone syscall with the right flags
> to isolate the new child process. I've looked at the (ice-9 popen)
> module, and the couple of C functions it uses (scm_open_process and
> start_child). Calling open-pipe* eventually calls fork, which I think
> uses the clone syscall as well.
>
> I can't quite work out how to combine the two though. I'm unsure how to
> add the pipe behaviour to run-container, and it seems infeasible to get
> open-pipe* to call fork/clone with the right flags.
>
> Any ideas? I included David as he appears to have been involved in the
> initial container implementation in case he had any wise suggestions.

So, I've now got around to looking at this some more. My initial approach
was to wrap the pipe/dup2 calls made within the C part of open-pipe*, but
while doing this, I discovered that Guile already has wrappers for these
things.

So, I've now got an initial prototype that I've put up here [1], and I've
been able to adjust the guix-data-service to make use of this. I've moved
doing the 'guix pull' bit inside an inferior as well, so all of the code
fetched from the internet can be isolated through the inferior.
I'm still not sure exactly how much isolation it provides, and I haven't
really tested it, apart from hitting issues where the isolation was
breaking the code I was trying to make work inside the inferior.

Anyway, it's a start.

1: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34638
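The combination the thread is after (the pipe/dup2 wiring of open-pipe* plus a clone with namespace flags as run-container does) sketched at the syscall level in C, as an added example that is not code from the Guix patch, from Guile or from the Guix Data Service. The flag set, the one-shot echo child standing in for the inferior REPL, and the function names are constructed; when the host refuses to create the namespaces the spawn fails closed (returns -1 with errno) instead of running the child unisolated.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed flag set: own user/mount/PID/net/IPC/UTS namespaces for the child. */
#define ISOLATION_FLAGS (CLONE_NEWUSER | CLONE_NEWNS | CLONE_NEWPID | \
                         CLONE_NEWNET | CLONE_NEWIPC | CLONE_NEWUTS)
/* Stand-in for the inferior REPL; in its fresh PID namespace it is pid 1. */
static int child_main(void) {
    char buf[128], out[160];
    ssize_t n = read(STDIN_FILENO, buf, sizeof buf - 1);
    if (n <= 0) return 1;
    buf[n] = '\0';
    int len = snprintf(out, sizeof out, "pid=%d got=%s", (int)getpid(), buf);
    return write(STDOUT_FILENO, out, len) == len ? 0 : 1;
}
/* popen-like spawn: pipe() both ways, clone() with the namespace flags (SIGCHLD
 * makes it fork-like), dup2() the pipe ends onto the child's stdin/stdout.
 * Returns the pid, or -1 with errno set; no fallback to an unisolated child. */
static pid_t open_isolated(int *to_child, int *from_child) {
    int in[2], out[2];
    if (pipe(in) < 0 || pipe(out) < 0) return -1;
    pid_t pid = syscall(SYS_clone, ISOLATION_FLAGS | SIGCHLD, NULL, NULL, NULL, NULL);
    if (pid == 0) {
        dup2(in[0], STDIN_FILENO); dup2(out[1], STDOUT_FILENO);
        close(in[0]); close(in[1]); close(out[0]); close(out[1]);
        _exit(child_main());
    }
    int saved = errno; close(in[0]); close(out[1]);
    if (pid < 0) { close(in[1]); close(out[0]); errno = saved; return -1; }
    *to_child = in[1]; *from_child = out[0]; return pid;
}

/* Round-trip MSG through an isolated child; 0 on success, -1 (errno from
 * clone) when the host refuses to create the namespaces. */
static int ask_isolated(const char *msg, char *reply, size_t len) {
    int to_child, from_child, status;
    pid_t pid = open_isolated(&to_child, &from_child);
    if (pid < 0) return -1;
    ssize_t w = write(to_child, msg, strlen(msg)); close(to_child);
    ssize_t n = read(from_child, reply, len - 1); close(from_child);
    reply[n > 0 ? n : 0] = '\0'; waitpid(pid, &status, 0);
    return (w > 0 && n > 0 && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

Namespaces alone are only a starting point: a real sandbox also pivots the child into a minimal root and filters syscalls, neither of which this example does.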