Subject: Anyone working on packaging Firejail?
From: swedebugia
Date: 2018-12-20 5:50 UTC
To: guix-devel

https://firejail.wordpress.com/

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. The program is released under GPL v2 license.

Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc. To start the sandbox, prefix your command with “firejail”:

  $ firejail firefox                       # starting Mozilla Firefox
  $ firejail transmission-gtk              # starting Transmission BitTorrent
  $ firejail vlc                           # starting VideoLAN Client
  $ sudo firejail /etc/init.d/nginx start  # starting nginx web server

-- 
Cheers
Swedebugia
Subject: Re: Anyone working on packaging Firejail?
From: Pierre Neidhardt
Date: 2018-12-20 7:53 UTC
To: swedebugia; Cc: guix-devel

Can anyone weigh the pros and cons between Firejail and Guix containers?

-- 
Pierre Neidhardt
https://ambrevar.xyz/
Subject: Re: Anyone working on packaging Firejail?
From: swedebugia
Date: 2018-12-20 12:17 UTC
To: Pierre Neidhardt; Cc: guix-devel

On 2018-12-20 08:53, Pierre Neidhardt wrote:
> Can anyone weigh the pros and cons between Firejail and Guix containers?
>

Yeah, good idea.

Is guix container using kernel namespaces?

Our manual[1] did not say. If yes then I think we should advertise this on the front page!

A run your browser in a container example script would also be nice.

I think we already have all the features beside the gui of firetools. :D

-- 
Cheers
Swedebugia

1 https://www.gnu.org/software/guix/manual/en/html_node/Invoking-guix-container.html#Invoking-guix-container
Subject: Re: Anyone working on packaging Firejail?
From: swedebugia
Date: 2018-12-20 12:28 UTC
To: Pierre Neidhardt; Cc: guix-devel

On 2018-12-20 13:17, swedebugia wrote:
> On 2018-12-20 08:53, Pierre Neidhardt wrote:
>> Can anyone weigh the pros and cons between Firejail and Guix containers?
>>
>
> Yeah, good idea.
>
> Is guix container using kernel namespaces?
>
> Our manual[1] did not say. If yes then I think we should advertise this
> on the front page!
>
> A run your browser in a container example script would also be nice.
>
> I think we already have all the features beside the gui of firetools. :D
>

Found this!

Run icecat, a browser, in a container with

  guix environment --container --network --share=/tmp/.X11-unix --ad-hoc icecat
  export DISPLAY=":0.0"
  icecat

https://github.com/pjotrp/guix-notes/blob/master/CONTAINERS.org#browser

-- 
Cheers
Swedebugia
Subject: Re: Anyone working on packaging Firejail?
From: Joshua Branson
Date: 2018-12-20 16:19 UTC
To: guix-devel

swedebugia <swedebugia@riseup.net> writes:

> On 2018-12-20 13:17, swedebugia wrote:
>> On 2018-12-20 08:53, Pierre Neidhardt wrote:
>>> Can anyone weigh the pros and cons between Firejail and Guix containers?
>>>
>>
>> Yeah, good idea.
>>
>> Is guix container using kernel namespaces?
>>
>> Our manual[1] did not say. If yes then I think we should advertise
>> this on the front page!
>>
>> A run your browser in a container example script would also be nice.
>>
>> I think we already have all the features beside the gui of firetools. :D
>>
>
> Found this!
>
> Run icecat, a browser, in a container with
>
> guix environment --container --network --share=/tmp/.X11-unix
> --ad-hoc icecat
> export DISPLAY=":0.0"
> icecat

Is there a way to do this automatically? ie: you don't have to type
guix environment --container .... icecat? You just type "icecat?"

Thanks

>
> https://github.com/pjotrp/guix-notes/blob/master/CONTAINERS.org#browser

-- 
Joshua Branson
Sent from Emacs and Gnus
Subject: Re: Anyone working on packaging Firejail?
From: Eric Bavier
Date: 2018-12-21 15:39 UTC
To: Joshua Branson; Cc: guix-devel

On Thu, 20 Dec 2018 11:19:07 -0500
Joshua Branson <jbranso@dismail.de> wrote:

> swedebugia <swedebugia@riseup.net> writes:
>
> > On 2018-12-20 13:17, swedebugia wrote:
> >> On 2018-12-20 08:53, Pierre Neidhardt wrote:
> >>> Can anyone weigh the pros and cons between Firejail and Guix containers?
> >>>
> >>
> >> Yeah, good idea.
> >>
> >> Is guix container using kernel namespaces?
> >>
> >> Our manual[1] did not say. If yes then I think we should advertise
> >> this on the front page!
> >>
> >> A run your browser in a container example script would also be nice.
> >>
> >> I think we already have all the features beside the gui of firetools. :D
> >>
> >
> > Found this!
> >
> > Run icecat, a browser, in a container with
> >
> > guix environment --container --network --share=/tmp/.X11-unix
> > --ad-hoc icecat
> > export DISPLAY=":0.0"
> > icecat
>
> Is there a way to do this automatically? ie: you don't have to type
> guix environment --container .... icecat? You just type "icecat?"

That is the major advantage Firejail has over 'guix environment
--container' currently. It contains a large collection of "profiles"
for different applications, specifying how exactly to jail them so that
they can still function.

I believe we'd be able to achieve something similar with some sort of
"environment configuration" manifest-type thing.

`~Eric
Subject: Re: Anyone working on packaging Firejail?
From: Ludovic Courtès
Date: 2018-12-21 20:55 UTC
To: Eric Bavier; Cc: guix-devel, Joshua Branson

Hi Eric,

Eric Bavier <ericbavier@centurylink.net> skribis:

> On Thu, 20 Dec 2018 11:19:07 -0500

[...]

>> > Run icecat, a browser, in a container with
>> >
>> > guix environment --container --network --share=/tmp/.X11-unix
>> > --ad-hoc icecat
>> > export DISPLAY=":0.0"
>> > icecat
>>
>> Is there a way to do this automatically? ie: you don't have to type
>> guix environment --container .... icecat? You just type "icecat?"
>
> That is the major advantage Firejail has over 'guix environment
> --container' currently. It contains a large collection of "profiles"
> for different applications, specifying how exactly to jail them so that
> they can still function.

We also discussed “guix run icecat” as a simpler option:

  https://lists.gnu.org/archive/html/help-guix/2018-01/msg00108.html

‘guix run’ can guess parts of the profile, like whether the application
needs X11 or Fontconfig stuff, just by looking at the references of the
application.

That said, I’m curious to see what the Firejail profiles look like and to
what extent we’d need to manually annotate packages if we were to provide
similar functionality.

Firejail looks nice!

Ludo’.
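Joshua's "you just type icecat" question and Eric's per-application "profiles" idea, as an added example that is not code from the thread, from Guix or from Firejail: a POSIX sh wrapper that looks up a small, constructed profile table and launches the application inside a Guix container with only what that profile grants. It builds on the `guix environment --container --network --share=/tmp/.X11-unix --ad-hoc icecat` invocation quoted above and on the `export DISPLAY=":0.0"` step the thread uses; the `--expose`/`--share` flags are real `guix environment` options (expose is read-only, share is read-write), while the profile entries, the `$HOME/Videos` path and the `GUIX_SANDBOX_DRY_RUN` variable are assumptions made for this example.

```shell
#!/bin/sh
# Per-application container launcher (added example, not code from the thread,
# from Guix or from Firejail). The profile table below is a constructed
# assumption standing in for Firejail-style per-application profiles.

# run_sandboxed APP
#   Launch APP inside a Guix container with the least-privilege profile for
#   that application. With GUIX_SANDBOX_DRY_RUN set, print the argument vector
#   (one argument per line) instead of executing it.
run_sandboxed() {
    app=$1
    # Profile table: each entry lists only what the application needs.
    case "$app" in
        icecat)
            # Browser: network plus the X11 socket, nothing else from the host.
            set -- --network --share=/tmp/.X11-unix ;;
        vlc)
            # Media player: X11 socket and a read-only view of the videos
            # directory (assumed path); no network, so a hostile media file
            # has nowhere to report to.
            set -- --share=/tmp/.X11-unix "--expose=$HOME/Videos" ;;
        *)
            # Unknown application: default deny. No network, no shared paths.
            set -- ;;
    esac
    # The container starts without DISPLAY, so export it inside as the thread
    # does, then exec the application. "$0" inside 'sh -c' is the argument
    # that follows the script, i.e. the application name.
    set -- guix environment --container "$@" --ad-hoc "$app" -- \
        sh -c 'export DISPLAY=":0.0"; exec "$0"' "$app"
    if [ -n "$GUIX_SANDBOX_DRY_RUN" ]; then
        printf '%s\n' "$@"
        return 0
    fi
    exec "$@"
}

# Usage: ./sandbox.sh icecat   (only the application name is taken)
if [ "$#" -gt 0 ]; then
    run_sandboxed "$1"
fi
```

The default-deny branch is the point worth keeping when adapting this: an application with no profile gets a container with no network and no host paths, which fails loudly rather than silently granting access. Whether a given profile is sufficient still has to be checked by running the application and watching what it cannot reach, which is exactly the annotation work Ludovic asks about above.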