A way to make gnu guix system support firejail and apparmor #6510
amano-kenji
started this conversation in
Ideas
Replies: 1 comment
It seems that I should just make guix add relevant /gnu/store directories to existing application profiles. I'm just going to keep it simple.
Firejail
I guess firejail profiles can be used without modifications on gnu guix system, but existing firejail profiles don't whitelist directories in /gnu/store. Thus, executables and application data files in /gnu/store will be exposed.
I discovered that there are ways to make gnu guix system add the relevant directories in /gnu/store as whitelist items to firejail.
For example, a guix script written in guile scheme can run
This script can be pre-rendered as a new firejail profile inside a guix package. You just need to add a few more whitelist items to existing firejail profiles, but existing firejail profiles are somewhat inefficient on gnu guix system because they assume the Filesystem Hierarchy Standard.
For example, /usr/share/irssi doesn't exist on gnu guix system. On gnu guix system, it is /gnu/store/xxxxxx-irssi-11.1/usr/share/irssi. Guix is going to whitelist /gnu/store/xxxxxx-irssi-11.1 anyway.
A bunch of unnecessary whitelist items and unnecessary blacklist items from existing firejail profiles are inefficient, but the alternative is to maintain separate firejail profiles for gnu guix.
Apparmor
Gnu guix system can calculate which /gnu/store directories are required. Thus, a guix package can dynamically generate modifications to existing apparmor profiles written for other linux distributions.
Summary
For both firejail and apparmor, there are two approaches.
I suppose nix can do something similar, but nix language may not be flexible enough to allow this.
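Added example, not code from the discussion or from Guix: a Python sketch of the Firejail approach described above, which puts whitelist lines for the package closure in front of an upstream profile and drops the FHS-only whitelist/blacklist entries that have no target on Guix. It assumes the closure listing is what `guix gc --requisites <store-path>` prints, that firejail accepts whitelist entries under /gnu/store as the post states, and uses a constructed sample closure and profile excerpt with placeholder hashes.

```python
"""Render a Guix-specific firejail profile from an upstream profile
plus a package closure listing (one top-level store path per line)."""
import re

# Top-level store item: 32-char hash, dash, name. No sub-paths allowed.
STORE_RE = re.compile(r"^/gnu/store/[a-z0-9]{32}-[^/\s]+$")

# Constructed sample closure for an irssi package (placeholder hashes).
SAMPLE_CLOSURE = "\n".join([
    f"/gnu/store/{'a' * 32}-glibc-2.35",
    f"/gnu/store/{'b' * 32}-ncurses-6.2",
    f"/gnu/store/{'c' * 32}-irssi-1.4.3",
]) + "\n"

# Constructed excerpt of an FHS-style upstream profile.
SAMPLE_PROFILE = """\
# irssi profile (excerpt)
include globals.local
whitelist /usr/share/irssi
whitelist ${HOME}/.irssi
blacklist /usr/local/bin
private-bin irssi
"""

# Prefixes that do not exist on Guix System (assumption for this example).
FHS_PREFIXES = ("/usr/", "/opt/", "/lib/", "/lib64/", "/bin/", "/sbin/")


def parse_closure(text):
    """Validate and de-duplicate closure lines; reject anything odd."""
    paths = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not STORE_RE.match(line):
            raise ValueError(f"not a top-level store path: {line}")
        paths.add(line)
    return sorted(paths)


def render_guix_profile(profile_text, closure_text):
    """Whitelist the closure first, then copy the upstream profile,
    commenting out whitelist/blacklist lines that point at FHS paths."""
    out = ["# Generated for GNU Guix: package closure whitelisted below"]
    out += [f"whitelist {p}" for p in parse_closure(closure_text)]
    for line in profile_text.splitlines():
        verb, _, arg = line.partition(" ")
        if verb in ("whitelist", "blacklist") and arg.startswith(FHS_PREFIXES):
            out.append(f"# dropped (not present on Guix): {line}")
            continue
        out.append(line)
    return "\n".join(out) + "\n"
```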