Would it be possible to make launching applications in Guix with minimum permissions even easier? Here's just a sketch of an idea.
Borrowing from the new containerizing an application example in the manual... In my manifest.scm, what if instead of listing the browser package eolie, I listed the following: (define containerized-eolie (wrap-containerized eolie #:network? #t ;; Not sure if this line would be needed. #:other-packages (list coreutils nss-certs dbus) #:expose '("/etc/machine-id") #:share '(("/home/cwebber/tmp/shared-with-browser" . "/home/cwebber/shared")) #:share-env '("DISPLAY"))) ;; now here's my list of packages (list emacs containerized-eolie ...) The idea here is that containerized-eolie actually generates a new package that "wraps" every binary that would be installed, as well as all common launchers, to use a script that actually launches them in a container with the above restrictions. I'm not sure how feasible or easy this is, but it seems like a good idea. If the process of containerizing something tricky like icecat is fairly common, we could abstract that into a procedure, like (make-containerized-icecat ...) or something. Thoughts? - Chris