I'd love to be able to get a discussion going on this again. I really
wish I had time to spend on this, since it's something I'm really
interested in helping with. But I either need to do a lot more research
or need the help of people more familiar with Guix than me.
On Wed, Jun 26, 2019 at 12:58:39 -0400, Christopher Lemmer Webber wrote:
> If you want to have the hairs on the back of your neck stand up and not
> lie down for a while, why not read this:
>
>
> https://robertheaton.com/2019/06/24/i-was-7-words-away-from-being-spear-phished/
>
> Previously there were some threads about isolating icecat and other
> graphical applications:
>
> https://lists.gnu.org/archive/html/help-guix/2018-01/msg00056.html
>
> However, it's not obvious to me if we have an answer yet on what to do.
> Whatever it is, I'd like to do it.
>
> Could someone point me in the right direction? Much appreciated.
> Maybe we should even include it as an example in the documentation?
> That could be a big win, and make it clearer to users how Guix comes
> with tools that can help empower them.
First: I should mention that later on in that thread, I solved the font
issues and Ludo provided a script to containerize programs. I
unfortunately still haven't had the time to give it a try, and I still
have some outstanding issues that I haven't had time to research:
1. XDG_DATA_DIRS=$HOME/.guix-local/share is required within the
container. Perhaps we should provide a wrapper for icecat to do this
automatically, otherwise it's broken by default (broken font
rendering).
2. I notice that if I run icecat outside of a container, save to a
directory, and then run within a container that does not have such a
directory, icecat segfaults. I haven't even looked at a backtrace
yet.
3. I haven't researched what may be needed for audio to work. Videos
work, but no audio. TBH, this is currently a feature for me. ;)
4. Icecat is significantly less stable. Tabs crash more frequently,
especially when dealing with video, and the entire browser will
occasionally crash. But it's stable enough for use---I still run it
within a container.
5. Attempting to print (just attempting to show the print dialog)
immediately segfaults. I don't even have printers configured, so this
is at the very bottom of my list of priorities to investigate.
6. /etc/machine-id is required, and could be used to deanonymize users
if ever it is leaked within the container. I haven't researched
potential mitigations.
Otherwise, it seems performant (again, videos play just fine without
audio) and works well overall.
Here is my current script:
#+BEGIN_SRC sh
#!/bin/bash
# gc_root is referenced below but not set in this snippet: it must name the
# file that becomes the GC root for the container's profile.
: "${gc_root:?set gc_root to the path for the environment's GC root}"
mkdir -p /tmp/.icecat-tmp && cd /tmp/.icecat-tmp || exit
# .X11-unix and .Xauthority are required for X11 session sharing with the
# host. /etc/machine-id is required for DBUS. The rest is optional, but
# .mozilla is ideal for persisting sessions, and .cache for performance.
# A unique `Downloads' directory is mounted to keep its eyes away from
# anything that might have been downloaded outside this container, though
# note that it _will_ have access to downloads from previous sessions (if
# you don't want that, then just create a random dir each time).
guix environment \
--container \
--link-profile \
--user=user \
--network \
-r "$gc_root" \
--expose=/etc/machine-id \
--expose=/tmp/.X11-unix/ \
--expose=$HOME/.Xauthority \
--expose=$HOME/.config/icecat-hosts=/etc/hosts \
--share=/dev/snd \
--share=$HOME/.mozilla/ \
--share=$HOME/Downloads/icecat-container/=$HOME/Downloads/ \
--ad-hoc mtg-icecat-containerized \
#-- \
#icecat --display=:0.0 "$@" \
# || zenity --error \
#--title 'Error starting container' \
#--text 'Icecat failed to start in a container'
#
#+END_SRC
The comments above are so that I enter a shell to manually set
XDG_DATA_DIRS---I haven't yet researched the best way to handle that;
I'm a packaging noob. :) If someone wouldn't mind enlightening me...
The creation of the temporary directory prevents exposing the CWD. That
can go away once I can actually get around to addressing Ludo's concerns
for my --no-cwd patch... (which was actually just brought up in #guix on
Freenode).
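As an added example (not the script above, and not anything shipped by Guix), here is one way to turn the same `guix environment --container` invocation into a launcher that also handles three of the open points: XDG_DATA_DIRS is set by a small inner shell so the container does not need a manual step, each session gets a fresh Downloads directory so the browser cannot read earlier downloads, and a container-private machine-id file is exposed at /etc/machine-id instead of the host's. It assumes things the post does not say: that `bash` is added to the `--ad-hoc` list (for the inner shell), and that a synthetic 32-hex-digit machine-id is enough for D-Bus, which I have not verified against IceCat. It keeps the private working directory trick from the post, with a per-UID name and mode 0700 so a fixed path under /tmp is not shared with other local users.

```shell
#!/bin/sh
# Added example, not the post's script: an IceCat launcher built from the
# flags shown above. Assumptions not made by the post: `bash` is added to the
# --ad-hoc list so XDG_DATA_DIRS can be set inside the container, and a
# synthetic 32-hex-digit /etc/machine-id is enough for D-Bus (not verified
# against IceCat). Install as ~/bin/icecat-container; the dispatch at the end
# only runs main when the file is invoked under that name.

STATE_DIR="${XDG_STATE_HOME:-$HOME/.local/state}/icecat-container"

# Empty, private working directory so the container never sees the caller's
# CWD. Per-UID name and mode 0700 avoid sharing it with other local users.
private_cwd() {
    dir="${TMPDIR:-/tmp}/.icecat-tmp-$(id -u)"
    mkdir -p -m 700 "$dir" && echo "$dir"
}

# Fresh Downloads directory per session: the browser gets no view of files
# downloaded by earlier sessions. mktemp makes it 0700 and unpredictable.
session_downloads() {
    base="$HOME/Downloads/icecat-container"
    mkdir -p -m 700 "$base" && mktemp -d "$base/session.XXXXXX"
}

# Container-private machine-id. Exposing the host's /etc/machine-id gives a
# compromised browser a stable host identifier; a random id generated once
# per install has the same 32-hex-digit format without linking to the host.
container_machine_id() {
    file="$1/machine-id"
    if [ ! -s "$file" ]; then
        mkdir -p -m 700 "$1" || return 1
        od -An -N16 -tx1 /dev/urandom | tr -d ' \n' > "$file" || return 1
        echo >> "$file"
    fi
    echo "$file"
}

# Refuse to launch if a path we are about to expose is missing, instead of
# leaving the browser with a dangling mount; prints the missing ones.
preflight() {
    missing=0
    for p in "$@"; do
        [ -e "$p" ] || { echo "missing: $p" >&2; missing=1; }
    done
    return $missing
}

main() {
    preflight /tmp/.X11-unix "$HOME/.Xauthority" "$HOME/.config/icecat-hosts" \
        "$HOME/.mozilla" || exit 1
    cwd=$(private_cwd) || exit 1
    downloads=$(session_downloads) || exit 1
    mid=$(container_machine_id "$STATE_DIR") || exit 1
    cd "$cwd" || exit 1
    # With --link-profile the profile is ~/.guix-profile inside the container
    # and $HOME there is /home/user, so XDG_DATA_DIRS is set by the inner
    # shell (single quotes: expanded inside the container, not here).
    exec guix environment \
        --container --link-profile --user=user --network \
        --root="$STATE_DIR/gc-root" \
        --expose="$mid=/etc/machine-id" \
        --expose=/tmp/.X11-unix/ \
        --expose="$HOME/.Xauthority" \
        --expose="$HOME/.config/icecat-hosts=/etc/hosts" \
        --share=/dev/snd \
        --share="$HOME/.mozilla/" \
        --share="$downloads=$HOME/Downloads/" \
        --ad-hoc mtg-icecat-containerized bash \
        -- bash -c 'export XDG_DATA_DIRS="$HOME/.guix-profile/share${XDG_DATA_DIRS:+:$XDG_DATA_DIRS}"
                    exec icecat "$@"' icecat "$@"
}

case "${0##*/}" in icecat-container) main "$@" ;; esac
```

The inner `bash -c` is what replaces the manual XDG_DATA_DIRS step: because the profile is linked at ~/.guix-profile inside the container, the variable has to be computed there rather than on the host. If you would rather keep the host's real machine-id (for instance if D-Bus turns out to reject the synthetic one), swap the `--expose` line back to `/etc/machine-id` and keep the rest.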
Here's my package definition for mtg-icecat-containerized:
#+BEGIN_SRC scheme
(define-module (mtg personal)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
#:use-module (gnu packages)
#:use-module (guix build-system trivial)
#:use-module (gnu packages gnome)
#:use-module (gnu packages gnuzilla)
#:use-module (gnu packages fonts)
#:use-module (gnu packages fontutils)
#:use-module (gnu packages pulseaudio))
(define-public mtg-icecat-containerized
(package
(name "mtg-icecat-containerized")
(version "1.0")
(home-page "https://mikegerwitz.com/")
(build-system trivial-build-system)
(source #f)
(native-i