Hi Guix! Those who didn’t have the luck to be at FOSDEM missed this not-so-visual demo I made of a Shepherd service running in a container. :-)
I’ve polished the thing on my way back and pushed the result, using BitlBee as an example:

http://git.savannah.gnu.org/cgit/guix.git/commit/?id=63302a4e55241a41eab4c21d7af9fbd0d5817459
http://git.savannah.gnu.org/cgit/guix.git/commit/?id=a062b6ca99ad61c9df473fe49a93d69f9698c59d

It works nicely! The BitlBee daemon shares its network and user namespaces with the system but otherwise has a private /tmp and a private /var/run and only has access to /var/lib/bitlbee and /gnu/store. It should make it harder for an attacker to usefully exploit a remote code execution vulnerability such as the one recently reported¹.

Of course BitlBee is a simple example, but I think it’d be nice to investigate what it takes to do the same for other services in the future. I’d like to write a post about it at some point.

Ludo’.

¹ https://bugs.bitlbee.org/ticket/1281
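An added example, not part of Ludovic's message and not code from Guix or BitlBee: a POSIX shell check that verifies from the host side the isolation described above, namely that a service process has its own mount namespace while sharing the network and user namespaces with PID 1, and that its view of the filesystem contains nothing beyond an expected set of mount points. The allow-list of mount points is an assumption built from the message (root, /proc, /dev, /tmp, /var/run, /var/lib/bitlbee, /gnu/store); the actual layout inside a Guix container may differ. The mountinfo lines are constructed sample data so the script runs offline; on a live system you would feed it `/proc/<pid>/mountinfo` instead.

```shell
#!/bin/sh
# Added example: checking a containerised service from the host.
# Not from the original post or from Guix; see lead-in for assumptions.

# compare_namespaces PID
# Prints one line per namespace type: "<ns> shared" when PID shares that
# namespace with PID 1, "<ns> private" when it does not. For the BitlBee
# setup described in the message, the expected result is "mnt private"
# but "net shared" and "user shared".
compare_namespaces() {
  pid=$1
  for ns in mnt net user pid uts ipc; do
    svc=$(readlink "/proc/$pid/ns/$ns" 2>/dev/null) || continue
    init=$(readlink "/proc/1/ns/$ns" 2>/dev/null) || continue
    if [ "$svc" = "$init" ]; then
      echo "$ns shared"
    else
      echo "$ns private"
    fi
  done
}

# unexpected_mounts "ALLOWED_MOUNT_POINTS"
# Reads /proc/<pid>/mountinfo text on stdin and prints every mount point
# (field 5, see proc(5)) that is not in the space-separated allow-list.
# Empty output means the process sees only what it is supposed to see.
unexpected_mounts() {
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    { if (!($5 in ok)) print $5 }'
}

# Assumed allow-list derived from the message: the daemon gets a private
# /tmp and /var/run and access only to /var/lib/bitlbee and /gnu/store,
# plus the root, /proc and /dev that any container needs.
ALLOWED='/ /proc /dev /tmp /var/run /var/lib/bitlbee /gnu/store'

# Constructed mountinfo sample (not captured from a real system). The
# last line, a /home mount, stands in for something leaking into the
# container that should not be there.
SAMPLE_MOUNTINFO='100 99 0:40 / / rw - tmpfs none rw
101 100 0:5 / /proc rw - proc proc rw
102 100 0:6 / /dev rw - devtmpfs devtmpfs rw
103 100 0:41 / /tmp rw - tmpfs none rw
104 100 0:42 / /var/run rw - tmpfs none rw
105 100 8:1 /var/lib/bitlbee /var/lib/bitlbee rw - ext4 /dev/sda1 rw
106 100 8:1 /gnu/store /gnu/store ro - ext4 /dev/sda1 ro
107 100 8:1 /home /home rw - ext4 /dev/sda1 rw'

# Demo on the constructed data: prints "/home".
printf '%s\n' "$SAMPLE_MOUNTINFO" | unexpected_mounts "$ALLOWED"

# On a live system, with the service PID from its pid file:
#   compare_namespaces "$(cat /var/run/bitlbee.pid)"
#   unexpected_mounts "$ALLOWED" < "/proc/$(cat /var/run/bitlbee.pid)/mountinfo"
```

The mountinfo check is deliberately an allow-list rather than a deny-list: the point of the container is that the daemon sees nothing it was not given, so anything not on the list is a finding, whatever its name.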
