Would it be possible to make launching applications in Guix with minimum
permissions even easier? Here's just a sketch of an idea.
Borrowing from the new containerizing an application example in the
manual...
In my manifest.scm, what if instead of listing the browser package
eolie, I listed the following:
(define containerized-eolie
(wrap-containerized eolie
#:network? #t
;; Not sure if this line would be needed.
#:other-packages (list coreutils nss-certs dbus)
#:expose '("/etc/machine-id")
#:share '(("/home/cwebber/tmp/shared-with-browser"
. "/home/cwebber/shared"))
#:share-env '("DISPLAY")))
;; now here's my list of packages
(list emacs
containerized-eolie
...)
The idea here is that containerized-eolie actually generates a new
package that "wraps" every binary that would be installed, as well as
all common launchers, to use a script that actually launches them in a
container with the above restrictions.
I'm not sure how feasible or easy this is, but it seems like a good
idea.
If the process of containerizing something tricky like icecat is fairly
common, we could abstract that into a procedure, like
(make-containerized-icecat ...) or something.
Thoughts?
- Chris
