On 4/28/25 6:41 PM, Zack Weinberg wrote:
On Mon, Apr 28, 2025, at 3:54 PM, gfp wrote:
Does anybody use firejail? What experiences do you have?

I experimented with firejail (not on Guix) several years ago. I found it
not to have been written with anything like the level of software
engineering rigor required of security critical programs. I wasn't
curious enough to put a PoC exploit together, but I'm pretty sure it
could, at the time, have easily been exploited: not just to escape the
sandboxing but to gain root privileges.

Unless something major has changed since, I would strongly discourage
using it at all.

zw


I packaged firejail a while ago for Guix. It does work, but the profiles have not been tested. You should also look into Guix containers for system isolation specific to Guix.
