
Re: Documenting current state of isolating icecat


From: Mike Gerwitz
Subject: Re: Documenting current state of isolating icecat
Date: Wed, 26 Jun 2019 23:13:22 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.0.50 (gnu/linux)

I'd love to be able to get a discussion going on this again.  I really
wish I had time to spend on this, since it's something I'm really
interested in helping with.  But I either need to do a lot more research
or need the help of people more familiar with Guix than me.

On Wed, Jun 26, 2019 at 12:58:39 -0400, Christopher Lemmer Webber wrote:
> If you want to have the hairs on the back of your neck stand up and not
> lie down for a while, why not read this:
>
>   https://robertheaton.com/2019/06/24/i-was-7-words-away-from-being-spear-phished/
>
> Previously there were some threads about isolating icecat and other
> graphical applications:
>
>   https://lists.gnu.org/archive/html/help-guix/2018-01/msg00056.html
>
> However, it's not obvious to me if we have an answer yet on what to do.
> Whatever it is, I'd like to do it.
>
> Could someone point me in the right direction?  Much appreciated.
> Maybe we should even include it as an example in the documentation?
> That could be a big win, and make it clearer to users how Guix comes
> with tools that can help empower them.

First: I should mention that later on in that thread, I solved the font
issues and Ludo provided a script to containerize programs.  I
unfortunately still haven't had the time to give it a try, and I still
have some outstanding issues that I haven't had time to research:

1. XDG_DATA_DIRS=$HOME/.guix-local/share is required within the
   container.  Perhaps we should provide a wrapper for icecat to do this
   automatically, otherwise it's broken by default (broken font
   rendering).

2. I notice that if I run icecat outside of a container, save to a
   directory, and then run within a container that does not have such a
   directory, icecat segfaults.  I haven't even looked at a backtrace
   yet.

3. I haven't researched what may be needed for audio to work.  Videos
   work, but no audio.  TBH, this is currently a feature for me. ;)

4. Icecat is significantly less stable.  Tabs crash more frequently,
   especially when dealing with video, and the entire browser will
   occasionally crash.  But it's stable enough for use---I still run it
   within a container.

5. Attempting to print (just attempting to show the print dialog)
   immediately segfaults.  I don't even have printers configured, so this
   is at the very bottom of my list of priorities to investigate.

6. /etc/machine-id is required, and could be used to deanonymize users
   if ever it is leaked within the container.  I haven't researched
   potential mitigations.

Otherwise, it seems performant (again, videos play just fine without
audio) and works well overall.

Here is my current script:

#+BEGIN_SRC sh
#!/bin/bash

# GC root for the container's profile.  The original relied on $gc_root
# being set by the caller; default it here (assumed location) so that
# `-r ""' does not fail when it isn't.
gc_root="${gc_root:-$HOME/.guix-icecat-root}"

mkdir -p /tmp/.icecat-tmp && cd /tmp/.icecat-tmp || exit

# .X11-unix and .Xauthority are required for X11 session sharing with the
# host.  /etc/machine-id is required for DBUS.  The rest is optional, but
# .mozilla is ideal for persisting sessions, and .cache for performance.
# A unique `Downloads' directory is mounted to keep its eyes away from
# anything that might have been downloaded outside this container, though
# note that it _will_ have access to downloads from previous sessions (if
# you don't want that, then just create a random dir each time).
#
# The trailing lines are deliberately commented out: `#-- \' ends the
# command, so `guix environment' drops into a shell instead of launching
# icecat directly.
guix environment \
     --container \
     --link-profile \
     --user=user \
     --network \
     -r "$gc_root" \
     --expose=/etc/machine-id \
     --expose=/tmp/.X11-unix/ \
     --expose=$HOME/.Xauthority \
     --expose=$HOME/.config/icecat-hosts=/etc/hosts \
     --share=/dev/snd \
     --share=$HOME/.mozilla/ \
     --share=$HOME/Downloads/icecat-container/=$HOME/Downloads/ \
     --ad-hoc mtg-icecat-containerized  \
     #-- \
     #icecat --display=:0.0 "$@" \
#  || zenity --error \
#            --title 'Error starting container' \
#            --text 'Icecat failed to start in a container'
#
#+END_SRC

The comments above are so that I enter a shell to manually set
XDG_DATA_DIRS---I haven't yet researched the best way to handle that;
I'm a packaging noob. :)  If someone wouldn't mind enlightening me...

The creation of the temporary directory prevents exposing the CWD.  That
can go away once I can actually get around to addressing Ludo's concerns
for my --no-cwd patch... (which was actually just brought up in #guix on
Freenode).

Here's my package definition for mtg-icecat-containerized:

#+BEGIN_SRC scheme
(define-module (mtg personal)
  #:use-module ((guix licenses) #:prefix license:)
  #:use-module (guix packages)
  #:use-module (gnu packages)
  #:use-module (guix build-system trivial)
  #:use-module (gnu packages gnome)
  #:use-module (gnu packages gnuzilla)
  #:use-module (gnu packages fonts)
  #:use-module (gnu packages fontutils)
  #:use-module (gnu packages pulseaudio))


(define-public mtg-icecat-containerized
  (package
    (name "mtg-icecat-containerized")
    (version "1.0")
    (home-page "https://mikegerwitz.com/")
    (build-system trivial-build-system)
    (source #f)
    (native-inputs
     `(("fontconfig" ,fontconfig)))
    (arguments
     `(#:modules ((guix build utils))
       #:builder
       (begin
         (use-modules (guix build utils))
         (let* ((share-dir (string-append %output "/share"))
                (cache-dir (string-append %output "/var/cache"))
                (bin-dir   (string-append %output "/bin"))
                (fc-dir    (string-append share-dir "/fontconfig/conf.avail"))
                (fc-mtg    (string-append fc-dir "/52-mtg-container.conf"))
                (fc-cache-dir (string-append cache-dir "/fontconfig"))
                (fonts-dir (string-append share-dir "/fonts")))
           ;; container script to invoke IceCat
           (mkdir-p bin-dir)
           (call-with-output-file (string-append bin-dir "/icecat-container")
             (lambda (port)
               ;; still a stub: only the shebang line is written
               (format port "#!/bin/bash~%")))
           ;; make the script executable so it can at least be invoked
           (chmod (string-append bin-dir "/icecat-container") #o755)

           ;; fontconfig configuration
           (mkdir-p fc-dir)
           (call-with-output-file fc-mtg
             (lambda (port)
               (format port (string-append "<?xml version=\"1.0\"?>
<!DOCTYPE fontconfig SYSTEM \"fonts.dtd\">
<fontconfig>
  <dir>" (string-append (assoc-ref %build-inputs "font-dejavu")
                        "/share/fonts") "</dir>"
  ;;<dir>" (string-append (assoc-ref %build-inputs "font-adobe-source-han-sans")
  ;;                      "/share/fonts") "</dir>
  "
  <cachedir>" fc-cache-dir "</cachedir>
</fontconfig>\n"))))

           (setenv "PATH"
                   (string-append (assoc-ref %build-inputs "fontconfig")
                                  "/bin"))
           (setenv "FONTCONFIG_FILE" fc-mtg)
           (setenv "XDG_DATA_HOME" share-dir)

           (mkdir-p cache-dir)
           (invoke "fc-cache" "-fv")))))
    (propagated-inputs
     `(("icecat" ,icecat)
       ("zenity" ,zenity)
       ("font-dejavu" ,font-dejavu)
       ;;("pulseaudio" ,pulseaudio)
       ;;("font-adobe-source-han-sans", font-adobe-source-han-sans)
       ))
    (synopsis "GNU IceCat packaged for running within a container")
    (description
     "GNU IceCat packaged with various fonts (including multi-lingual).
Suitable for use within a container.")
    (license license:gpl3+)))
#+END_SRC

It might be in a mangled state, though, because I can't remember where I
left off with it.  I think `font-adobe-source-han-sans' is only
commented out because there weren't substitutes and building it takes
forever and is massive.  `pulseaudio' was me starting to try to play
around with audio, but I made no progress and spent very little time.

Hopefully that's a good starting point for others, and again, please
check out Ludo's script that I haven't had a chance to.  My personal
ideal, which I think Ludo shares, is to be able to containerize any
program with sane defaults without having to write package definitions
like the one above, so he's headed in the right direction.

-- 
Mike Gerwitz

Attachment: signature.asc
Description: PGP signature
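The following is an added example; it is not part of Mike's message and is not code from Guix or from his package. It is a wrapper that addresses items 1 and 6 from the list in the message without touching the package definition: it generates a throwaway machine-id and exposes that file as /etc/machine-id, so the host's identifier never enters the container; it sets XDG_DATA_DIRS from the wrapper instead of by hand in a shell; and it gives each session a fresh downloads directory. Assumed, not verified against a running Guix: that --link-profile makes the profile visible at ~/.guix-profile, that --user=user yields HOME=/home/user inside the container, and that adding coreutils to --ad-hoc provides `env`. The package name mtg-icecat-containerized is taken from the message; the file paths under /tmp are made up for the example.

```shell
#!/bin/sh
# Added example, not Mike's script: a wrapper for two of the open items in
# the message above that do not need package changes.
#   item 1: set XDG_DATA_DIRS inside the container instead of by hand;
#   item 6: expose a generated machine-id rather than the host's.
# Assumptions (not verified against a real Guix install): with
# --link-profile the profile appears at ~/.guix-profile, --user=user gives
# HOME=/home/user in the container, and `env' comes from adding coreutils
# to --ad-hoc.  The package name mtg-icecat-containerized is from the
# message.
set -u

# Private working directory: `guix environment --container' exposes the
# CWD, so we cd into a directory that holds nothing but the fake machine-id.
workdir="${ICECAT_WORKDIR:-/tmp/.icecat-wrapper}"

# Write a throwaway machine-id (32 lowercase hex digits plus newline) to $1.
# DBus only needs a well-formed value, so a random one satisfies it while
# the real, host-identifying value stays outside the container.
make_fake_machine_id() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n' > "$1"
    printf '\n' >> "$1"
}

# XDG_DATA_DIRS for the linked profile, given the in-container HOME.
xdg_data_dirs_for() {
    printf '%s/.guix-profile/share' "$1"
}

# Fresh downloads directory under $1 for this session only, so the browser
# cannot see files downloaded by earlier sessions.
make_session_downloads() {
    mktemp -d "$1/icecat-downloads.XXXXXX"
}

# $1 = runner ("echo" prints the command for inspection; "" runs it),
# $2 = fake machine-id file, $3 = session downloads dir; any remaining
# arguments are passed through to icecat.
icecat_container() {
    runner=$1; mid=$2; dl=$3; shift 3
    $runner guix environment --container --link-profile --user=user --network \
        --expose="$mid=/etc/machine-id" \
        --expose=/tmp/.X11-unix/ \
        --expose="$HOME/.Xauthority" \
        --share=/dev/snd \
        --share="$HOME/.mozilla/" \
        --share="$dl=$HOME/Downloads/" \
        --ad-hoc mtg-icecat-containerized coreutils \
        -- env "XDG_DATA_DIRS=$(xdg_data_dirs_for /home/user)" \
           icecat --display=:0.0 "$@"
}

# Launch only when explicitly asked, so the file can be sourced or
# dry-run (runner "echo") without starting anything.
if [ "${ICECAT_LAUNCH:-0}" = 1 ]; then
    mkdir -p "$workdir" "$HOME/Downloads" && cd "$workdir" || exit 1
    make_fake_machine_id "$workdir/machine-id"
    icecat_container "" "$workdir/machine-id" \
        "$(make_session_downloads "$HOME/Downloads")" "$@"
fi
```

Run it as `ICECAT_LAUNCH=1 sh icecat-wrapper.sh`; sourcing the file and calling `icecat_container echo /tmp/mid /tmp/dl` prints the full guix command line for review before anything is started. The machine-id is regenerated on every run, so separate sessions cannot be linked through it; if some program inside the container turns out to need a stable value, generate the file once and keep it instead of overwriting it.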

