Re: App image experiments



On Mon, 2013-02-25 at 18:07 +0100, Stef Walter wrote:

>  sh-4.2$ nautilus
>  (nautilus:15428): GLib-WARNING **: getpwuid_r(): failed due to unknown user id (1000)
> 
> We could solve this with a custom nsswitch.conf module that calls out of
> the sandbox or does something useful here. The real question is if we
> want name-spaced uids and gids in a sandbox or not. We may also want to
> restrict enumerating other users and groups by code inside a sandbox.

Yes, that's obviously the solution for this particular issue in a
carefully composed base. It's not a custom one though, just one
configured to only use nscd via a socket we mount into the root.

There will be a whole lot of similar issues we need to solve too, like
resolv.conf, etc.

As for the level of sandboxing, I think this will be different on a
per-app basis. Some things want the full sandbox where you can't access
the homedir and *everything* goes via kdbus portals, and some things are
"just" the app image /usr isolation to make things portable and
isolated (i.e. for apps that are not ported to a sandbox model).
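Added example (editor's note, not code from the thread, GLib or the app
image work): the GLib warning quoted above comes from getpwuid_r() finding
no passwd entry for the calling uid, which is exactly what happens when a
sandbox root has no /etc/passwd (or no nscd socket) covering the host uid.
Application code that treats "no entry" as an error is what produces the
noise; the lookup below treats it as a normal outcome, grows the scratch
buffer on ERANGE as POSIX requires, and falls back to the numeric uid so
the caller always has something printable. The function name, the enum
and the 1 MiB growth cap are my own choices, not anything from the page.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of a uid -> name lookup (hypothetical API, not from the thread). */
enum uid_lookup {
    UID_FOUND = 0,      /* out holds the login name from the NSS database */
    UID_NOT_FOUND = 1,  /* no entry, the sandbox case; out holds the decimal uid */
    UID_ERROR = 2       /* a real failure other than "no such entry" */
};

/*
 * Resolve uid to a login name with getpwuid_r().  The scratch buffer
 * is grown while the call reports ERANGE; a missing entry is reported
 * as UID_NOT_FOUND instead of being logged as a warning, and in that
 * case (and on error) the uid is written to out as decimal text.
 */
enum uid_lookup username_for_uid(uid_t uid, char *out, size_t outlen)
{
    struct passwd pw, *result = NULL;
    /* Use the system's size hint; fall back to 1 KiB if it has none. */
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t buflen = hint > 0 ? (size_t)hint : 1024;
    char *buf = NULL;
    int rc;

    for (;;) {
        char *nbuf = realloc(buf, buflen);
        if (nbuf == NULL) {
            free(buf);
            snprintf(out, outlen, "%lu", (unsigned long)uid);
            return UID_ERROR;
        }
        buf = nbuf;
        rc = getpwuid_r(uid, &pw, buf, buflen, &result);
        if (rc != ERANGE)
            break;
        if (buflen >= (1u << 20)) {   /* refuse to grow without bound */
            free(buf);
            snprintf(out, outlen, "%lu", (unsigned long)uid);
            return UID_ERROR;
        }
        buflen *= 2;
    }

    if (rc == 0 && result != NULL) {
        /* pw.pw_name points into buf, so copy it out before freeing. */
        snprintf(out, outlen, "%s", pw.pw_name);
        free(buf);
        return UID_FOUND;
    }
    free(buf);

    /* POSIX reports "no entry" as rc == 0 with result == NULL; the glibc
     * man page notes some backends return ENOENT/ESRCH/EBADF/EPERM for
     * the same condition.  All of them mean: fall back to the number. */
    snprintf(out, outlen, "%lu", (unsigned long)uid);
    if (rc == 0 || rc == ENOENT || rc == ESRCH || rc == EBADF || rc == EPERM)
        return UID_NOT_FOUND;
    return UID_ERROR;
}

int main(void)
{
    char name[256];
    uid_t me = getuid();
    enum uid_lookup st = username_for_uid(me, name, sizeof name);

    printf("uid %lu -> %s (%s)\n", (unsigned long)me, name,
           st == UID_FOUND ? "found" :
           st == UID_NOT_FOUND ? "no passwd entry, using the number" :
           "lookup error");
    return st == UID_ERROR ? 1 : 0;
}
```

Run it inside a chroot or sandbox root with an empty /etc/passwd and it
prints the numeric uid with "no passwd entry" rather than a warning; run it
on the host and it prints your login name. The check is the same one the
quoted nautilus warning is missing, and it is independent of whether the
sandbox ends up using a mounted nscd socket or its own nsswitch.conf.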
