GNU bug report logs - #42996
icecat can escape from `guix environment --container`


Package: guix;

Reported by: luhux <luhux <at> outlook.com>

Date: Sun, 23 Aug 2020 14:49:01 UTC

Severity: normal

Done: Julien Lepiller <julien <at> lepiller.eu>

Bug is archived. No further changes may be made.



Report forwarded to bug-guix <at> gnu.org:
bug#42996; Package guix. (Sun, 23 Aug 2020 14:49:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to luhux <luhux <at> outlook.com>:
New bug report received and forwarded. Copy sent to bug-guix <at> gnu.org. (Sun, 23 Aug 2020 14:49:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: luhux <luhux <at> outlook.com>
To: bug-guix <at> gnu.org
Subject: icecat can escape from `guix environment --container`
Date: Sun, 23 Aug 2020 18:18:49 +0800
I am using guix environment --container to isolate some programs that are prone to leak information. guix environment --container works well in freerdp and other programs until I use guix environment --container to containerize icecat.

Steps to reproduce:

guix environment --container (...some options...) --ad-hoc icecat

Select the address bar, write 'file://' and then access it; icecat can still access the content outside the container.

Please forgive me for some inappropriate words. My English is not very good.

luhux




Information forwarded to bug-guix <at> gnu.org:
bug#42996; Package guix. (Sun, 23 Aug 2020 15:40:01 GMT) Full text and rfc822 format available.

Message #8 received at 42996 <at> debbugs.gnu.org (full text, mbox):

From: Julien Lepiller <julien <at> lepiller.eu>
To: luhux <luhux <at> outlook.com>, 42996 <at> debbugs.gnu.org
Subject: Re: bug#42996: icecat can escape from `guix environment --container`
Date: Sun, 23 Aug 2020 11:38:47 -0400
One possibility is that you're seeing the virtual root filesystem, that would only have a few directories and the structure up to the directory you created your container in. Are you sure you can access files outside of the directory you started icecat in?

Another possibility is that you had a running icecat outside of the container. In that case, calling icecat from the container only opens a new window in the un-containerized icecat. Could it be what's happening?

On 23 Aug 2020 06:18:49 GMT-04:00, luhux <luhux <at> outlook.com> wrote:
>I am using guix environment --container to isolate some programs that
>are prone to leak information. guix environment --container works well
>in freerdp and other programs until I use guix environment --container
>to containerize icecat,
>
>Steps to reproduce:
>
>guix environment --container (...some options...) --ad-hoc icecat
>
>Select the address bar and write:'file://' and then access, icecat can
>still access the content outside the container.
>
>Please forgive me for some inappropriate words. My English is not very
>good.
>
>luhux

Information forwarded to bug-guix <at> gnu.org:
bug#42996; Package guix. (Sun, 23 Aug 2020 16:46:01 GMT) Full text and rfc822 format available.

Message #11 received at 42996 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: luhux <luhux <at> outlook.com>
Cc: 42996 <at> debbugs.gnu.org
Subject: Re: bug#42996: icecat can escape from `guix environment --container`
Date: Sun, 23 Aug 2020 12:45:33 -0400
On Sun, Aug 23, 2020 at 06:18:49PM +0800, luhux wrote:
> I am using guix environment --container to isolate some programs that
> are prone to leak information. guix environment --container works well
> in freerdp and other programs until I use guix environment --container
> to containerize icecat,

More comprehensive reproduction:

$ guix environment --container --share=/tmp/.X11-unix --ad-hoc icecat
[env]$ export DISPLAY=":0.0"
[env]$ icecat

The browser has no fonts but, with careful typing, I was able to open a
text file in my home directory.

Information forwarded to bug-guix <at> gnu.org:
bug#42996; Package guix. (Sun, 23 Aug 2020 16:56:02 GMT) Full text and rfc822 format available.

Message #14 received at 42996 <at> debbugs.gnu.org (full text, mbox):

From: Leo Famulari <leo <at> famulari.name>
To: luhux <luhux <at> outlook.com>
Cc: 42996 <at> debbugs.gnu.org
Subject: Re: bug#42996: icecat can escape from `guix environment --container`
Date: Sun, 23 Aug 2020 12:55:05 -0400
I believe that this is expected given the specification of `guix
environment`, which is its chapter in the manual. [0]

It says, "For containers, the default behavior is to share the current
working directory with the isolated container and immediately change to
that directory within the container. If this is undesirable, --no-cwd
will cause the current working directory to not be automatically shared
and will change to the user’s home directory within the container
instead."

For this command, the word "share" means that the shared directories
will be read-write.

Did you use the --no-cwd option? If not, were you able to access any
files outside of the current working directory of the `guix environment
...` command invocation?

[0] https://guix.gnu.org/manual/en/html_node/Invoking-guix-environment.html#Invoking-guix-environment

Reply sent to Julien Lepiller <julien <at> lepiller.eu>:
You have taken responsibility. (Mon, 24 Aug 2020 11:18:02 GMT) Full text and rfc822 format available.

Notification sent to luhux <luhux <at> outlook.com>:
bug acknowledged by developer. (Mon, 24 Aug 2020 11:18:02 GMT) Full text and rfc822 format available.

Message #19 received at 42996-close <at> debbugs.gnu.org (full text, mbox):

From: Julien Lepiller <julien <at> lepiller.eu>
To: luhux <luhux <at> outlook.com>, 42996-close <at> debbugs.gnu.org
Subject: Re: bug#42996: icecat can escape from `guix environment --container`
Date: Mon, 24 Aug 2020 07:17:02 -0400
Then, closing. Thank you :)

On 23 Aug 2020 21:15:55 GMT-04:00, luhux <luhux <at> outlook.com> wrote:
>On Sun, Aug 23, 2020 at 11:38:47AM -0400, Julien Lepiller wrote:
>> One possibility is that you're seeing the virtual root filesystem,
>that would only have a few directories and the structure up to the
>directory you created your container in. Are you sure you can access
>files outside of the directory you started icecat in?
>> 
>> Another possibility is that you had a running icecat outside of the
>container. In that case, calling icecat from the container only opens a
>new window in the un-containerized icecat. Could it be what's
>happening?
>> 
>
>It is my fault.
>
>The icecat in the container is connected to the icecat outside the
>container, and then a new window is opened using the icecat outside the
>container
>
>Close the icecat outside the container, and then open the icecat inside
>the container, everything is correct.
>
>The problem is solved, thank you very much.
>
>luhux
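As an added example (not code from this thread, from Guix or from the reporter), a small POSIX shell wrapper that turns the two findings above into checks before a containerized browser is trusted: Leo's point that directories shared by `guix environment --container` are read-write unless --no-cwd is used, and the final diagnosis that a browser already running outside the container simply opens a new window when invoked again. The DRY_RUN variable, the launch wrapper and the mount-namespace comparison are assumptions of this example; the namespace check needs a Linux /proc and reports "unknown" elsewhere.

```shell
#!/bin/sh
# Wrapper for running a browser (e.g. icecat) under `guix environment --container`.
# Checks added here: refuse to start if the same program already runs on the host
# (a new invocation would only open a window in that host instance, which can
# read the whole home directory), and pass --no-cwd so the working directory is
# not shared read-write by default; only the X11 socket directory is shared.

# Return 0 if a host process whose command name is exactly $1 is visible.
host_instance_running() {
    name=$1
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -x "$name" >/dev/null 2>&1
    else
        ps -eo comm= 2>/dev/null | grep -qx "$name"
    fi
}

# Print the container command line for package/program $1.
# --no-cwd: do not share the current directory; --share: the X11 socket only.
build_container_cmd() {
    pkg=$1
    printf '%s\n' "guix environment --container --no-cwd --share=/tmp/.X11-unix --ad-hoc $pkg -- $pkg"
}

# Compare the mount namespaces of PIDs $1 and $2 (Linux /proc only).
# Prints "same", "different" or "unknown"; a window whose process is "same"
# as the host shell is not inside the container at all.
mount_ns_relation() {
    a=$(readlink "/proc/$1/ns/mnt" 2>/dev/null) || { echo unknown; return 0; }
    b=$(readlink "/proc/$2/ns/mnt" 2>/dev/null) || { echo unknown; return 0; }
    if [ "$a" = "$b" ]; then echo same; else echo different; fi
}

# Refuse to launch while a host instance exists; with DRY_RUN=1 (assumed
# variable) only print the command instead of exec'ing it.
launch() {
    pkg=$1
    if host_instance_running "$pkg"; then
        echo "refusing: $pkg is already running outside the container" >&2
        return 1
    fi
    cmd=$(build_container_cmd "$pkg")
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        exec $cmd
    fi
}
```

Run `DRY_RUN=1 ./wrapper.sh` after appending `launch icecat` to see the command without starting anything; to confirm a window really belongs to the container, compare its PID with your shell via mount_ns_relation.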

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 21 Sep 2020 11:24:04 GMT) Full text and rfc822 format available.


