suggestion: create a container solution already at the system package level. Each package would be installed in its own chroot, limited by mount nosuid, nodev, readonly, etc. If a package needs other packages, these would be mixed into its chroot using layering FS. For example, the nginx package would be mixed with pcre, zlib, openssl, geoip, mailcap and libxcrypt. It would work similar to Docker, but at the system level. Docker already works with entire system images. And one more thing: it might not be necessary to create a completely new distribution. For example, it would be enough to take a pacman from Arch Linux and modify it so that it does not unpack packages directly into the system, but takes care of the chroots. And - why? Normally, every program has access to the entire system, at least for reading. Firefox can at least read files in /, list what's in /home, read /etc/passwd. I would like to limit it to only one directory - Downloads. But I don't want to install Firefox using Flatpak or Snap. This way of isolation would be more system solution than a workaround (which Flatpak, from my point of view, is).

· · Web · 2 · 0 · 0
@mig I'm pretty sure you can do that with LXC. Also have you tried Nix?

@albi I just went through the Nix documentation, it seems that it does the job by unpacking whole programs into their own directories and making symlinks from there.. the advantage is that there are more software versions, each user can use a different one and it is possible to do a rollback.. however it does not solve the isolation of programs, due to which I would suggest someting like chroots over FS layering..
LXC is actually a chroot, in addition it isolates processes and networks -> maybe it could be used, but only some kernel calls, not the lxc daemon, which has a slightly different purpose. And still, rather than building a new distribution, I would like to stick with an existing one and all the packages available - just install them differently.

Did you try ?

Ubunto Core also seams to isolate everything althougt in snappy.
I don't like snappy, but it sounds close to what you are looking for.

Chcete-li se zúčastnit této konverzace, přihlaste se

Mastodon server