Nix: Limit permissions of packages

Created on 20 Mar 2018 · 7 Comments · Source: NixOS/nix

Hi,

Nix is based on namespace/container technologies of Linux, same as Docker, which gives containers completely separated namespaces...

So can we add permissions to Nix packages? For example, limit some app's access to the network? Or limit which system calls apps may make? Is that possible?

And I'm curious about this: if Nix works with namespace/container technology, how does Nix work on Mac? Mac does not support native containerizing technologies (I know this from Docker). So how does Nix work then?

Thanks in advance

feature

All 7 comments

Yeah, I've been thinking about something like this. It could be done by having the user environment builder emit wrappers that execute programs in a sandbox (maybe based on nix run), with permissions defined by the Nix expressions and modifiable by the user.

macOS has a sandbox so at least certain types of restrictions could be implemented on both Linux and macOS.

I haven't tried it but you should be able to use "firejail" on top of Nixpkgs.

I did not read anywhere that Nix uses namespace technologies. @edolstra Are you sure about that? I am not an expert user, but in which case does it use them? I mean I can use any Nix package fully integrated with my desktop/OS environment. It is different from Docker. Nix is a package manager, not a containerizing platform.

Yes, Nix uses mount/user/PID/network namespaces for sandboxing during builds. Also, nix run --store ... uses namespaces to allow unprivileged users to bind-mount a store in an arbitrary location onto /nix/store.

I think in many cases full containers are a rather heavy-handed approach to work around limitations in package/configuration managers (e.g. an inability to handle different versions of packages). Rather than run a program/service in its own filesystem tree, with Nix you could have more fine-grained isolation.

@matthewbauer I tried it. firejail works with Nix packages. Thank you.

@edolstra thank you. I did not know that.

Note: firejail did not work with snap packages: https://github.com/netblue30/firejail/issues/2397 They say it is because snap already uses namespace technologies. That was the reason I was thinking that Nix does not use namespaces...

@jackTaw88 just FYI in future, @edolstra created Nix 😄

It really depends what you want. I can imagine use cases closer to security than what nix normally does, e.g. like for Android apps. On the whole it feels more like it should be done in a different project and later we could perhaps have "bindings" in nixpkgs/nixos that simplify the usage, e.g. create wrapper functions that restrict SW "permissions".
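The wrapper idea raised above (sandboxing wrappers emitted from Nix expressions, and firejail on top of Nixpkgs) can be sketched as a small Nix function. This is an added example, not code from the thread or from Nixpkgs: the `sandboxed` function and its arguments are my own names; it assumes `pkgs.firejail`, `pkgs.hello`, `pkgs.writeShellScriptBin` and `pkgs.lib.escapeShellArgs` from nixpkgs.

```nix
# Added example: wrap a package's binary in a firejail sandbox whose
# restrictions are declared in the Nix expression, not chosen by the program.
{ pkgs ? import <nixpkgs> { } }:
let
  # sandboxed (hypothetical helper): produce a derivation whose bin/<exe>
  # execs the original binary under firejail with the given flags.
  # --noprofile: ignore firejail's per-program defaults, so the Nix
  #              expression is the only source of the policy.
  sandboxed = { pkg, exe, flags }:
    pkgs.writeShellScriptBin exe ''
      exec ${pkgs.firejail}/bin/firejail --noprofile --quiet \
        ${pkgs.lib.escapeShellArgs flags} \
        ${pkg}/bin/${exe} "$@"
    '';
in
{
  # hello with no network access, an empty private home directory and
  # firejail's default seccomp syscall filter.
  hello-nonet = sandboxed {
    pkg = pkgs.hello;
    exe = "hello";
    flags = [ "--net=none" "--private" "--seccomp" ];
  };
}
```

Build with `nix-build default.nix -A hello-nonet` and run `result/bin/hello`; the policy travels with the wrapper, so a user can override it by passing different `flags` without touching the wrapped package.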
