Hacker News new | ask | show | jobs
by rnhmjoj 317 days ago
Does GNU Shepherd support some form of sanboxing?

systemd has many options to reduce the privileges of a service: like running as a normal user with only certain POSIX capabilities, setting up a mount namespace with a limited view of the root filesystem, locking down which system calls can be invoked, etc.
2 comments
foretoldfeline 317 days ago
GNU Shepherd itself doesn't implement sandboxing, but you can use the least-authority-wrapper to do namespaces. There are other tools to do more comphrensive sandboxing, which Shepherd can use, e.g. nsjail.

least-authority-wrapper: https://codeberg.org/guix/guix/src/commit/e3fbaeee1386fd447f...

link
lynx97 317 days ago
Uoh, nsjail ha? The namespace for project names seems exhausted. No germans on the dev team, ey?
link
foretoldfeline 316 days ago
https://github.com/google/nsjail
link
kwk1 316 days ago
What is the problematic connotation for 'nsjail' in German?
link
1oooqooq 315 days ago
refer to a kind of jail by a political party that killed a few million people around the 40s
link
lynx97 314 days ago
The Nazis party was called National Socialists... And they had a number of horrific jails.
link
davexunit 317 days ago
Shepherd doesn't include this as it is quite lean and extensible (service start/stop hooks are functions that can do anything) but Guix includes a Linux container implementation and an abstraction built on top for use by services. The long term vision is to use an object capability security model so, rather than "locking down", a service can only interact with the resources to which it has been passed a reference. No ambient authority, no confused deputies.
link
jcgl 317 days ago
I really like systemd but am also Guix-curious. This sandboxing topic has been a bit of a blocker for me to properly go deeper with Guix. Do you know of any good places to read more about this vision? Sounds powerful and unique.
link
foretoldfeline 316 days ago
https://fosdem.org/2025/schedule/event/fosdem-2025-5315-shep...
link
davexunit 316 days ago
Just to be clear, sandboxing is possible with Guix, with least-authority-wrapper as a built-in option. Regarding the long term vision of capability security, you can read the Spritely (the nonprofit I work for) whitepaper about capabilities and the work we're doing in Guile to make it happen [0]. The paper isn't about Guix, but Guix stands to benefit from the effort. Getting to the point where Guix services are capability secure will take many steps, but one step is bringing capabilities to Shepherd, which we have made progress on through an NLnet grant [1].

[0] https://files.spritely.institute/papers/spritely-core.html

[1] https://nlnet.nl/project/DistributedShepherd/

link