subgraph / oz

OZ: a sandboxing system targeting everyday workstation applications
https://subgraph.com/sgos/

Multi-instance and disposable profiles #15

Open xSmurf opened 8 years ago

xSmurf commented 8 years ago

It would be good to support multiple instances for a profile with a prefix for the whitelisted data.

At the same time it would make it possible to implement disposable profiles (i.e. a non-persistent overlay).

xSmurf commented 8 years ago

Referenced in https://github.com/subgraph/subgraph-os-issues/issues/38

dma commented 6 years ago

Idea for an implementation that's very simple:

Oz profile gets two new fields:

derivative: [original program name]

And maybe, optionally:

derivative-exec-path: [path to program exec]

When oz-setup install runs, it identifies the profile as being derived from another. It then creates symlinks as such:

/usr/bin/derivative -> /usr/bin/oz

We could create another symlink in /usr/bin-oz, but that seems unnecessary and maybe even wrong to do as it has no meaning outside of an oz runtime. Oz doesn't need it as it knows the path of the original program, since the master profile from which one is derived is known.

This implementation will handle the coming use cases:

```json
{
  "name": "hexchat-i2p",
  "path": "/usr/bin/hexchat-i2p",
  "derivative": "hexchat",
  "default_params": ["--no-plugins"],
  "xserver": {
    "enabled": true,
    "enable_tray": false,
    "tray_icon": "/usr/share/icons/hicolor/scalable/apps/hexchat.svg",
    "enable_notifications": true
  },
  "networking": {
    "type": "empty",
    "sockets": [
      {"type": "client", "proto": "tcp", "port": 6668}
    ]
  },
  "whitelist": [
    {"path": "${HOME}/.config/hexchat-i2p", "target": "${HOME}/.config/hexchat", "can_create": true},
    {"path": "/var/lib/oz/cells.d/hexchat.json", "read_only": true},
    {"path": "/var/lib/oz/cells.d/hexchat-whitelist.seccomp", "read_only": true}
  ],
  "blacklist": [],
  "seccomp": {
    "mode": "whitelist",
    "enforce": true,
    "whitelist": "/var/lib/oz/cells.d/hexchat-whitelist.seccomp"
  }
}
```
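As an added illustration of the resolution step sketched in the comment above (example code written for this page, not part of the oz code base): it parses profiles carrying the proposed `derivative` / `derivative-exec-path` fields, walks the chain to the master profile while rejecting missing masters and cycles, and reports the program to launch plus the `/usr/bin/<name> -> /usr/bin/oz` launcher symlink a derived profile would get. The field names and symlink layout are taken from the comment; `LoadProfiles` and `Resolve` are hypothetical helpers, not oz-setup's own.

```go
package main
import "encoding/json"
import "fmt"

// Profile keeps only the fields needed here; the two derivative fields are the ones proposed above.
type Profile struct {
	Name           string `json:"name"`
	Path           string `json:"path"`
	Derivative     string `json:"derivative"`
	DerivativeExec string `json:"derivative-exec-path"`
}
// LoadProfiles parses a JSON array of profiles into a map keyed by profile name.
func LoadProfiles(doc string) (map[string]Profile, error) {
	var list []Profile
	if err := json.Unmarshal([]byte(doc), &list); err != nil {
		return nil, err
	}
	out := map[string]Profile{}
	for _, p := range list {
		out[p.Name] = p
	}
	return out, nil
}

// Resolve follows the derivative chain to its master, rejecting unknown masters and cycles, and
// returns the program to run (derivative-exec-path, else the master's path) plus the launcher symlink.
func Resolve(profiles map[string]Profile, name string) (exec, symlink string, err error) {
	p, ok := profiles[name]
	if !ok {
		return "", "", fmt.Errorf("unknown profile %q", name)
	}
	cur, seen := p, map[string]bool{name: true}
	for cur.Derivative != "" {
		if seen[cur.Derivative] {
			return "", "", fmt.Errorf("derivative cycle through %q", cur.Derivative)
		}
		seen[cur.Derivative] = true
		if cur, ok = profiles[cur.Derivative]; !ok {
			return "", "", fmt.Errorf("%q derives from an unknown profile", name)
		}
	}
	if exec = p.DerivativeExec; exec == "" {
		exec = cur.Path // a derived profile runs the master's binary under its own profile
	}
	if p.Derivative != "" {
		symlink = "/usr/bin/" + p.Name + " -> /usr/bin/oz" // master profiles get no extra symlink
	}
	return exec, symlink, nil
}
```

Feed `LoadProfiles` the contents of the profile files (as a JSON array) and call `Resolve` once per derived profile; a non-nil error means the profile set should be rejected before any symlink is created.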