<MichaelRaskin>
Days of work instead of all that effort
<MichaelRaskin>
And if you sandbox browsers and restrict how much is allowed into a single instance, you care much less about their sandboxing
<MichaelRaskin>
D-Bus is fine, as long as it is D-Bus that is itself living inside the same jail, no?
<aaronjanse>
Oh I think the issue was applications using dbus yo launch stuff outside their own jail
<aaronjanse>
s/yo/to
<aaronjanse>
But I assume that could be figured out
<MichaelRaskin>
My solution: not having D-Bus sessions outside jails
<aaronjanse>
Hmm. Yeah maybe jails would work
<aaronjanse>
I assume it'd use bindmounts for /nix/store like what currently happens during builds, so containers would only see the packages they need
<MichaelRaskin>
you: maybe jails would work. me: yeah, there are so many annoyances I avoid using my far-from-actually-secure jail setup
<MichaelRaskin>
I don't actually think minimising store access is worth it
<MichaelRaskin>
Maybe dropping the idea that store is a+rx could be reasonable (but Nix somewhat dislikes this idea…)
<MichaelRaskin>
But if the availability of the store can be abused, either the attacker already has a full ACE and… store is not the most useful tool for attacking the jail, or it is something interesting and targeted, but then I can just give up
<aaronjanse>
MichaelRaskin, is your jails config public?
<MichaelRaskin>
Yes. It is written in Common Lisp, though
<aaronjanse>
That's fine
<MichaelRaskin>
And I have only tried running the supporting daemon (which needs root and does all the work) under sinit