
Re: [atomic-devel] docker-hica new version, now on pypi



On Fri, Jan 15, 2016, at 06:50 AM, Pavel Odvody wrote:
> Hello,
> 
> there's a new release of HICA, system & API for wiring container
> applications back to host based on runtime label introspection.

This is a cool project; the concepts obviously parallel work done on modern
application sandboxing.

However, I would try to separate desktop use cases more from server side
ones.

For example:

 - Bind mounts XSocket into the container

That's currently equivalent to complete control over the desktop.  It
always has been with X11.  Wayland fixes a lot of the holes, but
it's not on its own a complete solution.  The xdg-app people have
been spearheading a lot of things in this area.

There are some commonalities though with desktop use cases, like allowing
certain containers access to the GPU.

And there are more pure server use cases, like allowing a container
access to a portion of a raw block device.  (Think databases that want
to do O_DIRECT).

I personally don't think the "prompt the user with list of permissions beforehand"
model really works for mobile/desktop apps.  It's a fantastically hard problem,
but prompting on-demand seems to be more secure.  Anyways, I don't
see desktop containers as a focus of this project right now, though
I think a unified architecture is going to be important long term.

For server containers, I could certainly
see if we had a curated and documented whitelist, rather than prompting,
we have an admin edit a config file to enable permissions for things
like granting databases access to O_DIRECT on selected block devices?
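The "admin edits a config file" alternative to prompting, sketched as an added example (this is not HICA's code and not part of the thread): an image asks for host resources through labels, an administrator-maintained INI allowlist says per image what may actually be wired in, and anything not listed is refused. The label keys (`example.hica/...`), the `profile` key, the image names and the INI contents are all constructed for the example; `/dev/dri` and `/tmp/.X11-unix` are the conventional DRM and X11 socket paths. It also encodes the desktop/server split from the message: the X socket is treated as a grant of full desktop control and can never be handed to a `server`-profile image, whatever else its section says.

```python
"""Allowlist-driven resolution of container host-access requests (example)."""
import configparser
import fnmatch
import shlex
from dataclasses import dataclass, field

# Hypothetical label keys for what an image asks of the host. These are
# assumptions for this example, not HICA's real label names.
LABEL_DEVICES = "example.hica/devices"   # comma-separated host device paths
LABEL_GPU = "example.hica/gpu"           # "true" requests the GPU device nodes
LABEL_XSOCKET = "example.hica/xsocket"   # "true" requests the X11 socket

X11_SOCKET_DIR = "/tmp/.X11-unix"        # conventional X11 socket directory
GPU_DEVICE_DIR = "/dev/dri"              # DRM device nodes (assumed GPU path)

# Constructed admin-edited allowlist: one section per image. An image
# without a section gets nothing. `profile = server` (the default) can
# never receive the X socket, because that is full control of the desktop.
ALLOWLIST_INI = """
[registry.example/postgres]
profile = server
devices = /dev/sdb1, /dev/disk/by-id/nvme-db-*

[registry.example/render-worker]
profile = server
gpu = yes

[registry.example/ide]
profile = desktop
xsocket = yes
"""


@dataclass
class Decision:
    run_args: list = field(default_factory=list)  # flags to add to `docker run`
    denied: list = field(default_factory=list)    # refused requests, with reason
    warnings: list = field(default_factory=list)  # granted, but high impact


def load_allowlist(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def _flag(labels, key):
    return labels.get(key, "").strip().lower() == "true"


def resolve(image, labels, cfg):
    """Grant only the label requests the admin listed for this image."""
    d = Decision()
    if not cfg.has_section(image):
        # Unknown image: refuse every request; the allowlist is authoritative.
        for key in (LABEL_DEVICES, LABEL_GPU, LABEL_XSOCKET):
            if key in labels:
                d.denied.append(f"{key}: image {image} has no allowlist entry")
        return d
    sec = cfg[image]
    profile = sec.get("profile", "server")

    # Raw block devices: each requested path must match an allowed glob, so a
    # database can get its own disk (for O_DIRECT) without /dev/sd* wholesale.
    allowed = _csv(sec.get("devices", ""))
    for path in _csv(labels.get(LABEL_DEVICES, "")):
        if any(fnmatch.fnmatchcase(path, pat) for pat in allowed):
            d.run_args.append(f"--device={path}:{path}")
        else:
            d.denied.append(f"device {path}: not in allowlist for {image}")

    if _flag(labels, LABEL_GPU):
        if sec.getboolean("gpu", fallback=False):
            d.run_args.append(f"--device={GPU_DEVICE_DIR}:{GPU_DEVICE_DIR}")
        else:
            d.denied.append(f"gpu: not allowed for {image}")

    if _flag(labels, LABEL_XSOCKET):
        if profile == "desktop" and sec.getboolean("xsocket", fallback=False):
            d.run_args.append(f"--volume={X11_SOCKET_DIR}:{X11_SOCKET_DIR}")
            d.warnings.append("X11 socket grants the container full desktop control")
        else:
            d.denied.append(
                f"xsocket: X11 socket means full desktop control; refused under profile {profile}")
    return d


def run_command(image, decision):
    """Build the `docker run` argv from a Decision (granted flags only)."""
    return ["docker", "run", "--rm", *decision.run_args, image]


if __name__ == "__main__":
    cfg = load_allowlist(ALLOWLIST_INI)
    labels = {LABEL_DEVICES: "/dev/sdb1, /dev/sdc", LABEL_XSOCKET: "true"}
    d = resolve("registry.example/postgres", labels, cfg)
    print(shlex.join(run_command("registry.example/postgres", d)))
    for reason in d.denied:
        print("denied:", reason)
```

The point of the shape is that the default is deny and the grant is per device rather than per class: the postgres image above gets `/dev/sdb1` but not `/dev/sdc`, and its request for the X socket is refused outright because its profile is `server`, which is exactly the separation of desktop and server cases argued for in the message.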
