Just a thought: Security, workspaces and isolated/restricted processes

webman at manfbraun.de webman at manfbraun.de
Fri Apr 15 23:11:14 CEST 2016

Hi !

I'll just repeat my forum entry here - just do not know, if some DEVs read
them ;-)

I just try to find a way, where I can run a web browser in a more isolated
This ends most of the time in running it inside a LXC container or such.

Also this is really a bit complex, there is probably an easier way using
which is about limiting resources, like networks/filesystems etc. pp.

Per process routing2:

Using linux namespaces for processes and networking:

If one can put processes into a cgroup, one can give them a custom routing
or even IP address, which is much easier to filter, either locally (with
iptables) or at the firewall.

So a very wonderful hit could be, to start all processes inside a given XFCE
inside a separate cgroup. For this case, a colored border of such a
workspace could give
a good extra hint to remember. But this could make the network manager

I am, sorry, not that type of Linux insider, that I [currently ;-) ] could
do this by myself. Just thinking about the future of XFCE ... ;-)

Comments are welcome too!

Best regards,
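
The idea in the message above (give one application its own routing and source IP so it can be filtered with iptables), sketched as an added example that is not part of the original post or of Xfce. It uses a network namespace joined to the host by a veth pair; the namespace name `browser`, the 10.200.1.0/30 addresses, the uplink `eth0` and the allowed ports are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: print (default) or run (APPLY=1, as root) the commands that
# put one application behind its own source IP in a network namespace.
# Constructed values: namespace "browser", 10.200.1.0/30, uplink "eth0".

netns_plan() {
    ns=$1; host_ip=$2; ns_ip=$3; uplink=$4
    # "veth-<ns>" must fit the 15-character interface name limit.
    [ "${#ns}" -le 10 ] || { echo "namespace name too long: $ns" >&2; return 1; }
    cat <<EOF
ip netns add $ns
ip link add veth-$ns type veth peer name eth0 netns $ns
ip addr add $host_ip/30 dev veth-$ns
ip link set veth-$ns up
ip -n $ns addr add $ns_ip/30 dev eth0
ip -n $ns link set lo up
ip -n $ns link set eth0 up
ip -n $ns route add default via $host_ip
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $ns_ip -o $uplink -j MASQUERADE
iptables -A FORWARD -d $ns_ip -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $ns_ip -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -s $ns_ip -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -s $ns_ip -j DROP
EOF
}

# Execute the plan line by line, stopping at the first failing command.
netns_apply() {
    plan=$(netns_plan "$@") || return 1
    printf '%s\n' "$plan" | sh -e
}

# Afterwards, start the application inside the namespace as an ordinary user:
#   ip netns exec browser sudo -u "$SUDO_USER" firefox
# If the host resolver listens on loopback, provide /etc/netns/browser/resolv.conf,
# which "ip netns exec" bind-mounts over /etc/resolv.conf.
if [ "${APPLY:-0}" = 1 ]; then
    netns_apply browser 10.200.1.1 10.200.1.2 eth0
else
    netns_plan browser 10.200.1.1 10.200.1.2 eth0
fi
```

Because every packet from the namespace leaves with the source address 10.200.1.2 before NAT, the same address can be matched in the local FORWARD chain as shown; matching it at an upstream firewall would require routing the subnet instead of applying the MASQUERADE rule.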
