Just a thought: Security, workspaces and isolated/restricted processes
webman at manfbraun.de
webman at manfbraun.de
Fri Apr 15 23:11:14 CEST 2016
Hi !
I'll just repeat my forum entry here - just do not know, if some DEVs read
them ;-)
I just try to find a way, where I can run a webbrowser in a more isolated
environment.
This ends most of the time in running it inside a LXC container or such.
Also this is really a bit complex, there is probably a easier way using
'cgroups'
which is about limiting resources, like networks/filesystems etc. pp.
Example:
Per process routing2:
http://www.evolware.org/?p=369
Using linux namespaces for processes and networking:
http://www.evolware.org/?p=369
If one can put processes into a cgroup, one can give them a custom routing
oder even
ip-address, which is much easier to filter, ether locally (with iptables) or
at the firewall.
So a very wonderful hit could be, to start all processes inside a given XFCE
workspace
inside a separate cgroup. For this case, a colored border of such a
workspace could give
a good extra hint to remember. But this could make the network manager
complex.
I am, sorry, not that type of linux insider, that I [currently ;-) ] could
do this by
myself. Just a thinking about the future of XFCE ... ;-)
Comments are welcome too!
Best regards,
Manfred
More information about the Xfce4-dev
mailing list