Just a thought: Security, workspaces and isolated/restricted processes

Steve Dodier-Lazaro sidnioulz at gmail.com
Sat Apr 16 09:25:48 CEST 2016

Hi Manfred,

I am working on an implementation of sandboxed workspaces for Xfce for a
study, based on Firejail; I'm running it and it's somewhat functional. I am
not sharing it yet because I intend to recruit people here and elsewhere to
test it (in a scientific study setting), so I need people not to play with
it beforehand.

Now there are a couple of reasons why this code is very unlikely to ever be
released as an official Xfce product:

   1. it requires changes to about 20 different Xfce / GNOME apps (and in
   particular complexifies xfwm4 code a lot which is a big no-no)
   2. it requires in-depth changes to Firejail, making my Firejail and the
   official one relatively different products, meaning I'd have to maintain a
   3. it requires GLib API changes (oops! yes this is more or less
   4. it only works for Linux! There is no way on earth that I or other devs
   here or in the Linux sandboxing community could bring sandboxing to the BSDs.
   5. the code, ugh, it's so ugly. When you write for academia you're
   concerned about speed, and there are some bits that I just don't want
   people to run without me on their back watching out for crashes.
   6. I'm late on my PhD. I provide the code to my participants for
   research, primarily. I don't have time to release and maintain stuff (but
   it'll be fully available once the research is published at least :-) )


On 15 April 2016 at 22:11, <webman at manfbraun.de> wrote:

> Hi !
> I'll just repeat my forum entry here - just do not know, if some DEVs read
> them ;-)
> I just try to find a way, where I can run a webbrowser in a more isolated
> environment.
> This ends most of the time in running it inside a LXC container or such.
> Also this is really a bit complex, there is probably an easier way using
> 'cgroups'
> which is about limiting resources, like networks/filesystems etc. pp.
> Example:
> Per process routing2:
> http://www.evolware.org/?p=369
> Using linux namespaces for processes and networking:
> http://www.evolware.org/?p=369
> If one can put processes into a cgroup, one can give them a custom routing
> or even
> ip-address, which is much easier to filter, either locally (with iptables)
> or
> at the firewall.
> So a very wonderful hit could be, to start all processes inside a given
> workspace
> inside a separate cgroup. For this case, a colored border of such a
> workspace could give
> a good extra hint to remember. But this could make the network manager
> complex.
> I am, sorry, not that type of linux insider, that I [currently ;-) ] could
> do this by
> myself. Just a thinking about the future of XFCE ... ;-)
> Comments are welcome too!
> Best regards,
> Manfred
> _______________________________________________
> Xfce4-dev mailing list
> Xfce4-dev at xfce.org
> https://mail.xfce.org/mailman/listinfo/xfce4-dev

Steve Dodier-Lazaro
PhD Student
University College London
Free Software Developer
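The thread talks about putting a workspace's processes into their own cgroup and network namespace and then showing a coloured border so the user can tell which isolation context a window belongs to. Before a desktop can draw that border it has to find out, from /proc, which cgroup and which network namespace a process is actually in. The following is an added example written for this archive page; it is not code from Steve's study implementation, from Xfce or from Firejail. The cgroup layout it looks for (`/workspace/<name>/...`) is an assumed convention chosen for illustration, and the `/proc/<pid>/cgroup` contents and `ns/net` link targets it is tested against are constructed samples so that it runs offline.

```python
"""Read a process's isolation context (cgroup membership, network namespace)
from the /proc formats a workspace-aware desktop would have to parse.

Added example for the xfce4-dev thread on sandboxed workspaces; not Xfce,
Firejail or study code. The "/workspace/<name>/" cgroup path layout is an
assumed convention, not something any project defines.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# /proc/<pid>/cgroup: one line per hierarchy, "hierarchy-id:controllers:path".
# cgroup v1 lists controllers ("net_cls,net_prio"), possibly "name=systemd";
# cgroup v2 (unified) has a single line with an empty controller field: "0::/path".
_CGROUP_LINE = re.compile(r"^(\d+):([^:]*):(.*)$")

# readlink(/proc/<pid>/ns/net) yields "net:[<inode>]"; equal inodes mean the
# same network namespace.
_NS_LINK = re.compile(r"^net:\[(\d+)\]$")

# Constructed sample contents (not captured from a real system).
SAMPLE_CGROUP_V1 = (
    "12:memory:/workspace/banking/firefox\n"
    "11:net_cls,net_prio:/workspace/banking\n"
    "1:name=systemd:/user.slice/user-1000.slice/session-2.scope\n"
)
SAMPLE_CGROUP_V2 = "0::/workspace/banking/app-firefox.scope\n"
SAMPLE_CGROUP_PLAIN = "0::/user.slice/user-1000.slice/app-firefox.scope\n"


def parse_cgroup(text: str) -> dict[str, str]:
    """Map each controller name ('unified' for a v2 line) to its cgroup path.

    Malformed lines are skipped rather than guessed at: a parser that feeds a
    security indicator should fail closed, not invent a membership.
    """
    result: dict[str, str] = {}
    for line in text.splitlines():
        m = _CGROUP_LINE.match(line.strip())
        if not m:
            continue
        _, controllers, path = m.groups()
        if controllers == "":
            result["unified"] = path
            continue
        for ctrl in controllers.split(","):
            result[ctrl.removeprefix("name=")] = path
    return result


def workspace_from_cgroup(cgroups: dict[str, str], prefix: str = "/workspace/") -> str | None:
    """Return the workspace name if any hierarchy places the process under
    the assumed "/workspace/<name>/" layout, else None (not isolated)."""
    for path in cgroups.values():
        if path.startswith(prefix):
            return path[len(prefix):].split("/", 1)[0]
    return None


def netns_inode(link_target: str) -> int | None:
    """Extract the namespace inode from a 'net:[inode]' link target."""
    m = _NS_LINK.match(link_target)
    return int(m.group(1)) if m else None


@dataclass(frozen=True)
class Isolation:
    workspace: str | None   # name under the assumed cgroup layout, or None
    own_netns: bool         # True only if the process is NOT in the reference netns


def describe(cgroup_text: str, proc_ns_link: str, reference_ns_link: str) -> Isolation:
    """Combine both facts. Unparseable namespace links count as *not* isolated,
    so a display hint never claims more isolation than can be verified."""
    proc_ns = netns_inode(proc_ns_link)
    ref_ns = netns_inode(reference_ns_link)
    own = proc_ns is not None and ref_ns is not None and proc_ns != ref_ns
    return Isolation(workspace_from_cgroup(parse_cgroup(cgroup_text)), own)


def describe_pid(pid: int, reference_pid: int = 1) -> Isolation:
    """Live variant on Linux: reading another user's ns links raises
    PermissionError, which is left to the caller to handle."""
    with open(f"/proc/{pid}/cgroup", encoding="utf-8") as fh:
        cgroup_text = fh.read()
    return describe(cgroup_text,
                    os.readlink(f"/proc/{pid}/ns/net"),
                    os.readlink(f"/proc/{reference_pid}/ns/net"))


if __name__ == "__main__":
    print("sample v1:", describe(SAMPLE_CGROUP_V1, "net:[4026532200]", "net:[4026531992]"))
    print("sample plain:", describe(SAMPLE_CGROUP_PLAIN, "net:[4026531992]", "net:[4026531992]"))
    try:
        print("this process:", describe_pid(os.getpid()))
    except OSError as exc:  # non-Linux host, or no permission to read /proc/1/ns/net
        print("live check skipped:", exc)
```

The two checks deliberately stay separate: cgroup membership only says what resource-accounting group a process was started in, while a distinct `ns/net` inode is what actually gives it its own routing table and addresses. A border colour driven by the cgroup alone would reassure the user even when the process still shares the host's network stack.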