Just a thought: Security, workspaces and isolated/restricted processes

PK pliniusminor at gmail.com
Sat Apr 16 18:17:00 CEST 2016

This is a how-to that I've written for running Firefox (or any other web
browser) in a sandbox with Firejail:

It's very easy to do, and a valuable increase of security.  :-)

Regards, Pjotr.

2016-04-16 9:25 GMT+02:00 Steve Dodier-Lazaro <sidnioulz at gmail.com>:

> Hi Manfred,
> I am working on an implementation of sandboxed workspaces for Xfce for a
> study, based on Firejail. It's running and somewhat functional. I am not
> sharing it yet because I intend to recruit people here and elsewhere to
> test it (in a scientific study setting), so I need people not to play with
> it beforehand.
> Now there are a couple of reasons why this code is very unlikely to ever
> be released as an official Xfce product:
>    1. it requires changes to about 20 different Xfce / GNOME apps (and in
>    particular complicates the xfwm4 code a lot, which is a big no-no)
>    2. it requires in-depth changes to Firejail, making my Firejail and
>    the official one relatively different products, meaning I'd have to
>    maintain a fork
>    3. it requires GLib API changes (oops! yes this is more or less
>    mandatory)
>    4. it only works for Linux! There is no way on earth that I or other devs
>    here or in the Linux sandboxing community will bring sandboxing to the BSDs.
>    5. the code, ugh, it's so ugly. When you write for academia you're
>    concerned about speed, and there are some bits that I just don't want
>    people to run without me on their back watching out for crashes.
>    6. I'm late on my PhD. I provide the code to my participants for
>    research, primarily. I don't have time to release and maintain stuff (but
>    it'll be fully available once the research is published at least :-) )
> Best,
> On 15 April 2016 at 22:11, <webman at manfbraun.de> wrote:
>> Hi !
>> I'll just repeat my forum entry here; I just don't know if any devs read
>> them ;-)
>> I'm just trying to find a way to run a web browser in a more isolated
>> environment.
>> Most of the time this ends in running it inside an LXC container or similar.
>> Also, this is really a bit complex; there is probably an easier way using
>> 'cgroups', which are about limiting resources like networks/filesystems etc.
>> Example:
>> Per process routing2:
>> http://www.evolware.org/?p=369
>> Using linux namespaces for processes and networking:
>> http://www.evolware.org/?p=369
>> If one can put processes into a cgroup, one can give them custom routing or
>> even an IP address, which is much easier to filter, either locally (with
>> iptables) or at the firewall.
>> So a very nice approach could be to start all processes inside a given
>> workspace inside a separate cgroup. In that case, a colored border on such a
>> workspace could give a good extra hint as a reminder. But this could make the
>> network manager complex.
>> Sorry, I am not the type of Linux insider who could [currently ;-) ] do this
>> by myself. Just thinking about the future of Xfce ... ;-)
>> Comments are welcome too!
>> Best regards,
>> Manfred
>> _______________________________________________
>> Xfce4-dev mailing list
>> Xfce4-dev at xfce.org
>> https://mail.xfce.org/mailman/listinfo/xfce4-dev
> --
> Steve Dodier-Lazaro
> PhD Student
> University College London
> Free Software Developer
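The per-workspace isolation Manfred sketches and the Firejail browser sandbox Pjotr points to, combined in one added shell example that is not part of this thread: a wrapper that starts a browser under Firejail in its own network namespace with a workspace-specific IP address, so host firewall rules can match traffic per workspace. The bridge name br-sandbox, the 10.200.0.0/24 subnet and the ~/.sandbox directory are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): one Firejail invocation per Xfce
# workspace, so every browser started from workspace N lands in its own
# network namespace with a predictable IP that host firewall rules can match.
# Assumptions (constructed): the host has a bridge "br-sandbox" on
# 10.200.0.0/24 and Firejail is installed.

BRIDGE=br-sandbox
SUBNET=10.200.0

# IP for a workspace: 10.200.0.(10+N), so workspace 0 -> .10, 1 -> .11, ...
sandbox_ip() {
    ws=$1
    echo "$SUBNET.$((10 + ws))"
}

# Print the firejail arguments for a workspace, one per line.
# --net puts the browser in a fresh network namespace attached to the bridge,
# --ip fixes its address, --netfilter loads Firejail's default client filter
# inside that namespace, --private=DIR keeps a per-workspace home so browser
# profiles of different workspaces never mix.
sandbox_args() {
    ws=$1
    printf '%s\n' \
        "--name=ws$ws-browser" \
        "--net=$BRIDGE" \
        "--ip=$(sandbox_ip "$ws")" \
        "--netfilter" \
        "--private=$HOME/.sandbox/ws$ws" \
        "--caps.drop=all" \
        "--seccomp" \
        "--noroot"
}

# Host-side filtering hint: one iptables rule per workspace address, e.g. to
# log (or drop) forwarded traffic coming from the sandbox of workspace N.
firewall_rule() {
    ws=$1
    echo "iptables -A FORWARD -s $(sandbox_ip "$ws") -j LOG --log-prefix \"ws$ws: \""
}

# Start the browser for workspace $1 (default browser: firefox).
# The generated arguments contain no spaces unless $HOME does, so plain
# word splitting is acceptable here.
launch_browser() {
    ws=$1
    browser=${2:-firefox}
    mkdir -p "$HOME/.sandbox/ws$ws"
    # shellcheck disable=SC2046
    exec firejail $(sandbox_args "$ws") "$browser"
}
```

Invoke as `launch_browser "$(xdotool get_desktop)"` from a workspace-aware launcher; the workspace number is whatever the caller supplies.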