Just a thought: Security, workspaces and isolated/restricted processes
pliniusminor at gmail.com
Sat Apr 16 18:17:00 CEST 2016
This is a how-to that I've written for running Firefox (or any other web
browser) in a sandbox with Firejail:
It's very easy to do, and a valuable increase in security. :-)
2016-04-16 9:25 GMT+02:00 Steve Dodier-Lazaro <sidnioulz at gmail.com>:
> Hi Manfred,
> I am working on an implementation of sandboxed workspaces for Xfce for a
> study, based on Firejail. I'm running it and it's somewhat functional. I am
> not sharing it yet because I intend to recruit people here and elsewhere to
> test it (in a scientific study setting), so I need people not to play with
> it beforehand.
> Now there are a couple of reasons why this code is very unlikely to ever
> be released as an official Xfce product:
> 1. it requires changes to about 20 different Xfce / GNOME apps (and in
> particular complexifies xfwm4 code a lot which is a big no-no)
> 2. it requires in-depth changes to Firejail, making my Firejail and
> the official one relatively different products, meaning I'd have to
> maintain a fork
> 3. it requires GLib API changes (oops! yes this is more or less
> 4. it only works for Linux! There is no way on earth that I or other devs
> here or in the Linux sandboxing community will bring sandboxing to the BSDs.
> 5. the code, ugh, it's so ugly. When you write for academia you're
> concerned about speed, and there are some bits that I just don't want
> people to run without me on their back watching out for crashes.
> 6. I'm late on my PhD. I provide the code to my participants for
> research, primarily. I don't have time to release and maintain stuff (but
> it'll be fully available once the research is published at least :-) )
> On 15 April 2016 at 22:11, <webman at manfbraun.de> wrote:
>> Hi !
>> I'll just repeat my forum entry here - I just don't know if some devs read
>> them ;-)
>> I just try to find a way, where I can run a webbrowser in a more isolated
>> This ends most of the time in running it inside an LXC container or such.
>> Also this is really a bit complex; there is probably an easier way using
>> which is about limiting resources, like networks/filesystems etc.
>> Per-process routing [2]:
>> Using Linux namespaces for processes and networking:
>> If one can put processes into a cgroup, one can give them a custom routing
>> or even an IP address, which is much easier to filter, either locally
>> (with iptables) or at the firewall.
>> So a very wonderful hit could be to start all processes inside a given
>> inside a separate cgroup. For this case, a colored border of such a
>> workspace could give a good extra hint to remember. But this could make
>> the network manager
>> I am, sorry, not that type of Linux insider that I [currently ;-)] could
>> do this by myself. Just thinking about the future of XFCE ... ;-)
>> Comments are welcome too!
>> Best regards,
>> Xfce4-dev mailing list
>> Xfce4-dev at xfce.org
> Steve Dodier-Lazaro
> PhD Student
> University College London
> Free Software Developer
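The quoted post asks for a way to give a browser its own routing and IP address so that its traffic can be filtered locally with iptables or at the site firewall, and the reply recommends Firejail for the same job. The following script is an added example written for this page, not code from the thread or from the Firejail or Xfce projects. It builds the isolated network by hand (a network namespace, which is the kernel object that gives a process group its own interfaces, address and routing table) and then shows the equivalent Firejail one-liner. Every name and address in it is an assumption for the example: the namespace "browser", the veth pair veth-br-host/veth-br-ns, the 10.200.0.0/24 link, the uplink eth0 and the LAN address 192.168.1.80. Set DRY_RUN=1 to print the commands instead of executing them; the real setup needs root.

```shell
#!/bin/sh
# Added example (not from the thread): give a browser its own network
# namespace and IP address, then filter that address with iptables.
# Assumed names: namespace "browser", veth pair veth-br-host/veth-br-ns,
# link 10.200.0.0/24, uplink eth0, LAN address 192.168.1.80 for Firejail.
set -eu

NS=browser
HOST_IF=veth-br-host
NS_IF=veth-br-ns
HOST_IP=10.200.0.1
NS_IP=10.200.0.2          # the browser's address: every rule is keyed on it
UPLINK=eth0
LAN_IP=192.168.1.80       # assumed free LAN address for the Firejail variant
DRY_RUN=${DRY_RUN:-0}     # DRY_RUN=1 prints each command instead of running it

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. A network namespace with a veth link to the host. Processes started in
#    it see only veth-br-ns and lo, own NS_IP, and route via HOST_IP.
netns_create() {
    run ip netns add "$NS"
    run ip link add "$HOST_IF" type veth peer name "$NS_IF"
    run ip link set "$NS_IF" netns "$NS"
    run ip addr add "$HOST_IP/24" dev "$HOST_IF"
    run ip link set "$HOST_IF" up
    run ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$NS_IF"
    run ip netns exec "$NS" ip link set "$NS_IF" up
    run ip netns exec "$NS" ip link set lo up
    run ip netns exec "$NS" ip route add default via "$HOST_IP"
}

# 2. Policy keyed on NS_IP: the browser may reach DNS and HTTP(S), nothing
#    else; replies come back via conntrack; outgoing traffic is NATed.
firewall_rules() {
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$HOST_IF" -s "$NS_IP" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -i "$HOST_IF" -s "$NS_IP" -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -A FORWARD -i "$HOST_IF" -s "$NS_IP" -j DROP
    run iptables -A FORWARD -o "$HOST_IF" -d "$NS_IP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -s "$NS_IP" -o "$UPLINK" -j MASQUERADE
}

# 3. Start the browser inside the namespace, dropping back to the desktop
#    user (ip netns exec needs root). DISPLAY is passed through for X11.
browser_start() {
    run ip netns exec "$NS" sudo -u "${SUDO_USER:-${USER:-$(id -un)}}" \
        env DISPLAY="${DISPLAY:-:0}" firefox
}

# Same idea with Firejail: --net=eth0 gives firefox a fresh network
# namespace with a macvlan interface on the uplink, so it appears on the
# LAN with its own address (LAN_IP) and can be filtered at the site
# firewall as well; --netfilter adds Firejail's default client filter.
firejail_start() {
    run firejail --net="$UPLINK" --ip="$LAN_IP" --netfilter \
        --noroot --caps.drop=all --seccomp firefox
}

case "${1:-}" in
    setup)    netns_create; firewall_rules ;;
    run)      browser_start ;;
    firejail) firejail_start ;;
    *)        echo "usage: $0 setup|run|firejail  (DRY_RUN=1 only prints commands)" ;;
esac
```

Run `sudo sh browser-netns.sh setup` once and `sudo sh browser-netns.sh run` for each browser session; the Firejail variant needs no prior setup because Firejail creates and tears down the namespace itself. The DROP rule is the important one: anything the browser tries beyond DNS and HTTP(S) is logged nowhere and goes nowhere, and because the address is fixed, the same rule can be placed on an upstream firewall that sees 10.200.0.2 (or 192.168.1.80 in the macvlan case) as an ordinary host.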