Just a thought: Security, workspaces and isolated/restricted processes
PK
pliniusminor at gmail.com
Sat Apr 16 18:17:00 CEST 2016
This is a how-to that I've written for running Firefox (or any other web
browser) in a sandbox with Firejail:
https://sites.google.com/site/easylinuxtipsproject/sandbox
It's very easy to do, and a valuable increase of security. :-)
Regards, Pjotr.
2016-04-16 9:25 GMT+02:00 Steve Dodier-Lazaro <sidnioulz at gmail.com>:
> Hi Manfred,
>
> I am working on an implementation of sandboxed workspaces for Xfce for a
> study, based on Firejail, I'm running and it's somewhat functional. I am
> not sharing it yet because I intend to recruit people here and elsewhere to
> test it (in a scientific study setting), so I need people not to play with
> it beforehand.
>
> Now there are a couple of reasons why this code is very unlikely to ever
> be released as an official Xfce product:
>
>
> 1. it requires changes to about 20 different Xfce / GNOME apps (and in
> particular complexifies xfwm4 code a lot which is a big no-no)
> 2. it requires in-depth changes to Firejail, making my Firejail and
> the official one relatively different products, meaning I'd have to
> maintain a fork
> 3. it requires GLib API changes (oops! yes this is more or less
> mandatory)
> 4. it only works for Linux! There is no way on earth me or other devs
> here or in the Linux sandboxing community bring sandboxing to the BSDs.
> 5. the code, ugh, it's so ugly. When you write for academia you're
> concerned about speed, and there are some bits that I just don't want
> people to run without me on their back watching out for crashes.
> 6. I'm late on my PhD. I provide the code to my participants for
> research, primarily. I don't have time to release and maintain stuff (but
> it'll be fully available once the research is published at least :-) )
>
> Best,
>
>
>
> On 15 April 2016 at 22:11, <webman at manfbraun.de> wrote:
>
>> Hi !
>>
>> I'll just repeat my forum entry here - just do not know, if some DEVs read
>> them ;-)
>>
>>
>> I just try to find a way, where I can run a webbrowser in a more isolated
>> environment.
>> This ends most of the time in running it inside a LXC container or such.
>>
>> Also this is really a bit complex, there is probably a easier way using
>> 'cgroups'
>> which is about limiting resources, like networks/filesystems etc. pp.
>> Example:
>>
>> Per process routing2:
>> http://www.evolware.org/?p=369
>>
>> Using linux namespaces for processes and networking:
>> http://www.evolware.org/?p=369
>>
>> If one can put processes into a cgroup, one can give them a custom routing
>> oder even
>> ip-address, which is much easier to filter, ether locally (with iptables)
>> or
>> at the firewall.
>>
>> So a very wonderful hit could be, to start all processes inside a given
>> XFCE
>> workspace
>> inside a separate cgroup. For this case, a colored border of such a
>> workspace could give
>> a good extra hint to remember. But this could make the network manager
>> complex.
>>
>> I am, sorry, not that type of linux insider, that I [currently ;-) ] could
>> do this by
>> myself. Just a thinking about the future of XFCE ... ;-)
>>
>> Comments are welcome too!
>>
>> Best regards,
>> Manfred
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Xfce4-dev mailing list
>> Xfce4-dev at xfce.org
>> https://mail.xfce.org/mailman/listinfo/xfce4-dev
>
>
>
>
> --
> Steve Dodier-Lazaro
> PhD Student
> University College London
> Free Software Developer
>
> _______________________________________________
> Xfce4-dev mailing list
> Xfce4-dev at xfce.org
> https://mail.xfce.org/mailman/listinfo/xfce4-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.xfce.org/pipermail/xfce4-dev/attachments/20160416/cbfd8385/attachment.html>
More information about the Xfce4-dev
mailing list