Just a thought: Security, workspaces and isolated/restricted processes

webman at manfbraun.de webman at manfbraun.de
Thu Apr 21 14:36:36 CEST 2016


Hi Steve !
 
Thank you very much for your explanation!
I have no insight into XFCE itself, but haven't expected that it is that complicated.
Ok, it was just to hear what others think - something for the (hopefully near) future ;-)
Good luck and success for your study !
 
Best,
Manfred
 
From: Xfce4-dev [mailto:xfce4-dev-bounces at xfce.org] On Behalf Of Steve Dodier-Lazaro
Sent: Saturday, April 16, 2016 9:26 AM
To: Xfce development list
Subject: Re: Just a thought: Security, workspaces and isolated/restricted processes
 
Hi Manfred,
I am working on an implementation of sandboxed workspaces for Xfce for a study, based on Firejail, I'm running and it's somewhat functional. I am not sharing it yet because I intend to recruit people here and elsewhere to test it (in a scientific study setting), so I need people not to play with it beforehand.
Now there are a couple of reasons why this code is very unlikely to ever be released as an official Xfce product:
 
1.	it requires changes to about 20 different Xfce / GNOME apps (and in particular complexifies xfwm4 code a lot which is a big no-no)
2.	it requires in-depth changes to Firejail, making my Firejail and the official one relatively different products, meaning I'd have to maintain a fork
3.	it requires GLib API changes (oops! yes this is more or less mandatory)
4.	it only works for Linux! There is no way on earth me or other devs here or in the Linux sandboxing community bring sandboxing to the BSDs.
5.	the code, ugh, it's so ugly. When you write for academia you're concerned about speed, and there are some bits that I just don't want people to run without me on their back watching out for crashes.
6.	I'm late on my PhD. I provide the code to my participants for research, primarily. I don't have time to release and maintain stuff (but it'll be fully available once the research is published at least :-) )
Best,
 
 
On 15 April 2016 at 22:11, <webman at manfbraun.de> wrote:
Hi !

I'll just repeat my forum entry here - just do not know, if some DEVs read
them ;-)


I just try to find a way, where I can run a webbrowser in a more isolated
environment.
This ends most of the time in running it inside a LXC container or such.

Also this is really a bit complex, there is probably an easier way using
'cgroups',
which is about limiting resources, like networks/filesystems etc. pp.
Example:

Per process routing2:
http://www.evolware.org/?p=369

Using linux namespaces for processes and networking:
http://www.evolware.org/?p=369

If one can put processes into a cgroup, one can give them a custom routing
or even
ip-address, which is much easier to filter, either locally (with iptables) or
at the firewall.

So a very wonderful hit could be, to start all processes inside a given XFCE
workspace
inside a separate cgroup. For this case, a colored border of such a
workspace could give
a good extra hint to remember. But this could make the network manager
complex.

I am, sorry, not that type of linux insider, that I [currently ;-) ] could
do this by
myself. Just a thinking about the future of XFCE ... ;-)

Comments are welcome too!

Best regards,
Manfred






_______________________________________________
Xfce4-dev mailing list
Xfce4-dev at xfce.org
https://mail.xfce.org/mailman/listinfo/xfce4-dev



-- 
Steve Dodier-Lazaro
PhD Student
University College London
Free Software Developer
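The idea Manfred sketches above (one workspace's programs get their own IP address so the host firewall can filter them by address) is, on Linux, what a network namespace gives you; cgroups limit resources but do not provide a separate network stack. The script below is an added example written for this page, not code from the thread or from Xfce or Firejail. It creates a namespace with a veth pair, assigns it a constructed 10.200.0.0/24 address, lets only outbound HTTPS through with iptables, and runs a program inside it as an unprivileged user. It assumes Linux with iproute2, iptables and util-linux, and must run as root; the namespace name, subnet and interface-name prefixes are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): run one program in its own Linux
# network namespace with its own IP address so the host can filter its
# traffic by source address. Requires Linux, iproute2, iptables, root.
# The subnet, interface prefixes and namespace names are constructed.
set -eu

NS_SUBNET="10.200.0"     # /24 reserved for the namespace (constructed)

# Accept only a conservative namespace name: it is spliced into ip(8)
# commands and into interface names, which are limited to 15 characters.
valid_ns_name() {
    case "$1" in
        ''|*[!a-zA-Z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 10 ]
}

# veth pair names derived from the namespace name (host side / ns side).
veth_host() { printf 'vh-%s' "$1"; }
veth_ns()   { printf 'vn-%s' "$1"; }

# Host-side and namespace-side addresses within NS_SUBNET.
host_addr() { printf '%s.1' "$NS_SUBNET"; }
ns_addr()   { printf '%s.2' "$NS_SUBNET"; }

# Create the namespace, wire it to the host and install the filter rules.
netns_up() {
    ns="$1"
    valid_ns_name "$ns" || { echo "bad namespace name: $ns" >&2; return 1; }
    ip netns add "$ns"
    ip link add "$(veth_host "$ns")" type veth peer name "$(veth_ns "$ns")"
    ip link set "$(veth_ns "$ns")" netns "$ns"
    ip addr add "$(host_addr)/24" dev "$(veth_host "$ns")"
    ip link set "$(veth_host "$ns")" up
    ip netns exec "$ns" ip addr add "$(ns_addr)/24" dev "$(veth_ns "$ns")"
    ip netns exec "$ns" ip link set "$(veth_ns "$ns")" up
    ip netns exec "$ns" ip link set lo up
    ip netns exec "$ns" ip route add default via "$(host_addr)"
    # The host routes and NATs for the namespace; every packet it sends
    # carries the distinct source address, so filtering is per address.
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    iptables -t nat -A POSTROUTING -s "$(ns_addr)" -j MASQUERADE
    iptables -A FORWARD -s "$(ns_addr)" -p tcp --dport 443 -j ACCEPT
    iptables -A FORWARD -s "$(ns_addr)" -j DROP
}

# Run a command inside the namespace, dropping to an unprivileged user.
netns_run() {
    ns="$1"; user="$2"; shift 2
    valid_ns_name "$ns" || return 1
    ip netns exec "$ns" runuser -u "$user" -- "$@"
}

# Remove the filter rules and the namespace (its veth peer goes with it).
netns_down() {
    ns="$1"
    valid_ns_name "$ns" || return 1
    iptables -D FORWARD -s "$(ns_addr)" -j DROP || true
    iptables -D FORWARD -s "$(ns_addr)" -p tcp --dport 443 -j ACCEPT || true
    iptables -t nat -D POSTROUTING -s "$(ns_addr)" -j MASQUERADE || true
    ip netns del "$ns"
}

# Usage as root, e.g.:
#   netns_up browser
#   netns_run browser alice firefox
#   netns_down browser
```

The name check matters because the namespace name ends up as an argument to root-level commands; restricting it to a short alphanumeric token keeps a workspace label from turning into anything ip(8) or iptables would misread. Programs inside the namespace resolve DNS through /etc/netns/NAME/resolv.conf when that file exists, which is the usual way to point them at a resolver reachable through the filtered route.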