Just a thought: Security, workspaces and isolated/restricted processes

webman at manfbraun.de
Thu Apr 21 14:40:38 CEST 2016

Hi Pjotr!

Thank you for the pointer.
This is something I have seen some time ago - it was one of the
sources which drove me to think about having something like
this in a workspace.

Though cgroups will offer more features like priority or an
otherwise isolated network, for a full VM, for example.

I'll probably take your route on my next workstation ante
portas - which is to remove Windows and it is nearly here ;-)

Best regards,

From: Xfce4-dev On Behalf Of PK
Sent: Saturday, April 16, 2016 6:17 PM
To: Xfce development list
Subject: Re: Just a thought: Security, workspaces and isolated/restricted processes

This is a how-to that I've written for running Firefox (or any other web browser) in a sandbox with Firejail:
It's very easy to do, and a valuable increase in security.  :-)
Regards, Pjotr.

2016-04-16 9:25 GMT+02:00 Steve Dodier-Lazaro <sidnioulz at gmail.com>:
Hi Manfred,
I am working on an implementation of sandboxed workspaces for Xfce, based on Firejail, for a study I'm running, and it's somewhat functional. I am not sharing it yet because I intend to recruit people here and elsewhere to test it (in a scientific study setting), so I need people not to play with it beforehand.
Now there are a couple of reasons why this code is very unlikely to ever be released as an official Xfce product:

1. it requires changes to about 20 different Xfce / GNOME apps (and in particular complexifies xfwm4 code a lot, which is a big no-no)
2. it requires in-depth changes to Firejail, making my Firejail and the official one relatively different products, meaning I'd have to maintain a fork
3. it requires GLib API changes (oops! yes this is more or less mandatory)
4. it only works for Linux! There is no way on earth that I or other devs here or in the Linux sandboxing community will bring sandboxing to the BSDs.
5. the code, ugh, it's so ugly. When you write for academia you're concerned about speed, and there are some bits that I just don't want people to run without me on their back watching out for crashes.
6. I'm late on my PhD. I provide the code to my participants for research, primarily. I don't have time to release and maintain stuff (but it'll be fully available once the research is published at least :-) )

On 15 April 2016 at 22:11, <webman at manfbraun.de> wrote:
Hi!

I'll just repeat my forum entry here - I just do not know whether some devs read
them ;-)

I am just trying to find a way where I can run a web browser in a more isolated
This ends most of the time in running it inside an LXC container or such.

Also this is really a bit complex; there is probably an easier way using
which is about limiting resources, like networks/filesystems etc.

Per-process routing:

Using linux namespaces for processes and networking:

If one can put processes into a cgroup, one can give them a custom routing or even
an IP address, which is much easier to filter, either locally (with iptables) or
at the firewall.

So a very wonderful hit could be to start all processes inside a given XFCE workspace
inside a separate cgroup. For this case, a colored border of such a workspace could give
a good extra hint to remember. But this could make the network manager

I am, sorry, not that type of Linux insider that I [currently ;-) ] could
do this by myself. Just thinking about the future of XFCE ... ;-)

Comments are welcome too!

Best regards,

Steve Dodier-Lazaro
PhD Student
University College London
Free Software Developer
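The per-process routing idea from Manfred's first message (a workspace's processes on their own IP address, filtered with iptables), as an added example that is not code from the thread, from Xfce or from Firejail. It uses a network namespace, which is the Linux mechanism that actually gives a process group its own interfaces, address and routing table (cgroups only account and limit resources); the namespace name, veth names and the 10.200.1.0/24 addresses are constructed, and iproute2, iptables and sudo are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread: run one program (e.g. a browser) in
# its own network namespace with its own IP address, so the host firewall can
# filter that workspace's traffic by source address. Namespace name, veth names
# and 10.200.1.0/24 are constructed. Needs root to apply; DRY_RUN=1 only prints.
set -eu
WS="${WS:-xfce-ws1}"          # one namespace per sandboxed workspace
HOST_IF="${HOST_IF:-eth0}"    # host uplink that forwards the namespace's traffic
NS_IP="10.200.1.2"            # the address the firewall sees for this workspace
GW_IP="10.200.1.1"            # host end of the veth pair, default gateway inside
run() {                       # execute, or just print the command under DRY_RUN=1
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Namespace plus a veth pair: one end stays on the host, the other moves inside.
netns_create() {
    run ip netns add "$WS"
    run ip link add "veth-$WS" type veth peer name "peer-$WS"
    run ip link set "peer-$WS" netns "$WS"
    run ip addr add "$GW_IP/24" dev "veth-$WS"
    run ip link set "veth-$WS" up
    run ip -n "$WS" addr add "$NS_IP/24" dev "peer-$WS"
    run ip -n "$WS" link set "peer-$WS" up
    run ip -n "$WS" link set lo up
    run ip -n "$WS" route add default via "$GW_IP"
    # DNS inside the namespace comes from /etc/netns/$WS/resolv.conf (create it once).
}

# Host-side filtering keyed on the namespace's source IP: web and DNS only.
firewall_rules() {
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$NS_IP" -o "$HOST_IF" -j MASQUERADE
    run iptables -A FORWARD -s "$NS_IP" -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -A FORWARD -s "$NS_IP" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -d "$NS_IP" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$NS_IP" -j REJECT
    run iptables -A FORWARD -d "$NS_IP" -j REJECT
}

# Start the program inside the namespace, dropping back to the invoking user.
netns_exec() {
    run ip netns exec "$WS" sudo -u "${SUDO_USER:-$(id -un)}" "$@"
}

case "${1:-}" in
    up)   netns_create; firewall_rules ;;
    run)  shift; netns_exec "$@" ;;
    down) run ip netns delete "$WS" ;;   # iptables rules are left for the admin to remove
esac
```

Run `sudo ./ws-net.sh up` once, then `sudo ./ws-net.sh run firefox`; Firejail's --net option sets up a per-program network namespace in a similar way.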

