Just a thought: Security, workspaces and isolated/restricted processes

Steve Dodier-Lazaro sidnioulz at gmail.com
Thu Apr 21 15:34:44 CEST 2016


Webman,

I'm a bit confused as to how cgroups can be used to achieve network QoS or
isolation? As far as I remember it is network namespaces which provide that
(and I use those to limit bandwidth for sandboxed workspaces and sandboxed
apps in my code). I know cgroups have a nice interface for limiting CPU
usage, do they also have one for filesystem throughput and network
interface bandwidth?

Best,

On 21 April 2016 at 13:40, <webman at manfbraun.de> wrote:

> Hi Pjotr!
>
> Thank you for the pointer.
> This is something I saw some time ago - it was one of the
> sources which drove me to think about having something like
> this in a workspace.
>
> Though 'cgroups' will offer more features like priority or an
> otherwise isolated network, for a full VM, for example.
>
> I'll probably take your route on my next workstation ante
> portas - which is to remove Windows and it is nearly here ;-)
>
> Best regards,
> Manfred
>
>
> From: Xfce4-dev [mailto:xfce4-dev-bounces at xfce.org] On Behalf Of PK
> Sent: Saturday, April 16, 2016 6:17 PM
> To: Xfce development list
> Subject: Re: Just a thought: Security, workspaces and isolated/restricted
> processes
>
> This is a how-to that I've written for running Firefox (or any other web
> browser) in a sandbox with Firejail:
> https://sites.google.com/site/easylinuxtipsproject/sandbox
> It's very easy to do, and a valuable increase of security.  :-)
> Regards, Pjotr.
>
> 2016-04-16 9:25 GMT+02:00 Steve Dodier-Lazaro <sidnioulz at gmail.com>:
> Hi Manfred,
> I am working on an implementation of sandboxed workspaces for Xfce for a
> study I'm running, based on Firejail, and it's somewhat functional. I am
> not sharing it yet because I intend to recruit people here and elsewhere to
> test it (in a scientific study setting), so I need people not to play with
> it beforehand.
> Now there are a couple of reasons why this code is very unlikely to ever
> be released as an official Xfce product:
>
> 1. it requires changes to about 20 different Xfce / GNOME apps (and in
> particular complexifies xfwm4 code a lot which is a big no-no)
> 2. it requires in-depth changes to Firejail, making my Firejail and the
> official one relatively different products, meaning I'd have to maintain a
> fork
> 3. it requires GLib API changes (oops! yes this is more or less mandatory)
> 4. it only works for Linux! There is no way on earth that I or other devs
> here or in the Linux sandboxing community will bring sandboxing to the BSDs.
> 5. the code, ugh, it's so ugly. When you write for academia you're
> concerned about speed, and there are some bits that I just don't want
> people to run without me on their back watching out for crashes.
> 6. I'm late on my PhD. I provide the code to my participants for research,
> primarily. I don't have time to release and maintain stuff (but it'll be
> fully available once the research is published at least :-) )
> Best,
>
>
> On 15 April 2016 at 22:11, <webman at manfbraun.de> wrote:
> Hi !
>
> I'll just repeat my forum entry here - just do not know, if some DEVs read
> them ;-)
>
>
> I just try to find a way, where I can run a webbrowser in a more isolated
> environment.
> This ends most of the time in running it inside a LXC container or such.
>
> Also this is really a bit complex; there is probably an easier way using
> 'cgroups', which is about limiting resources like networks/filesystems
> etc.
> Example:
>
> Per-process routing:
> http://www.evolware.org/?p=369
>
> Using linux namespaces for processes and networking:
> http://www.evolware.org/?p=369
>
> If one can put processes into a cgroup, one can give them a custom routing
> or even IP address, which is much easier to filter, either locally (with
> iptables) or at the firewall.
>
> So a very wonderful hit could be to start all processes inside a given
> XFCE workspace inside a separate cgroup. For this case, a colored border
> of such a workspace could give a good extra hint to remember. But this
> could make the network manager complex.
>
> I am, sorry, not that type of linux insider that I [currently ;-) ] could
> do this by myself. Just thinking about the future of XFCE ... ;-)
>
> Comments are welcome too!
>
> Best regards,
> Manfred
>
> _______________________________________________
> Xfce4-dev mailing list
> Xfce4-dev at xfce.org
> https://mail.xfce.org/mailman/listinfo/xfce4-dev
>
>
>
> --
> Steve Dodier-Lazaro
> PhD Student
> University College London
> Free Software Developer
>



-- 
Steve Dodier-Lazaro
PhD Student
University College London
Free Software Developer
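Editor's note: the script below is an added example, not code from this thread, from Steve's sandboxed-workspace prototype, or from Firejail. It implements the idea Manfred describes (give a workspace's programs their own IP address so they are easy to filter with iptables) using network namespaces, the mechanism Steve points to: a veth pair links the namespace to the host, the host masquerades it, and the namespace's address is then the key for both the iptables policy and the tc rate limit. The namespace name ws1, the interface names veth-<ns> on the host and eth0 inside, the 10.200.0.0/30 link, the "only tcp/443 plus DNS" policy and the use of runuser(1) to drop back to the desktop user are all illustrative assumptions. Applying it needs root plus iproute2, iptables and tc; with DRY_RUN=1 the functions only print the commands they would run.

```shell
#!/bin/sh
# Added example by the editor, not code from this thread, from Steve's
# sandboxed-workspace prototype, or from Firejail. It gives one workspace's
# programs their own network namespace with its own IP address, so the host
# can filter (iptables) and rate-limit (tc) that workspace by address.
# Applying it needs root plus iproute2, iptables and tc; with DRY_RUN=1 the
# functions only print the commands they would run.
# Illustrative assumptions: namespace name "ws1", interface names veth-<ns>
# on the host and eth0 inside, the 10.200.0.0/30 link, and runuser(1) from
# util-linux to drop from root back to the desktop user.

run() {
    # Execute a command, or print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ns_create NAME HOST_IP NS_IP
# Namespace plus a veth pair: veth-NAME stays on the host, the peer moves
# into the namespace and becomes eth0 there. A /30 covers exactly both ends.
ns_create() {
    ns=$1; host_ip=$2; ns_ip=$3
    run ip netns add "$ns"
    run ip link add "veth-$ns" type veth peer name "veth-$ns-in"
    run ip link set "veth-$ns-in" netns "$ns"
    run ip -n "$ns" link set "veth-$ns-in" name eth0
    run ip addr add "$host_ip/30" dev "veth-$ns"
    run ip link set "veth-$ns" up
    run ip -n "$ns" addr add "$ns_ip/30" dev eth0
    run ip -n "$ns" link set lo up
    run ip -n "$ns" link set eth0 up
    run ip -n "$ns" route add default via "$host_ip"
}

# ns_forward NAME NS_IP PORT
# Host-side policy for the namespace's address: NAT it out, let replies back
# in, allow only DNS and tcp/PORT (443 for a browser), drop everything else.
ns_forward() {
    ns=$1; ns_ip=$2; port=$3
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$ns_ip" -j MASQUERADE
    run iptables -A FORWARD -d "$ns_ip" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$ns_ip" -p udp --dport 53 -j ACCEPT
    run iptables -A FORWARD -s "$ns_ip" -p tcp --dport "$port" -j ACCEPT
    run iptables -A FORWARD -s "$ns_ip" -j DROP
}

# ns_limit NAME RATE
# Token-bucket shaping on the host end of the veth: caps what the host sends
# into the namespace, i.e. the workspace's download bandwidth.
ns_limit() {
    ns=$1; rate=$2
    run tc qdisc add dev "veth-$ns" root tbf rate "$rate" burst 32kbit latency 400ms
}

# ns_run NAME USER CMD...
# Start a program inside the namespace as the desktop user, not as root.
# "ip netns exec" bind-mounts /etc/netns/NAME/resolv.conf over
# /etc/resolv.conf if it exists, so the namespace can use its own resolver.
ns_run() {
    ns=$1; user=$2; shift 2
    run ip netns exec "$ns" runuser -u "$user" -- "$@"
}

# ns_destroy NAME
# Deleting the namespace also removes the veth pair; the iptables rules
# added by ns_forward stay and must be removed with matching -D calls.
ns_destroy() {
    run ip netns delete "$1"
}

# Usage (as root): ./ws-netns.sh --demo
if [ "${1:-}" = "--demo" ]; then
    ns_create ws1 10.200.0.1 10.200.0.2
    ns_forward ws1 10.200.0.2 443
    ns_limit ws1 2mbit
    ns_run ws1 "${SUDO_USER:-$USER}" firefox
fi
```

Two practical caveats when this is used for a desktop workspace: abstract-namespace Unix sockets are scoped to the network namespace, so the X server and session bus must be reached through their filesystem sockets (under /tmp/.X11-unix and the user's runtime directory), which Xlib falls back to on its own; and the namespace only covers networking, so file access still needs a separate mechanism such as the Firejail profile Pjotr's how-to sets up.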