Just a thought: Security, workspaces and isolated/restricted processes

webman at manfbraun.de webman at manfbraun.de
Thu Apr 21 16:06:04 CEST 2016


Hi !

I've not dived that deep into this theme yet - just reading.
And it does not look too easy to find examples ...
But a quick cross-look into the wikipedia gives this:

> cgroups (abbreviated from control groups) is a Linux kernel feature
> that limits, accounts for, and isolates the resource usage (CPU, memory,
> disk I/O, network, etc.) of a collection of processes.

See here: https://en.wikipedia.org/wiki/Cgroups 

This tells similar things to the references I gave in my
initial post.

Best regards,
Manfred


From: Xfce4-dev [mailto:xfce4-dev-bounces at xfce.org] On Behalf Of Steve Dodier-Lazaro
Sent: Thursday, April 21, 2016 3:35 PM
To: Xfce development list
Subject: Re: Just a thought: Security, workspaces and isolated/restricted processes

Webman,
I'm a bit confused as to how cgroups can be used to achieve network QoS or isolation? As far as I remember it is network namespaces which provide that (and I use those to limit bandwidth for sandboxed workspaces and sandboxed apps in my code). I know cgroups have a nice interface for limiting CPU usage, do they also have one for filesystem throughput and network interface bandwidth?
Best,
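What the cgroup v1 controllers of that era actually expose for the two limits Steve asks about, as an added example that is not code from this thread, from Steve's study or from Firejail: net_cls shapes nothing by itself, it only stamps a class id onto the packets of the group's tasks, and the tc cgroup classifier (cls_cgroup) and the iptables cgroup match (xt_cgroup) act on that id; block-device throughput comes from the blkio controller's throttle files. The group name "browser", the interface eth0, the device 8:0 and the /sys/fs/cgroup mount point are assumptions. It needs root to apply anything; otherwise (or with DRY_RUN=1) the functions print the commands they would run.

```shell
#!/bin/sh
# Added example (not from the thread): cgroup v1 net_cls + tc/iptables for
# network bandwidth and blkio for block I/O. Group name, interface, device
# and hierarchy root are assumptions; needs root to apply, prints otherwise.
set -eu

CG_ROOT="${CG_ROOT:-/sys/fs/cgroup}"   # cgroup v1 hierarchy root (assumed)
IFACE="${IFACE:-eth0}"                 # interface whose egress is shaped (assumed)

[ "$(id -u)" -eq 0 ] || DRY_RUN=1
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute, or print the command line when dry-running.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
# write VALUE FILE: sysfs writes go through sh -c so a dry run shows them too.
write() { run sh -c "printf '%s\n' '$1' > '$2'"; }

# classid MAJOR MINOR: net_cls.classid is 0xMMMMmmmm and maps onto the tc
# handle MAJOR:MINOR (tc minors are hex, so class 1:10 is classid 1 16).
classid() { printf '0x%04x%04x' "$1" "$2"; }

# cg_net_limit GROUP RATE: tag GROUP's packets with class 1:10, let an HTB
# class on IFACE cap that class at RATE, and use the same class id in
# iptables to drop anything from the group that is not HTTP(S).
cg_net_limit() {
    group=$1; rate=$2; cid=$(classid 1 16)
    run mkdir -p "$CG_ROOT/net_cls/$group"
    write "$cid" "$CG_ROOT/net_cls/$group/net_cls.classid"
    run tc qdisc add dev "$IFACE" root handle 1: htb default 1
    run tc class add dev "$IFACE" parent 1: classid 1:1 htb rate 1000mbit
    run tc class add dev "$IFACE" parent 1: classid 1:10 htb rate "$rate" ceil "$rate"
    run tc filter add dev "$IFACE" parent 1: protocol ip prio 10 handle 1: cgroup
    run iptables -A OUTPUT -m cgroup --cgroup "$cid" -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -A OUTPUT -m cgroup --cgroup "$cid" -p udp --dport 53 -j ACCEPT
    run iptables -A OUTPUT -m cgroup --cgroup "$cid" -j DROP
}

# cg_io_limit GROUP DEV RBPS WBPS: throttle reads/writes on block device DEV
# (MAJ:MIN, e.g. 8:0 for /dev/sda) for every task in GROUP, in bytes/s.
cg_io_limit() {
    group=$1; dev=$2; rbps=$3; wbps=$4
    run mkdir -p "$CG_ROOT/blkio/$group"
    write "$dev $rbps" "$CG_ROOT/blkio/$group/blkio.throttle.read_bps_device"
    write "$dev $wbps" "$CG_ROOT/blkio/$group/blkio.throttle.write_bps_device"
}

# cg_attach GROUP PID: put PID (and every child it forks later) under both limits.
cg_attach() {
    group=$1; pid=$2
    write "$pid" "$CG_ROOT/net_cls/$group/cgroup.procs"
    write "$pid" "$CG_ROOT/blkio/$group/cgroup.procs"
}

# Usage (as root): sh this.sh up PID   -- 2 Mbit/s, 10 MB/s read, 5 MB/s write
case "${1:-}" in
    up) cg_net_limit browser 2mbit; cg_io_limit browser 8:0 10485760 5242880; cg_attach browser "$2" ;;
esac
```

Two caveats a practitioner should keep in mind: blkio throttles a block device, not a filesystem, and in the v1 hierarchy buffered writes are charged to the writeback thread rather than the writer, so only reads and direct I/O are throttled reliably. The unified (v2) hierarchy drops net_cls altogether (classification moves to BPF cgroup programs or the path-based `-m cgroup --path` match) and replaces the blkio.throttle.* files with io.max.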

On 21 April 2016 at 13:40, <webman at manfbraun.de> wrote:
Hi Pjotr!

Thank you for the pointer.
This is something I have seen some time ago - it was one of the
sources which drove me to think about having something like
this in a workspace.

Though 'cgroups' will offer more features like priority or
otherwise isolated network, for a full VM, for example.

I'll probably take your route on my next workstation ante
portas - which is to remove Windows, and it is nearly here ;-)

Best regards,
Manfred


From: Xfce4-dev [mailto:xfce4-dev-bounces at xfce.org] On Behalf Of PK
Sent: Saturday, April 16, 2016 6:17 PM
To: Xfce development list
Subject: Re: Just a thought: Security, workspaces and isolated/restricted processes

This is a how-to that I've written for running Firefox (or any other web browser) in a sandbox with Firejail:
https://sites.google.com/site/easylinuxtipsproject/sandbox
It's very easy to do, and a valuable increase of security.  :-)
Regards, Pjotr.

2016-04-16 9:25 GMT+02:00 Steve Dodier-Lazaro <sidnioulz at gmail.com>:
Hi Manfred,
I am working on an implementation of sandboxed workspaces for Xfce, based on Firejail, for a study I'm running, and it's somewhat functional. I am not sharing it yet because I intend to recruit people here and elsewhere to test it (in a scientific study setting), so I need people not to play with it beforehand.
Now there are a couple of reasons why this code is very unlikely to ever be released as an official Xfce product:

1. it requires changes to about 20 different Xfce / GNOME apps (and in particular complexifies xfwm4 code a lot which is a big no-no)
2. it requires in-depth changes to Firejail, making my Firejail and the official one relatively different products, meaning I'd have to maintain a fork
3. it requires GLib API changes (oops! yes this is more or less mandatory)
4. it only works for Linux! There is no way on earth me or other devs here or in the Linux sandboxing community bring sandboxing to the BSDs.
5. the code, ugh, it's so ugly. When you write for academia you're concerned about speed, and there are some bits that I just don't want people to run without me on their back watching out for crashes.
6. I'm late on my PhD. I provide the code to my participants for research, primarily. I don't have time to release and maintain stuff (but it'll be fully available once the research is published at least :-) )
Best,


On 15 April 2016 at 22:11, <webman at manfbraun.de> wrote:
Hi !

I'll just repeat my forum entry here - I just don't know if some devs read
them ;-)


I'm just trying to find a way to run a web browser in a more isolated
environment.
This ends most of the time in running it inside an LXC container or such.

But as this is really a bit complex, there is probably an easier way using
'cgroups', which is about limiting resources like networks/filesystems etc.
Example:

Per process routing2:
http://www.evolware.org/?p=369

Using linux namespaces for processes and networking:
http://www.evolware.org/?p=369

If one can put processes into a cgroup, one can give them a custom routing
or even an IP address, which is much easier to filter, either locally (with
iptables) or at the firewall.

So a very wonderful hit could be to start all processes inside a given XFCE
workspace in a separate cgroup. For this case, a colored border of such a
workspace could give a good extra hint to remember. But this could make the
network manager complex.

I am, sorry, not that type of Linux insider that I [currently ;-)] could
do this by myself. Just thinking about the future of XFCE ... ;-)

Comments are welcome too!

Best regards,
Manfred






_______________________________________________
Xfce4-dev mailing list
Xfce4-dev at xfce.org
https://mail.xfce.org/mailman/listinfo/xfce4-dev
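The per-process routing and "own IP address that is easy to filter" Manfred describes is what a network namespace gives, which is also the mechanism Steve names for his bandwidth limits. As an added example that is not code from this thread, from Steve's study or from Firejail, the script below builds one such namespace per sandbox: a veth pair with the sandbox end holding its own address and the host end acting as its router, a firewall chain keyed on that address, a tc token bucket on each end for the bandwidth cap, and a wrapper that starts a program inside the namespace as an unprivileged user. The 10.200.<idx>.0/24 range, the "eth0" uplink, the veth names, the sandbox name "sbx" and the 9.9.9.9 resolver are assumptions. Applying it needs root; when not root (or with DRY_RUN=1) the functions only print the commands they would run.

```shell
#!/bin/sh
# Added example (not from the thread): one network namespace per sandboxed
# workspace, filtered by its own address and rate limited with tc. Address
# range, interface names and resolver are assumptions; needs root to apply.
set -eu

UPLINK="${UPLINK:-eth0}"   # host interface that reaches the Internet (assumed)
NS_PREFIX="10.200"         # one /24 per sandbox: 10.200.<idx>.0/24 (assumed)

[ "$(id -u)" -eq 0 ] || DRY_RUN=1
DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute, or print the command line when dry-running.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# host_ip IDX / sandbox_ip IDX: the two ends of the veth pair for sandbox IDX.
host_ip()    { printf '%s.%s.1' "$NS_PREFIX" "$1"; }
sandbox_ip() { printf '%s.%s.2' "$NS_PREFIX" "$1"; }

# ns_create NAME IDX: namespace, veth pair, addresses, default route and DNS.
ns_create() {
    name=$1; idx=$2
    run ip netns add "$name"
    run ip link add "veth-$name" type veth peer name "vpeer-$name"
    run ip link set "vpeer-$name" netns "$name"
    run ip addr add "$(host_ip "$idx")/24" dev "veth-$name"
    run ip link set "veth-$name" up
    run ip netns exec "$name" ip addr add "$(sandbox_ip "$idx")/24" dev "vpeer-$name"
    run ip netns exec "$name" ip link set lo up
    run ip netns exec "$name" ip link set "vpeer-$name" up
    run ip netns exec "$name" ip route add default via "$(host_ip "$idx")"
    # ip netns exec bind-mounts /etc/netns/NAME/resolv.conf over /etc/resolv.conf
    run mkdir -p "/etc/netns/$name"
    run sh -c "printf 'nameserver 9.9.9.9\n' > /etc/netns/$name/resolv.conf"
    run sysctl -q -w net.ipv4.ip_forward=1
}

# ns_firewall NAME IDX: the sandbox address may only speak DNS and HTTP(S);
# everything else it sends is logged and dropped. The MASQUERADE rule hides the
# sandbox behind the host; leave it out (and route the /24 to this host) if the
# upstream firewall should see and filter the sandbox address itself.
ns_firewall() {
    name=$1; idx=$2; src="$(sandbox_ip "$idx")"
    run iptables -N "SBX_$name"
    run iptables -A FORWARD -i "veth-$name" -s "$src" -j "SBX_$name"
    run iptables -A FORWARD -o "veth-$name" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A "SBX_$name" -p udp --dport 53 -j ACCEPT
    run iptables -A "SBX_$name" -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -A "SBX_$name" -j LOG --log-prefix "sbx-$name: "
    run iptables -A "SBX_$name" -j DROP
    run iptables -t nat -A POSTROUTING -s "$src" -o "$UPLINK" -j MASQUERADE
}

# ns_limit NAME RATE: token bucket on each veth end; the host end shapes
# traffic into the sandbox, the namespace end shapes traffic out of it.
ns_limit() {
    name=$1; rate=$2
    run tc qdisc add dev "veth-$name" root tbf rate "$rate" burst 32kbit latency 400ms
    run ip netns exec "$name" tc qdisc add dev "vpeer-$name" root tbf rate "$rate" burst 32kbit latency 400ms
}

# ns_run NAME USER CMD...: ip netns exec needs root, so drop back to USER
# before starting the program (e.g. ns_run sbx manfred firefox).
ns_run() {
    name=$1; user=$2; shift 2
    run ip netns exec "$name" runuser -u "$user" -- "$@"
}

# ns_destroy NAME IDX: undo the rules; deleting the namespace removes the veth pair.
ns_destroy() {
    name=$1; idx=$2; src="$(sandbox_ip "$idx")"
    run iptables -D FORWARD -i "veth-$name" -s "$src" -j "SBX_$name"
    run iptables -D FORWARD -o "veth-$name" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -D POSTROUTING -s "$src" -o "$UPLINK" -j MASQUERADE
    run iptables -F "SBX_$name"
    run iptables -X "SBX_$name"
    run ip netns del "$name"
}

# Usage (as root): sh this.sh up|down   -- sandbox "sbx", 10.200.1.0/24, 2 Mbit/s
case "${1:-}" in
    up)   ns_create sbx 1; ns_firewall sbx 1; ns_limit sbx 2mbit ;;
    down) ns_destroy sbx 1 ;;
esac
```

This isolates only the network identity: a process started with ns_run still shares the mount, pid and IPC namespaces of the host, which is the part Firejail (with its own --net option for the namespace) adds on top. The LOG rule is what makes the "colored border" idea auditable, since every blocked connection attempt carries the sandbox name in the kernel log.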



--
Steve Dodier-Lazaro
PhD Student
University College London
Free Software Developer

-- 
Steve Dodier-Lazaro
PhD Student
University College London
Free Software Developer
