<div dir="ltr"><div><div><div>Hi Manfred,<br><br></div>I am working on an implementation of sandboxed workspaces for Xfce for a study, based on Firejail, I'm running and it's somewhat functional. I am not sharing it yet because I intend to recruit people here and elsewhere to test it (in a scientific study setting), so I need people not to play with it beforehand.<br><br></div>Now there are a couple of reasons why this code is very unlikely to ever be released as an official Xfce product:<br></div><br><ol><li>it requires changes to about 20 different Xfce / GNOME apps (and in particular complexifies xfwm4 code a lot which is a big no-no)<br></li><li>it requires in-depth changes to Firejail, making my Firejail and the official one relatively different products, meaning I'd have to maintain a fork</li><li>it requires GLib API changes (oops! yes this is more or less mandatory)</li><li>it only works for Linux! There is no way on earth me or other devs here or in the Linux sandboxing community bring sandboxing to the BSDs.</li><li>the code, ugh, it's so ugly. When you write for academia you're concerned about speed, and there are some bits that I just don't want people to run without me on their back watching out for crashes.</li><li>I'm late on my PhD. I provide the code to my participants for research, primarily. I don't have time to release and maintain stuff (but it'll be fully available once the research is published at least :-) )</li></ol><p>Best,<br></p><p><br></p></div><div class="gmail_extra"><br><div class="gmail_quote">On 15 April 2016 at 22:11, <span dir="ltr"><<a href="mailto:webman@manfbraun.de" target="_blank">webman@manfbraun.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi !<br>
<br>
I'll just repeat my forum entry here - just do not know, if some DEVs read<br>
them ;-)<br>
<br>
<br>
I just try to find a way, where I can run a webbrowser in a more isolated<br>
environment.<br>
This ends most of the time in running it inside a LXC container or such.<br>
<br>
Also this is really a bit complex, there is probably a easier way using<br>
'cgroups'<br>
which is about limiting resources, like networks/filesystems etc. pp.<br>
Example:<br>
<br>
Per process routing2:<br>
<a href="http://www.evolware.org/?p=369" rel="noreferrer" target="_blank">http://www.evolware.org/?p=369</a><br>
<br>
Using linux namespaces for processes and networking:<br>
<a href="http://www.evolware.org/?p=369" rel="noreferrer" target="_blank">http://www.evolware.org/?p=369</a><br>
<br>
If one can put processes into a cgroup, one can give them a custom routing<br>
oder even<br>
ip-address, which is much easier to filter, ether locally (with iptables) or<br>
at the firewall.<br>
<br>
So a very wonderful hit could be, to start all processes inside a given XFCE<br>
workspace<br>
inside a separate cgroup. For this case, a colored border of such a<br>
workspace could give<br>
a good extra hint to remember. But this could make the network manager<br>
complex.<br>
<br>
I am, sorry, not that type of linux insider, that I [currently ;-) ] could<br>
do this by<br>
myself. Just a thinking about the future of XFCE ... ;-)<br>
<br>
Comments are welcome too!<br>
<br>
Best regards,<br>
Manfred<br>
<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
Xfce4-dev mailing list<br>
<a href="mailto:Xfce4-dev@xfce.org">Xfce4-dev@xfce.org</a><br>
<a href="https://mail.xfce.org/mailman/listinfo/xfce4-dev" rel="noreferrer" target="_blank">https://mail.xfce.org/mailman/listinfo/xfce4-dev</a></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div>Steve Dodier-Lazaro<br>PhD Student<br>University College London<br>Free Software Developer<br></div></div></div>
</div>