Version 1 (modified by schnittchen, 4 years ago) (diff)

When Unix's security model was designed, the most important concern was to separate users from each other. That made a lot of sense for the use case at the time (mainframes), but not so much for the Linux desktop. Every application I start has access to everything my Unix user has access to -- but why should my browser need access to my locally cached email? Given that the web in particular is a huge collection of technologies that can each have their own vulnerabilities, it would make sense to constrain web browsers to the resources they really need. Or think of Skype: do you trust its vendors enough to give them, technically, access to all your data?

A good solution to this would actually require fundamental changes to the way we build operating systems today (so don't expect it any time soon). Existing approaches like SELinux or AppArmor tend to focus on segregating system processes and not so much on a user's applications.

A new technology might unintentionally fill the gap: Docker (http://docker.io/) is a system for running separate virtual subsystems under the same Linux kernel, and while intended for the cloud, it runs on many modern desktop Linux distributions as well. A Docker container might run a Firefox instance, completely or partially separated from the rest of the system (from the perspective of non-root users!). Xpra can be used to make the Firefox instance's window(s) accessible to a user.

Resources

Notes

  • Be careful not to compromise your system security by enhancing an application's separation https://github.com/subuser-security/subuser/issues/131
  • Reportedly, Docker+Xpra can be made to work with local connections. By mounting a host directory as the container's ~/.xpra directory, the connection socket file is exposed to the host. Symlinking to it from the host's ~/.xpra/HostsHostname-DisplayNumber makes the client's session available transparently to the host.
  • Also, reportedly, this even works with an mmap file (dramatically improving performance). The Xpra protocol dictates that the mmap file's path is sent from the client to the server. The client creates this file in the system's tmp directory, which can be overridden with the TMPDIR environment variable. Mounting a host path at the right location in the Docker volume enables the Xpra server to find it.
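The two notes above describe one setup; the script below is an added example (not from the xpra wiki or the xpra project) that wires it together: it builds the `docker run` command that shares only the container's ~/.xpra directory and a TMPDIR directory with the host, and creates the host-side symlink so `xpra attach :100` finds the container's socket. The image name `xpra-firefox`, the container hostname `xprabox`, the container user's home `/home/xpra` and the host paths are assumptions, not xpra or Docker defaults.

```shell
#!/bin/sh
# Added example: xpra server in a Docker container, client on the host,
# connected through a shared ~/.xpra directory and a shared TMPDIR for the
# mmap file. Nothing else from the host (X11 socket, home directory) is
# shared, which keeps the container's separation meaningful.
DISPLAY_NO=100
HOST_SHARE="$HOME/xpra-docker"     # host-side base directory (chosen value)
XPRA_DIR="$HOST_SHARE/xpra"        # mounted as the container's ~/.xpra
MMAP_DIR="$HOST_SHARE/tmp"         # mounted at the same path, used as TMPDIR
CONTAINER_HOSTNAME="xprabox"       # fixed so the socket file name is predictable
IMAGE="xpra-firefox"               # hypothetical image with xpra and firefox

# Print the docker run command. The mmap directory is mounted at the same
# path on both sides because the client sends the mmap file's path verbatim.
docker_run_cmd() {
    printf '%s' "docker run -d --hostname $CONTAINER_HOSTNAME" \
        " -v $XPRA_DIR:/home/xpra/.xpra" \
        " -v $MMAP_DIR:$MMAP_DIR -e TMPDIR=$MMAP_DIR" \
        " $IMAGE xpra start :$DISPLAY_NO --start-child=firefox"
}

# xpra names its socket ~/.xpra/<hostname>-<display>. Inside the container
# that hostname is $CONTAINER_HOSTNAME; the host's client looks for the host's
# own hostname, so link one name to the other. Prints the link path.
link_socket() {
    host_sock="$HOME/.xpra/$(uname -n)-$DISPLAY_NO"
    container_sock="$XPRA_DIR/$CONTAINER_HOSTNAME-$DISPLAY_NO"
    mkdir -p "$HOME/.xpra"
    ln -sfn "$container_sock" "$host_sock"
    printf '%s\n' "$host_sock"
}

# Usage (run by hand, not executed here):
#   mkdir -p "$XPRA_DIR" "$MMAP_DIR"
#   sh -c "$(docker_run_cmd)"          # start the container and the xpra server
#   link_socket                        # expose the socket under the host's name
#   TMPDIR="$MMAP_DIR" xpra attach :$DISPLAY_NO   # client creates mmap file in shared dir
```

Whoever can write to `$XPRA_DIR` or `$MMAP_DIR` on the host can drive the container's display, so keep both directories owned by the user alone.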