Date: Fri, 05 Jun 2020 15:10:05 -0500 From: squiggly foo <foo.squiggly@yandex.com> To: freebsd-jail <freebsd-jail@freebsd.org> Subject: Running GUI applications in jails Message-ID: <18251591386410@mail.yandex.com>
next in thread | raw e-mail | index | archive | help
Thanks to Dave for pointing out that my HTML message was stripped. I am trying this again. Hi All, I'm using FreeBSD as a workstation trying to keep everything as lightweight and segregated as possible. So I am running GUI applications inside a jail. My current solution to this is null mounting the Xorg socket inside the jail which allows the GUI applications to run on the host Xorg without issue. Unfortunately this is also probably the least secure solution as one jail could access the key strokes of another jail through the Xorg on the host. I researched other solutions to this issue and listed them out below with the advantages and disadvantages. I would like to hear everyones comments/ideas because maybe there are betters ways. 1) Using Xpra + So far this seems like the most secure solution as every GUI application would have its own xorg instance and cannot see each others key strokes. + I assume it's clipboard safe...? - Good lord the dependencies! This is probably by far the most heavy weight solution. 2) Using Xephyr (Xnest) +This solution is also just as secure as Xpra as every GUI jailed app will have its own xorg instance. + Much less dependencies than Xpra and therefore more light weight + I assume it's clipboard safe...? - It will produce a whole X window with windows manager in addition to just the app that I want to run which is space inefficient for monitor real estate. 3) Null Mounting the Xorg socket in the jail + The easiest and the most lightweight solution - The least secure so far according to my research - Not clipboard safe 4) SSH -X Forwarding + Just slightly more weighty than null mounting a socket inside the jail - It uses X11 security which makes it slightly more secure than a null mount but it could still see the keystrokes I'm typing into another jail or host. - Slower X performance..? - Not clipboard safe 5) Using multiple X servers on different ttys Using this solution I could group jails according to the level of security that they need. On one Xorg instance say on tty3 I could have my most secure/trusted GUI jails and on tty4 I could have less secure less trusted GUI jails. Yes the jails inside of the same Xorg instance can potentially see each others keystrokes but at least I have the lest trusted jails in another Xorg instance. +Not really that heavy of a solution dependency wise because I already have Xorg installed on the host anyways and just running it multiple times +I'm assuming the separate Xorg instances don't see each other's keystrokes...? +/- I assume it's clipboard safe between the separate Xorg instances but not in the same Xorg instance. -Less flexible of a solution which can affect my workflow, but maybe not so bad. 6) Use Null mounts for the Xorg socket but use a script to 'KILL -17' (suspend) all jails and their processes except for the one jail that I wish to work with at a time. Then resume them afterwards. +This is a pretty lightweight solution if slightly complex -A suspended app can still receive keystrokes but will not register them until unpaused. The only assurance I have is that the suspended jailed GUI app cannot request to become the active window (I Think..?) and so as long as I type into the correct non-suspended jail, the other suspended jails cannot see keystrokes. Comments? Questions? How does everyone else do it?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?18251591386410>