Date: Sat, 06 Jun 2020 19:22:22 +0200
From: Alexander Leidinger <Alexander@leidinger.net>
To: freebsd-jail@freebsd.org, foo.squiggly@yandex.com
Subject: Re: Running GUI applications in jails
Message-ID: <20200606192222.Horde.68H7pQpeZSUfwBodPHen_Lh@webmail.leidinger.net>
In-Reply-To: <18251591386410@mail.yandex.com>

Quoting squiggly foo <foo.squiggly@yandex.com> (from Fri, 05 Jun 2020 15:10:05 -0500):

> Thanks to Dave for pointing out that my HTML message was stripped. I am trying this again.
>
> Hi All,
>
> I'm using FreeBSD as a workstation trying to keep everything as lightweight and
> segregated as possible. So I am running GUI applications inside a jail. My current
> solution to this is null mounting the Xorg socket inside the jail which allows the
> GUI applications to run on the host Xorg without issue. Unfortunately this is also
> probably the least secure solution as one jail could access the key strokes of
> another jail through the Xorg on the host.
>
> I researched other solutions to this issue and listed them out below with the advantages
> and disadvantages. I would like to hear everyone's comments/ideas because maybe
> there are better ways.

You haven't told where the graphical output needs to happen. The X11 protocol is distinguishing between the X server (e.g. the component which does the output to a graphics card) and the X client (the component which wants to display something e.g. a movie player or whatever program you use to produce the output for display). So the question here is if you just need to have a X client running there, or the X server. You didn't describe the problem you have (I try to find out how the problem looks like outside the box), but you describe already alternatives in a limited solution sphere (you are inside the box and try to find a solution).

[...]

> 5) Using multiple X servers on different ttys
> Using this solution I could group jails according to the level of security that they need.
> On one Xorg instance say on tty3 I could have my most secure/trusted GUI jails and on tty4
> I could have less secure less trusted GUI jails. Yes the jails inside of the same Xorg instance can
> potentially see each other's keystrokes but at least I have the least trusted jails in another Xorg
> instance.
>
> +Not really that heavy of a solution dependency wise because I already have Xorg installed on
> the host anyways and just running it multiple times
> +I'm assuming the separate Xorg instances don't see each other's keystrokes...?
> +/- I assume it's clipboard safe between the separate Xorg instances but not
> in the same Xorg instance.
> -Less flexible of a solution which can affect my workflow, but maybe not so bad.

You need to have a graphics card for each instance (I'm not aware that two Xorg instances can share the same hardware, but I have never looked specially for something like this, so I may have overlooked that it can, or it started to be able to do that in the last 10 years).

And yes, they will not see the keystrokes of the other instance.

> 6) Use Null mounts for the Xorg socket but use a script to 'KILL -17' (suspend) all jails and their
> processes except for the one jail that I wish to work with at a time. Then resume them
> afterwards.
>
> +This is a pretty lightweight solution if slightly complex
>
> -A suspended app can still receive keystrokes but will not register them until unpaused.
> The only assurance I have is that the suspended jailed GUI app cannot request to
> become the active window (I Think..?) and so as long as I type into the correct
> non-suspended jail, the other suspended jails cannot see keystrokes.

I wouldn't go that way.
Too complicated.

I have patches for FreeBSD which allow to run Xorg in a jail. This would be another option as such, but not one which provides more security (it's even less, as it opens up the memory of the entire machine to this jail, so this jail can see all other jails if you write a clever program, I use that in the sense of containerization of Xorg and a desktop environment, not for security).

There is also the possibility to run Xvnc in each jail. Each GUI program would then connect to the local vnc server instance (or better: is started inside the local vnc server instance), and then from the system you want to see the output (which can be a local Xorg server, or a Windows laptop or an ipad or whatever is able to run a vncviewer program) you connect with a vnc viewer to the vnc instance of the jail. The applications inside each vnc instance will only see keystrokes when the vnc viewer window for this particular instance is active. So if you are in the window of vnc viewer instance A the instance B will not see keystrokes.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20200606192222.Horde.68H7pQpeZSUfwBodPHen_Lh>
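
The exposure discussed in this thread (jails that null-mount the host Xorg socket all talk to one X server) can be audited from the jails' fstab files. The script below is an added example, not part of the original e-mail; the "<jail> <fstab line>" input format, the jail names and the /jails paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original e-mail): find jails that null-mount
# the host X11 socket directory and therefore share one X server.
# Input on stdin: "<jail> <fstab line>" records (a constructed format, made by
# prefixing each line of a jail's fstab file with the jail name).

# Print "<jail> <source>" for every nullfs mount of an .X11-unix directory.
x11_nullfs_mounts() {
    awk '
        NF < 4 || $2 ~ /^#/ { next }      # skip short and commented-out lines
        $4 == "nullfs" && $2 ~ /\.X11-unix\/?$/ {
            src = $2
            sub(/\/$/, "", src)           # normalise a trailing slash
            print $1, src
        }'
}

# Print "<source> <count> <jail,jail,...>" for each socket directory that is
# mounted into more than one jail: those jails can observe each other's input.
x11_shared_sockets() {
    x11_nullfs_mounts | sort -u | awk '
        { jails[$2] = (n[$2]++ ? jails[$2] "," : "") $1 }
        END { for (s in n) if (n[s] > 1) print s, n[s], jails[s] }' | sort
}

# Constructed sample: two jails share the host socket, one has no X mount,
# and one has the mount commented out.
sample_fstabs() {
    cat <<'EOF'
browser /tmp/.X11-unix /jails/browser/tmp/.X11-unix nullfs rw 0 0
mail /tmp/.X11-unix/ /jails/mail/tmp/.X11-unix nullfs rw 0 0
mail /usr/ports /jails/mail/usr/ports nullfs ro 0 0
bank /usr/local/share/fonts /jails/bank/usr/local/share/fonts nullfs ro 0 0
build # /tmp/.X11-unix /jails/build/tmp/.X11-unix nullfs rw 0 0
EOF
}

sample_fstabs | x11_shared_sockets
```

A jail that runs its own Xvnc, as suggested in the reply, needs no such mount and does not appear in the report.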