Things like Xpra, etc.
I’m thinking specifically about the use with Wayland compositors. Is anyone here doing this currently? How’d you set it all up, what sandboxing tool you’re using and how’d you allow the sandbox to access it, etc.
I use DWL. A more simple route would be to just use GNOME desktop environment. I don’t, because before I switched to DWL I used DWM. And before DWM I use Xfce for years and years. But if you’re just starting out, and you don’t want to be bothered with setting up a Window Manager or Wayland Compositor, GNOME would be the best option.
For applications that don’t have Wayland integration yet, GNOME used Xwayland to run the apps which is still much improved because even though they’re X11 apps the compositor (Mutter I think) prevents Xwayland apps from intercepting native Wayland apps inputs.
I don’t rely a terribly large amount on sandboxes I just use Apparmor for most things. The issue with Sandboxes and MAC protocols in Xorg sessions is that they still don’t protect from keystroke sniffing on any application granted access to your screen.
So without the implementation of Wayland (or nested Xorg), the idea of “strong sandboxing” in Linux is a bit frivolous. Now, I also think sometimes people can carry the criticisms a little too far. Sticking with the actual facts, it’s likely you’ll never run into an issue with X11 provided you are very careful to not download a malicious app. This is easier to avoid on Linux due to how Linux users obtain most of their packages in the first place.
X11 apps typically run as non-root, which is good. But the drivers themselves run as root. So it is possible that a malicious app could exploit a security vulnerability and gain privilege escalation. At this point things have gotten real bad. How likely is this to happen? Hard to say, but certainly possible when you consider how fucking bloated X11 is and there’s probably loads of bugs that are security concerns. It’s like over 6 million lines of code afterall.
What ISN’T a security liability in X11 is remote access which I’ve seen being falsely pushed around in some places (not here). Remote attackers can’t gain access to the X11 system unless you’re X11 forwarding or you’ve done something really stupid like misconfigured xhost. X11 should ONLY be listening over local interfaces, lol.
is there any practical difference with regard to security between GNOME and KDE? in my experience nvidia on wayland seems to work better in KDE vs GNOME, and of course the personal preference for me leans more towards KDE of the two. but yeah definitely, if you don’t want to fuss about with compositors or window managers, a DE is certainly the way to go.
I already use wayland, but still need to run a few X apps… hence the thread, would be better if I could have a X server per sandbox, rather than offloading everything to XWayland.
1 Like
Not to my knowledge, no. The Wayland compositor in KDE is Kwin I think. It’s security model would be similar to Mutter in GNOME.
1 Like
Sorry, I misinterpreted. I thought you meant you were thinking about switching to a Wayland compositor. I have no experience running nested Xorg ( Xephyr, Xpra, etc.) inside a native Wayland session. Not sure what added benefit this would have from a security perspective, apps running Xwayland still have the security benefits of running in a native Wayland session. But I suppose for performance or breakage issues this may be needed. I kinda wished Linux had it’s own HVCI, probably the one decent thing about Windows lol.
1 Like
Yes, there is a huge difference.
GNOME is the only desktop that secures privileged wayland protocols like screencopy. This means that on non-GNOME systems, applications can access screen content of the entire desktop. This implicitly includes the content of other applications.
GNOME also provides thumbnailer sandboxing in Gnome Files, which mitigates attacks via thumbnailers.
1 Like
the fact that xwayland apps can snoop and send arbitrary inputs to each other is still unacceptable, because the moment you launch something outside the sandbox via xwayland, anything can escape the sandbox as long as it has access to the wayland socket. The solution I’ve found is to disable xwayland entirely and launch X apps via gamescope, which is kind of already built for this purpose. Can also launch sway instead which is better for regular desktop apps
I’m uninformed about this. what about the Wayland window managers without utilizing a full on DE? having to use a full DE let alone GNOME would be quite unpleasant.
It’s the same for everything except GNOME.
1 Like
for other compositors, you need to create a security context socket and pass that to the sandbox instead of your main privileged socket. flatpak will do that for you automatically, for other sandbox managers like firejail you need to create the socket and pass it yourself
1 Like