Enhancing X11 Application Security with LXC

 (dobrowolski.dev)

33 points | by shirozuki 4 hours ago

5 comments

  • ChocolateGod 11 minutes ago
    Correct me if I'm wrong, but passing through the X socket gives a giant sandbox escape as any application can control/see any other application, including a root terminal in a GUI app.
  • mid-kid 2 hours ago
    For an article written late last year I hoped for a little more awareness of how massive a security hole granting full, unfiltered access to the X11 server is. Granted, any sandboxing is better than none, but firefox is one of the few apps that already sandboxes itself really well, and with a blog title like that it might be good to touch upon things like nested X servers such as Xephyr.
  • LtWorf 2 hours ago
    Or one could just use firejail, which comes with a number of pre made profiles for common applications.
    [-]
  • sunshine-o 2 hours ago
    This is a great article.

    I have little experience with lxc but I guess waypipe could be an option too.

  • calvinmorrison 2 hours ago
    Xlibre (the only current actively developed implementation of a X11 server) has a new extension - XNamespace to address some challenges as well.

    https://github.com/X11Libre/xserver/blob/master/doc/Xnamespa...

    [-]
    • Chu4eeno 2 hours ago
      Not the only one, there's also a new one (written in zig) I've forgot the name of.

      edit: phoenix was the name: https://github.com/external-mirrors/phoenix#phoenix

      [-]
      • mappu 1 hour ago
        There's also this new one: https://github.com/joske/yserver
        [-]
        • asveikau 3 minutes ago
          Hard for me to take that one seriously.. For example they call out byte swapping for endianness as the type of cruft holding back X11. Such a trivial thing to be concerned enough to put in the readme... (I guess Phoenix is also putting this..) Seems like mostly authored by Claude too.