[arch-general] sandboxing
sivmu
sivmu at web.de
Sat Feb 4 06:28:31 UTC 2017
Am 03.02.2017 um 17:49 schrieb Bart De Roy via arch-general:
> hello
>
> I've been postponing looking into browser isolation
> since I started using Wayland about a year ago.
>
> Does anyone have pointers, experiences or comments on
> this topic with regard to Xwayland? If I'd want to
> disassociate parts of chromiums execution context,
> what are common, good options?
>
> cheers, Bart
>
As long as the application has access to the xwayland instance, which is
by default the case when xwayland is available, it can influence all
other applications that still use the x-protcol.
Only the input/output of applications using only the wayland protocol
are somewhat safe from this attack vector.
To fully close this risk, full adaption of wayland in all applications
is necessary, because then you no longer need any xserver.
In the end this is really tricky and as has been mentioned, there is
currently no really good solution for sandboxing desktop applications
that can be easily applied.
For most isolation purposes, applications like bubblewrap, lxc or
systemd-nspawn can help, but you will still need to take care of X11,
dbus and some other issues taht are not all that easy.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-general/attachments/20170204/c2efd147/attachment.asc>
More information about the arch-general
mailing list