Running GUI applications in jails

Alexander Leidinger Alexander at leidinger.net
Sat Jun 6 17:22:27 UTC 2020


Quoting squiggly foo <foo.squiggly at yandex.com> (from Fri, 05 Jun 2020  
15:10:05 -0500):

> Thanks to Dave for pointing out that my HTML message was stripped. I  
> am trying this again.
>
> Hi All,
>
> I'm using FreeBSD as a workstation trying to keep everything as
> lightweight and segregated as possible. So I am running GUI
> applications inside a jail. My current solution to this is null
> mounting the Xorg socket inside the jail which allows the GUI
> applications to run on the host Xorg without issue. Unfortunately
> this is also probably the least secure solution as one jail could
> access the keystrokes of another jail through the Xorg on the host.
>
> I researched other solutions to this issue and listed them out below
> with the advantages and disadvantages. I would like to hear
> everyone's comments/ideas because maybe there are better ways.

You haven't said where the graphical output needs to happen. The X11
protocol distinguishes between the X server (e.g. the component
which does the output to a graphics card) and the X client (the
component which wants to display something, e.g. a movie player or
whatever program you use to produce the output for display). So the
question here is whether you just need to have an X client running there, or
the X server. You didn't describe the problem you have (I try to find
out what the problem looks like outside the box), but you already
describe alternatives in a limited solution sphere (you are inside the
box and try to find a solution).

[...]
> 5) Using multiple X servers on different ttys
> Using this solution I could group jails according to the level of
> security that they need. On one Xorg instance, say on tty3, I could
> have my most secure/trusted GUI jails and on tty4 I could have less
> secure, less trusted GUI jails. Yes, the jails inside of the same Xorg
> instance can potentially see each other's keystrokes but at least I
> have the least trusted jails in another Xorg instance.
>
> +Not really that heavy of a solution dependency wise because I
> already have Xorg installed on the host anyways and just running it
> multiple times
> +I'm assuming the separate Xorg instances don't see each other's
> keystrokes...?
> +/- I assume it's clipboard safe between the separate Xorg instances
> but not in the same Xorg instance.
> -Less flexible of a solution which can affect my workflow, but maybe
> not so bad.

You need to have a graphics card for each instance (I'm not aware that
two Xorg instances can share the same hardware, but I have never
looked specifically for something like this, so I may have overlooked
that it can, or it started to be able to do that in the last 10 years).
And yes, they will not see the keystrokes of the other instance.

> 6) Use null mounts for the Xorg socket but use a script to 'KILL -17'
> (suspend) all jails and their processes except for the one jail that
> I wish to work with at a time. Then resume them afterwards.
>
> +This is a pretty lightweight solution if slightly complex
>
> -A suspended app can still receive keystrokes but will not register
> them until unpaused. The only assurance I have is that the suspended
> jailed GUI app cannot request to become the active window (I
> think..?) and so as long as I type into the correct non-suspended
> jail, the other suspended jails cannot see keystrokes.

I wouldn't go that way. Too complicated.

I have patches for FreeBSD which allow running Xorg in a jail. This
would be another option as such, but not one which provides more
security (it's even less, as it opens up the memory of the entire
machine to this jail, so this jail can see all other jails if you
write a clever program; I use that in the sense of containerization of
Xorg and a desktop environment, not for security).

There is also the possibility to run Xvnc in each jail. Each GUI  
program would then connect to the local vnc server instance (or  
better: is started inside the local vnc server instance), and then  
from the system you want to see the output (which can be a local Xorg  
server, or a Windows laptop or an ipad or whatever is able to run a  
vncviewer program) you connect with a vnc viewer to the vnc instance  
of the jail. The applications inside each vnc instance will only see  
keystrokes when the vnc viewer window for this particular instance is  
active. So if you are in the window of vnc viewer instance A the  
instance B will not see keystrokes.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild at FreeBSD.org  : PGP 0x8F31830F9F2772BF
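
Added example, not part of the message above or of the quoted post: a host-side audit for the null-mount setup described in the thread, which groups jails by the X socket directory they reach so that jails sharing one X server (and therefore its input) stand out. The jail paths and the sample `mount -t nullfs` output are constructed; the script assumes paths without spaces and the socket directory at `<jail root>/tmp/.X11-unix`.

```shell
#!/bin/sh
# Constructed sample of `mount -t nullfs` output; all paths are hypothetical.
SAMPLE_MOUNTS='/tmp/.X11-unix on /usr/jails/browser/tmp/.X11-unix (nullfs, local)
/tmp/.X11-unix on /usr/jails/mail/tmp/.X11-unix (nullfs, local)
/usr/ports on /usr/jails/build/usr/ports (nullfs, local, read-only)
/var/run/xvnc-bank/.X11-unix on /usr/jails/bank/tmp/.X11-unix (nullfs, local)'

# Read mount(8) output on stdin and print one line per X socket directory:
#   <source dir> <number of jails> <jail roots, comma separated>
# Only nullfs mounts whose target ends in /tmp/.X11-unix are considered.
x_socket_groups() {
    awk '
        $2 == "on" && $4 ~ /^\(nullfs/ && $3 ~ /\/tmp\/\.X11-unix$/ {
            root = $3
            sub(/\/tmp\/\.X11-unix$/, "", root)   # strip suffix -> jail root
            n[$1]++
            roots[$1] = (roots[$1] == "" ? root : roots[$1] "," root)
        }
        END { for (s in n) print s, n[s], roots[s] }
    ' | sort
}

# Keep only the socket directories that more than one jail can reach.
# Every jail listed on such a line talks to the same X server.
shared_x_sockets() {
    x_socket_groups | awk '$2 > 1'
}

# Demo on the constructed sample; on a real host use:
#   mount -t nullfs | shared_x_sockets
printf '%s\n' "$SAMPLE_MOUNTS" | shared_x_sockets
```

An empty result means no two jails share an X socket directory through nullfs; it says nothing about X servers reached over TCP.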

More information about the freebsd-jail mailing list