Running GUI applications in jails

Running GUI applications in jails

squiggly foo
Thanks to Dave for pointing out that my HTML message was stripped. I am trying this again.

Hi All,

I'm using FreeBSD as a workstation trying to keep everything as lightweight and
segregated as possible. So I am running GUI applications inside a jail. My current
solution to this is null mounting the Xorg socket inside the jail which allows the
GUI applications to run on the host Xorg without issue. Unfortunately this is also
probably the least secure solution as one jail could access the key strokes of
another jail through the Xorg on the host.

I researched other solutions to this issue and listed them out below with the advantages
and disadvantages. I would like to hear everyone's comments/ideas because maybe
there are better ways.

1) Using Xpra
+ So far this seems like the most secure solution as every GUI application would have
its own xorg instance and cannot see each other's keystrokes.
+ I assume it's clipboard safe...?

- Good lord the dependencies! This is probably by far the most heavy weight solution.


2) Using Xephyr (Xnest)
+ This solution is also just as secure as Xpra as every GUI jailed app will have its own
xorg instance.
+ Far fewer dependencies than Xpra and therefore more lightweight
+ I assume it's clipboard safe...?

- It will produce a whole X window with window manager in addition to just the app
that I want to run which is space inefficient for monitor real estate.


3) Null Mounting the Xorg socket in the jail
+ The easiest and the most lightweight solution

- The least secure so far according to my research
- Not clipboard safe


4) SSH -X Forwarding
+ Just slightly more weighty than null mounting a socket inside the jail

- It uses X11 security which makes it slightly more secure than a null mount
but it could still see the keystrokes I'm typing into another jail or host.
- Slower X performance..?
- Not clipboard safe


5) Using multiple X servers on different ttys
Using this solution I could group jails according to the level of security that they need.
On one Xorg instance say on tty3 I could have my most secure/trusted GUI jails and on tty4
I could have less secure less trusted GUI jails. Yes the jails inside of the same Xorg instance can
potentially see each other's keystrokes but at least I have the least trusted jails in another Xorg
instance.

+ Not really that heavy of a solution dependency wise because I already have Xorg installed on
the host anyways and just running it multiple times
+ I'm assuming the separate Xorg instances don't see each other's keystrokes...?
+/- I assume it's clipboard safe between the separate Xorg instances but not
in the same Xorg instance.

- Less flexible of a solution which can affect my workflow, but maybe not so bad.


6) Use Null mounts for the Xorg socket but use a script to 'KILL -17' (suspend) all jails and their
processes except for the one jail that I wish to work with at a time. Then resume them
afterwards.

+ This is a pretty lightweight solution if slightly complex

- A suspended app can still receive keystrokes but will not register them until unpaused.
The only assurance I have is that the suspended jailed GUI app cannot request to
become the active window (I think..?) and so as long as I type into the correct
non-suspended jail, the other suspended jails cannot see keystrokes.


Comments? Questions? How does everyone else do it?
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-jail
To unsubscribe, send any mail to "[hidden email]"
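
An added example, not part of any message in this thread: a host-side check that reads the mount table and groups jails by the X11 socket directory null-mounted into them, since jails in one group talk to the same X server (the situation option 3 describes). The input is assumed to be the fstab-style text printed by `mount -p`; the sample lines and all jail paths are constructed.

```shell
#!/bin/sh
# Added example: group jails by the X11 socket directory nullfs-mounted into them.
# Input is fstab-style text as printed by `mount -p`:
#   device  mountpoint  fstype  options  dump  pass

# Constructed sample; every jail path here is hypothetical.
SAMPLE_MOUNTS='/dev/ada0p2 / ufs rw 1 1
devfs /dev devfs rw 0 0
/tmp/.X11-unix /usr/jails/browser/tmp/.X11-unix nullfs rw 0 0
/tmp/.X11-unix /usr/jails/mail/tmp/.X11-unix nullfs rw 0 0
/usr/ports /usr/jails/mail/usr/ports nullfs ro 0 0
/usr/jails/xvnc-bank/tmp/.X11-unix /usr/jails/bank/tmp/.X11-unix nullfs rw 0 0'

# Reads mount lines on stdin and prints one line per source socket directory:
#   <source dir>: <jail root> [<jail root> ...]
x11_share_groups() {
    awk '
    $3 == "nullfs" && $2 ~ "/tmp/\\.X11-unix$" {
        root = $2
        sub("/tmp/\\.X11-unix$", "", root)   # strip the suffix to get the jail root
        if ($1 in grp) {
            grp[$1] = grp[$1] " " root
        } else {
            order[++n] = $1                  # remember first-seen order of sources
            grp[$1] = root
        }
    }
    END { for (i = 1; i <= n; i++) print order[i] ": " grp[order[i]] }'
}

# Prints only the jail roots that share a socket directory with another jail.
x11_exposed_jails() {
    x11_share_groups | awk -F': ' '{
        n = split($2, j, " ")
        if (n > 1) for (i = 1; i <= n; i++) print j[i]
    }'
}

# Demo on the constructed sample. On a real host: mount -p | x11_share_groups
printf '%s\n' "$SAMPLE_MOUNTS" | x11_share_groups
```
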
Re: Running GUI applications in jails

freebsd-jail mailing list
Quoting squiggly foo <[hidden email]> (from Fri, 05 Jun 2020 15:10:05 -0500):

> Thanks to Dave for pointing out that my HTML message was stripped. I am trying this again.
>
> Hi All,
>
> I'm using FreeBSD as a workstation trying to keep everything as lightweight and
> segregated as possible. So I am running GUI applications inside a jail. My current
> solution to this is null mounting the Xorg socket inside the jail which allows the
> GUI applications to run on the host Xorg without issue. Unfortunately this is also
> probably the least secure solution as one jail could access the key strokes of
> another jail through the Xorg on the host.
>
> I researched other solutions to this issue and listed them out below with the advantages
> and disadvantages. I would like to hear everyone's comments/ideas because maybe
> there are better ways.

You haven't told where the graphical output needs to happen. The X11
protocol is distinguishing between the X server (e.g. the component
which does the output to a graphics card) and the X client (the
component which wants to display something e.g. a movie player or
whatever program you use to produce the output for display). So the
question here is if you just need to have an X client running there, or
the X server. You didn't describe the problem you have (I try to find
out how the problem looks like outside the box), but you describe
already alternatives in a limited solution sphere (you are inside the
box and try to find a solution).

[...]

> 5) Using multiple X servers on different ttys
> Using this solution I could group jails according to the level of security that they need.
> On one Xorg instance say on tty3 I could have my most secure/trusted GUI jails and on tty4
> I could have less secure less trusted GUI jails. Yes the jails inside of the same Xorg instance can
> potentially see each other's keystrokes but at least I have the least trusted jails in another Xorg
> instance.
>
> + Not really that heavy of a solution dependency wise because I already have Xorg installed on
> the host anyways and just running it multiple times
> + I'm assuming the separate Xorg instances don't see each other's keystrokes...?
> +/- I assume it's clipboard safe between the separate Xorg instances but not
> in the same Xorg instance.
> - Less flexible of a solution which can affect my workflow, but maybe not so bad.

You need to have a graphics card for each instance (I'm not aware that
two Xorg instances can share the same hardware, but I have never
looked specially for something like this, so I may have overlooked
that it can, or it started to be able to do that in the last 10 years).
And yes, they will not see the keystrokes of the other instance.

> 6) Use Null mounts for the Xorg socket but use a script to 'KILL -17' (suspend) all jails and their
> processes except for the one jail that I wish to work with at a time. Then resume them
> afterwards.
>
> + This is a pretty lightweight solution if slightly complex
>
> - A suspended app can still receive keystrokes but will not register them until unpaused.
> The only assurance I have is that the suspended jailed GUI app cannot request to
> become the active window (I think..?) and so as long as I type into the correct
> non-suspended jail, the other suspended jails cannot see keystrokes.

I wouldn't go that way. Too complicated.

I have patches for FreeBSD which allow to run Xorg in a jail. This  
would be another option as such, but not one which provides more  
security (it's even less, as it opens up the memory of the entire  
machine to this jail, so this jail can see all other jails if you  
write a clever program, I use that in the sense of containerization of  
Xorg and a desktop environment, not for security).

There is also the possibility to run Xvnc in each jail. Each GUI  
program would then connect to the local vnc server instance (or  
better: is started inside the local vnc server instance), and then  
from the system you want to see the output (which can be a local Xorg  
server, or a Windows laptop or an ipad or whatever is able to run a  
vncviewer program) you connect with a vnc viewer to the vnc instance  
of the jail. The applications inside each vnc instance will only see  
keystrokes when the vnc viewer window for this particular instance is  
active. So if you are in the window of vnc viewer instance A the  
instance B will not see keystrokes.

Bye,
Alexander.

--
http://www.Leidinger.net [hidden email]: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    [hidden email]  : PGP 0x8F31830F9F2772BF

Re: Running GUI applications in jails

squiggly foo
Hi Alexander,

You seem to have a lot of experience with X11 so I'm happy to hear your advice.
To answer your first question about where the graphical output needs to happen:

I am not sure I am understanding your question, but I am using one computer for
all of this.  The Xserver component of X11 is running on this computer on the host
(not jailed) and the xclients are the jailed gui applications.  My basic problem is to
make sure that jailed gui applications cannot access the keystrokes of other jailed gui
applications. I guess I am confused by your question (maybe 'cause I'm thinking inside
the box) but what other options are there for running the Xserver and Xclients on a single
computer?  Or maybe you are suggesting multiple computers running Xservers?  Please
let me know whatever you are thinking as a solution because I am open to ideas and
thinking outside the box.


Maybe I was also incorrect about running multiple Xservers on the same machine on
different ttys but I thought that was an option.  I should check with the X11 mailing
list.

It's funny that you mention running an Xvnc server inside of a jail with each gui
application.  I have actually done that before but I never considered it as a possible
option for solving my problem until now that you mentioned it.  So I will look into that
more.  My only issue with this: the application that I want jailed the most is my
"general browsing" firefox instance used for media websites like youtube but I am not
sure how well a 1080p video will look over a vnc connection.  But I haven't tested this
idea in a while.

I suppose using Xephyr would be a similar yet heavier solution than just using your
Xvnc server idea inside each jail.  Would you agree?

I might also look into statically compiling Xpra (if possible) so that it at least feels
cleaner that all the dependencies are inside one binary instead of all over my system.

Again I am open to all ideas and suggestions.  Please feel free to ask more questions if
you need more details about what I am trying to do.



06.06.2020, 12:22, "Alexander Leidinger" <[hidden email]>:

> [...]
Re: Running GUI applications in jails

freebsd-jail mailing list
Quoting squiggly foo <[hidden email]> (from Mon, 08 Jun 2020 21:35:23 -0500):

> Hi Alexander,
>
> You seem to have a lot of experience with X11 so I'm happy to hear your advice.
> To answer your first question about where the graphical output needs to happen:
>
> I am not sure I am understanding your question, but I am using one computer for
> all of this.  The Xserver component of X11 is running on this computer on the host
> (not jailed) and the xclients are the jailed gui applications.  My basic problem is to
> make sure that jailed gui applications cannot access the keystrokes of other jailed gui
> applications. I guess I am confused by your question (maybe 'cause I'm thinking inside
> the box) but what other options are there for running the Xserver and Xclients on a single
> computer?  Or maybe you are suggesting multiple computers running Xservers?  Please
> let me know whatever you are thinking as a solution because I am open to ideas and
> thinking outside the box.

With X11 it doesn't matter if you talk about 1 or multiple computers.
Within the same network and with a fast enough speed of the network,
it should work (edge-cases may differ).


> Maybe I was also incorrect about running multiple Xservers on the same machine on
> different ttys but I thought that was an option.  I should check with the X11 mailing
> list.
>
> It's funny that you mention running an Xvnc server inside of a jail with each gui
> application.  I have actually done that before but I never considered it as a possible
> option for solving my problem until now that you mentioned it.  So I will look into that
> more.  My only issue with this: the application that I want jailed the most is my
> "general browsing" firefox instance used for media websites like youtube but I am not
> sure how well a 1080p video will look over a vnc connection.  But I haven't tested this
> idea in a while.

For your particular use cases you will only know if you test it. As
you are doing this locally, the "network" speed is a combination of
the internal bus / CPU / memory speed, and some vnc settings like
compression may play a role here too, but my gut feeling is that this
could work.

> I suppose using Xephyr would be a similar yet heavier solution than just using your
> Xvnc server idea inside each jail.  Would you agree?
>
> I might also look into statically compiling Xpra (if possible) so that it at least feels
> cleaner that all the dependencies are inside one binary instead of all over my system.

I do not know Xephyr or Xpra. I had a very quick look at the  
homepages, and it looks like they are "just" a normal X server (with  
some special features) and use the X11 protocol. As such I do not  
expect that their use will solve your problem (read: I expect that you  
will be able to see keystrokes across all jails).

Bye,
Alexander.

--
http://www.Leidinger.net [hidden email]: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    [hidden email]  : PGP 0x8F31830F9F2772BF
