
for refracta ascii: xephyr?


Postby figlfdev » Thu Jun 30, 2016 12:57 pm

Xephyr isolates software using a nested X server.

Re: for refracta ascii: xephyr?

Postby fsmithred » Thu Jun 30, 2016 3:57 pm

Maybe. It only adds about 4.5mb, and jwm only adds another 300k, so hard drive/CD space isn't a problem. Memory use shown by ps_mem.py right now is 36.3MiB for Xephyr and 1.6MiB for jwm. Meanwhile, iceweasel is using 192.1MiB for this one page that I'm on.

Did I mention it's really easy to use?

Code:
apt-get install xserver-xephyr   # the nested X server
apt-get install jwm              # optional: a small window manager to run inside it


Run it as ordinary user:
Code:
Xephyr :1 -resizeable &   # nested server on display :1, backgrounded so the next line can run
jwm -display :1 &         # window manager inside the nested display


My bookmarks and history are all there. Pretty cool.

Re: for refracta ascii: xephyr?

Postby figlfdev » Thu Jun 30, 2016 4:34 pm

from inside x:

Code:
# start the nested server, give it a moment to come up, then start icewm inside it
Xephyr :2 -resizeable & sleep 2 ; icewm --display=:2 &


Also possible with iceweasel instead of icewm, although in that case the mouse doesn't work as expected (it works sort of) and when you resize Xephyr, iceweasel stays the same (smaller) size.

So it's good to use a window manager. The second & lets you close the term you're running it from.

Very cool, I've never used this. You might want to show the line I put here to furrywolf, who has an issue with firefox shutting down X. This should mitigate that.

Re: for refracta ascii: xephyr?

Postby fsmithred » Thu Jul 14, 2016 6:03 pm

Is using Xephyr enough, or is it necessary to run sandbox (or something else) to really keep the browser isolated?

http://www.bress.net/blog/archives/195- ... edora.html
https://www.linux.com/learn/run-applica ... es-selinux
http://security.stackexchange.com/quest ... pplication

Re: for refracta ascii: xephyr?

Postby figlfdev » Fri Jul 15, 2016 6:23 am

I'm sure that would help. I found out about Xephyr recently, so I can't tell you about the other stuff.

Re: for refracta ascii: xephyr?

Postby AlexRey » Fri Jul 15, 2016 7:23 am

https://wiki.archlinux.org/index.php/Firejail

The sandbox I keep seeing mentioned the most is Firejail with Firetools, as it already has profiles set up for popular applications such as firefox.

Though it's not without issues, as you can see from the wiki with the paths, systemd and audio workarounds.

Re: for refracta ascii: xephyr?

Postby fsmithred » Fri Jul 15, 2016 6:54 pm

Firejail with firetools is brain-dead easy. Turns out I already installed it some time ago, but I haven't been using it. Right now, I'm running a Xephyr session inside firejail.

Code:
firejail --seccomp Xephyr :2 -resizeable   # the nested server itself runs inside the jail


It probably works the other way, too - run xephyr first, then run firefox in firejail. I'll try that.

Edit: Yes, it works the other way. Start xephyr, then start a window manager, then inside that, start firefox with firejail. I don't know which way is better.
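The procedure spread over the posts above (start Xephyr, start a window manager inside it, then run the browser on that display, with firejail around the application) as one script. This is an added example, not code from the thread or from Refracta. It assumes xserver-xephyr, jwm and firejail are installed and that the host X session is on :0; the free-display probing, the socket wait and the `run` subcommand are this example's own additions, not something the posts describe.

```shell
#!/bin/sh
# nested_session.sh: start Xephyr on a free display, a window manager
# inside it, and then one application on that display under firejail.
# Added example, not code from the thread. Assumes xserver-xephyr, jwm
# and firejail are installed and that the host session runs on :0.

# Where X servers create their sockets and lock files; overridable so the
# helpers can be exercised without a running X server.
X11_SOCKET_DIR="${X11_SOCKET_DIR:-/tmp/.X11-unix}"
X11_LOCK_DIR="${X11_LOCK_DIR:-/tmp}"

# Print the lowest display number from 1 to 99 that has neither a socket
# nor a lock file. :0 is skipped because that is normally the host display.
find_free_display() {
    n=1
    while [ "$n" -lt 100 ]; do
        if [ ! -e "$X11_SOCKET_DIR/X$n" ] && [ ! -e "$X11_LOCK_DIR/.X$n-lock" ]; then
            echo "$n"
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

# Block until the nested server's socket exists, for at most $2 seconds.
# Returns 1 on timeout instead of hoping that "sleep 2" was long enough.
wait_for_display() {
    disp="$1"
    timeout="${2:-10}"
    elapsed=0
    while [ ! -S "$X11_SOCKET_DIR/X$disp" ]; do
        [ "$elapsed" -lt "$timeout" ] || return 1
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 0
}

# Tear down the window manager and Xephyr when the jailed application
# exits or the script is interrupted, so no orphaned server is left.
cleanup() {
    [ -z "${WM_PID:-}" ] || kill "$WM_PID" 2>/dev/null
    [ -z "${XEPHYR_PID:-}" ] || kill "$XEPHYR_PID" 2>/dev/null
}

main() {
    [ "$#" -gt 0 ] || set -- iceweasel       # default application

    disp="$(find_free_display)" || { echo "no free display number" >&2; exit 1; }

    Xephyr ":$disp" -resizeable &
    XEPHYR_PID=$!
    trap cleanup EXIT INT TERM

    wait_for_display "$disp" 10 || { echo "Xephyr :$disp did not start" >&2; exit 1; }

    # A window manager inside the nested server keeps resizing sane.
    DISPLAY=":$disp" jwm &
    WM_PID=$!

    # The application only ever sees the nested display; firejail adds the
    # filesystem and seccomp restrictions that Xephyr by itself lacks.
    DISPLAY=":$disp" firejail --seccomp "$@"
}

# Only run when invoked as: ./nested_session.sh run [app [args...]]
case "${1:-}" in
    run) shift; main "$@" ;;
esac
```

Invoke it as `./nested_session.sh run iceweasel`. The reason for the two layers: any client on an X server can read keystrokes and window contents of every other client on that server, so giving the browser its own nested server is what removes it from the host's server. Xephyr is itself only a client of the host server, though, and does nothing about files or system calls; that is what the firejail line adds.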

Re: for refracta ascii: xephyr?

Postby AlexRey » Sat Jul 16, 2016 6:49 am

I've seen people mention converting applications to AppImage and then running them in Firejail, as an AppImage contains all the application dependencies in the app file and has very little reason to make system calls outside of the AppImage.

I've also seen a lot of mentions of systemd-nspawn containers, but I'm unsure if it's a container like AppImage or if it's more akin to the system policy profiles of Firejail.

Re: for refracta ascii: xephyr?

Postby fsmithred » Thu Jul 21, 2016 8:18 pm

I've been using firejail and firetools in jessie, and I like it. One thing I don't like about firetools is the inability to edit which applications it shows. So I wrote firemenu.
https://gist.github.com/fsmithred/c22d8 ... 9d701234e1

It uses yad for a graphical frontend. If you want to use zenity, edit the DIALOG variable at the beginning of the script. It's not a complete replacement for firetools. All it can do is start apps in a firejail. But it checks /etc/firejail for all .profile files, checks to see which apps are installed, and adds those apps to the menu.

Here's a sample .desktop file for the script. Change the Exec line if you put the script somewhere other than /usr/local/bin/
Code:
[Desktop Entry]
Name=FireMenu
Comment=Start applications in firejail.
Exec=/usr/local/bin/firemenu
Icon=network-vpn
Terminal=false
Type=Application
Categories=GTK;Utility;
StartupNotify=true


Firetools is not in the jessie repo. I got it from ascii (Testing), but that was a while ago, and it was version 0.9.30-1. The current version might not install without pulling in other stuff. The older version can be found here - http://snapshot.debian.org/package/firetools/
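A small script that does what the post above describes firemenu doing: scan the profile directory, keep only profiles whose program is actually installed, offer the list in yad or zenity, and start the choice in firejail. This is an added example written for this page; it is not fsmithred's firemenu (that is at the gist link), and it assumes firejail plus yad or zenity are installed. The `is_jailable` check and the `menu` subcommand are additions of this example.

```shell
#!/bin/sh
# firemenu_lite.sh: list the applications that both have a firejail
# profile and are installed, let the user pick one, and start it in a
# jail. Added example following the description of firemenu above; it
# is not fsmithred's script. Assumes firejail and yad or zenity exist.

PROFILE_DIR="${PROFILE_DIR:-/etc/firejail}"   # where firejail keeps <app>.profile
DIALOG="${DIALOG:-yad}"                        # frontend: yad or zenity

# Print one name per line for every <name>.profile in PROFILE_DIR whose
# <name> is an executable on PATH. Profiles for programs that are not
# installed, and the *.inc include files, are skipped.
installed_profiles() {
    dir="${1:-$PROFILE_DIR}"
    [ -d "$dir" ] || return 1
    for f in "$dir"/*.profile; do
        [ -e "$f" ] || continue                # the glob matched nothing
        name="${f##*/}"
        name="${name%.profile}"
        if command -v "$name" >/dev/null 2>&1; then
            echo "$name"
        fi
    done | sort -u
}

# True if $1 is exactly one of the names installed_profiles would list.
# Launching is restricted to that set, so a stray dialog result such as
# "../bin/sh" or an empty string never reaches firejail.
is_jailable() {
    [ -n "$1" ] || return 1
    installed_profiles | grep -qx -- "$1"
}

# Show the chooser and print the selected name (empty when cancelled).
# yad prints the row with a trailing column separator; zenity does not.
choose_app() {
    case "$DIALOG" in
        yad)    yad --list --title=FireMenu --column=Application "$@" | cut -d'|' -f1 ;;
        zenity) zenity --list --title=FireMenu --column=Application "$@" ;;
        *)      echo "unsupported DIALOG '$DIALOG'" >&2; return 1 ;;
    esac
}

main() {
    set -- $(installed_profiles)
    if [ "$#" -eq 0 ]; then
        echo "no installed application has a profile in $PROFILE_DIR" >&2
        exit 1
    fi
    app="$(choose_app "$@")"
    [ -n "$app" ] || exit 0                    # dialog cancelled
    is_jailable "$app" || { echo "refusing to run '$app'" >&2; exit 1; }
    # firejail picks PROFILE_DIR/<name>.profile itself when the name matches.
    exec firejail "$app"
}

# Only run when invoked as: ./firemenu_lite.sh menu  (use that as the
# Exec= line of a .desktop file instead of a bare script path).
case "${1:-}" in
    menu) main ;;
esac
```

Set `DIALOG=zenity` in the environment, or edit the default, to switch frontends, the same way the post describes for firemenu. The script deliberately launches only names that came out of the profile scan; anything else the dialog returns is refused rather than handed to firejail.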

Re: for refracta ascii: xephyr?

Postby fsmithred » Mon Jul 25, 2016 7:01 pm

Some system commands won't work when firejail is running, because it mounts a tmpfs over those files to protect them. (e.g. adduser or installing software)
https://firejail.wordpress.com/support/known-problems/

This problem is fixed in kernel 3.18 and newer.


I'm not sure about xephyr providing any protection by itself. Stuff I'm reading suggests that it needs to be combined with other methods, such as running in a docker container and/or running it as a different user.
