Enhancing X11 Application Security with LXC
33 points
4 hours ago
| 5 comments
| dobrowolski.dev
| HN
ChocolateGod
49 seconds ago
[-]
[delayed]
reply
mid-kid
2 hours ago
[-]
For an article written late last year I hoped for a little more awareness of how massive a security hole granting full, unfiltered access to the X11 server is. Granted, any sandboxing is better than none, but firefox is one of the few apps that already sandboxes itself really well, and with a blog title like that it might be good to touch upon things like nested X servers such as Xephyr.
reply
LtWorf
2 hours ago
[-]
Or one could just use firejail, which comes with a number of pre made profiles for common applications.
reply
nosioptar
1 hour ago
[-]
The sandbox command works well on systems using SELinux.

https://docs.redhat.com/en/documentation/red_hat_enterprise_...

reply
sunshine-o
2 hours ago
[-]
This is a great article.

I have little experience with lxc but I guess waypipe could be an option too.

reply
calvinmorrison
2 hours ago
[-]
Xlibre (the only current actively developed implementation of a X11 server) has a new extension - XNamespace to address some challenges as well.

https://github.com/X11Libre/xserver/blob/master/doc/Xnamespa...

reply
Chu4eeno
2 hours ago
[-]
Not the only one, there's also a new one (written in zig) I've forgot the name of.

edit: phoenix was the name: https://github.com/external-mirrors/phoenix#phoenix

reply
mappu
1 hour ago
[-]
There's also this new one: https://github.com/joske/yserver
reply