Refracta Development, Scripts, etc.

for refracta ascii: xephyr?

Thu Jun 30, 2016 12:57 pm

Xephyr isolates software using a nested X server.
Last edited by figlfdev on Fri Jul 01, 2016 9:50 am, edited 1 time in total.

Re: for refracta ascii: xephyr?

Thu Jun 30, 2016 3:57 pm

Maybe. It only adds about 4.5mb, and jwm only adds another 300k, so hard drive/CD space isn't a problem. Memory use shown by ps_mem.py right now is 36.3MiB for Xephyr and 1.6MiB for jwm. Meanwhile, iceweasel is using 192.1MiB for this one page that I'm on.

Did I mention it's really easy to use?

Code:
apt-get install xserver-xephyr
apt-get install jwm  # optional


Run it as an ordinary user:
Code:
Xephyr :1 -resizeable &   # background it, or start jwm from a second terminal
jwm -display :1


My bookmarks and history are all there. Pretty cool.

Re: for refracta ascii: xephyr?

Thu Jun 30, 2016 4:34 pm

From inside X:

Code:
Xephyr :2 -resizeable & sleep 2 ; icewm --display=:2 &


Also possible with iceweasel instead of icewm, although in that case the mouse doesn't work as expected (it works, sort of) and when you resize Xephyr, iceweasel stays the same (smaller) size.

So it's good to use a window manager. The second & lets you close the term you're running it from.

Very cool, I've never used this. You might want to show the line I put here to furrywolf, who has an issue with firefox shutting down X. This should mitigate that.

Re: for refracta ascii: xephyr?

Thu Jul 14, 2016 6:03 pm

Is using Xephyr enough, or is it necessary to run sandbox (or something else) to really keep the browser isolated?

http://www.bress.net/blog/archives/195- ... edora.html
https://www.linux.com/learn/run-applica ... es-selinux
http://security.stackexchange.com/quest ... pplication

Re: for refracta ascii: xephyr?

Fri Jul 15, 2016 6:23 am

I'm sure that would help. I found out about Xephyr recently, so I can't tell you about the other stuff.

Re: for refracta ascii: xephyr?

Fri Jul 15, 2016 7:23 am

https://wiki.archlinux.org/index.php/Firejail

The sandbox I keep seeing mentioned the most is Firejail with Firetools, as it already has profiles set up for popular applications such as firefox.

Though it's not without issues, as you can see from the wiki, with the paths, systemd and audio workarounds.

Re: for refracta ascii: xephyr?

Fri Jul 15, 2016 6:54 pm

Firejail with firetools is brain-dead easy. Turns out I already installed it some time ago, but I haven't been using it. Right now, I'm running a Xephyr session inside firejail.

Code:
firejail --seccomp Xephyr :2  -resizeable


It probably works the other way, too - run xephyr first, then run firefox in firejail. I'll try that.

Edit: Yes, it works the other way. Start xephyr, then start a window manager, then inside that, start firefox with firejail. I don't know which way is better.
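
The two recipes above (nested Xephyr plus a window manager, and firejail wrapped around the app inside it) put together as one script. This is an added example, not code from the thread or from the firejail project; it assumes Xephyr, jwm, firejail and xdpyinfo are installed, the script is saved as nested-jail.sh, and the hypothetical helper names (find_free_display, jail_cmd, wait_for_display, run_nested) are mine.

```shell
#!/bin/sh
# nested-jail.sh: run an application on a nested Xephyr display, inside firejail.
# Added example (not from the thread). Assumes Xephyr, jwm, firejail, xdpyinfo.

# Print the first display number N (>= 1) that has no lock file under $1.
# A running X server owns /tmp/.XN-lock and /tmp/.X11-unix/XN; the directory
# is a parameter so the function can be exercised on a scratch directory.
find_free_display() {
    lockdir=$1
    n=1
    while [ -e "$lockdir/.X${n}-lock" ] || [ -e "$lockdir/.X11-unix/X${n}" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# Print (do not run) the firejail command line for display $1 and program $2...
# --blacklist hides the real server's filesystem socket from the jail; without
# it the jailed app could ignore DISPLAY and connect to :0 by itself.
jail_cmd() {
    disp=$1; shift
    printf 'env DISPLAY=%s firejail --seccomp --blacklist=/tmp/.X11-unix/X0 %s\n' "$disp" "$*"
}

# Wait up to $2 seconds for display $1 to answer, polling with xdpyinfo
# instead of the fixed 'sleep 2' used earlier in the thread.
wait_for_display() {
    disp=$1; tries=${2:-10}
    while [ "$tries" -gt 0 ]; do
        DISPLAY=$disp xdpyinfo >/dev/null 2>&1 && return 0
        tries=$((tries - 1))
        sleep 1
    done
    return 1
}

# Start Xephyr on a free display, a window manager inside it, then the app.
run_nested() {
    [ $# -gt 0 ] || { echo "usage: $0 program [args...]" >&2; return 2; }
    disp=":$(find_free_display /tmp)"
    Xephyr "$disp" -resizeable -screen 1024x768 &
    xephyr_pid=$!
    # the nested server dies with this script, so no stray X servers are left
    trap 'kill "$xephyr_pid" 2>/dev/null' EXIT INT TERM
    wait_for_display "$disp" 10 || { echo "Xephyr on $disp did not start" >&2; return 1; }
    DISPLAY=$disp jwm &
    # same command line jail_cmd prints, run for real; blocks until the app exits
    DISPLAY=$disp firejail --seccomp --blacklist=/tmp/.X11-unix/X0 "$@"
}

# Only launch when invoked directly by its own name, not when sourced.
case $0 in
    */nested-jail.sh) run_nested "$@" ;;
esac
```

Usage: `./nested-jail.sh firefox`. The Xephyr window is the only X server the jailed program can talk to, so it cannot snoop keystrokes or windows on :0; that is the isolation Xephyr adds, and it only holds if the real server's socket is unreachable from the jail. The blacklist covers the filesystem socket; the abstract socket (`@/tmp/.X11-unix/X0`) lives in the network namespace, so it is only cut off by a firejail option that creates a separate one, such as `--net=none`. Newer firejail releases have a `--x11=xephyr` option that starts the nested server and blocks the real one in a single step.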

Re: for refracta ascii: xephyr?

Sat Jul 16, 2016 6:49 am

I've seen people mention converting applications to AppImage and then running them in Firejail, as an AppImage contains all the application dependencies in the App file and has very little reason to make system calls outside of the AppImage.

I've also seen a lot of mentions of systemd-nspawn containers, but I'm unsure if it's a container like AppImage or if it's more akin to system policy profiles like Firejail.

Re: for refracta ascii: xephyr?

Thu Jul 21, 2016 8:18 pm

I've been using firejail and firetools in jessie, and I like it. One thing I don't like about firetools is the inability to edit which applications it shows. So I wrote firemenu.
https://gist.github.com/fsmithred/c22d8 ... 9d701234e1

It uses yad for a graphical frontend. If you want to use zenity, edit the DIALOG variable at the beginning of the script. It's not a complete replacement for firetools. All it can do is start apps in a firejail. But it checks /etc/firejail for all .profile files, checks to see which apps are installed, and adds those apps to the menu.

Here's a sample .desktop file for the script. Change the Exec line if you put the script somewhere other than /usr/local/bin/
Code:
[Desktop Entry]
Name=FireMenu
Comment=Start applications in firejail.
Exec=/usr/local/bin/firemenu
Icon=network-vpn
Terminal=false
Type=Application
Categories=GTK;Utility;
StartupNotify=true


Firetools is not in the jessie repo. I got it from ascii (Testing), but that was a while ago, and it was version 0.9.30-1. The current version might not install without pulling in other stuff. The older version can be found here - http://snapshot.debian.org/package/firetools/
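
The profile-scanning logic described above, written out as an added example. It is not the firemenu gist's code; it assumes profiles live in /etc/firejail as NAME.profile, that the program to run is the profile's basename, and that the dialog is yad or zenity (both accept `--list --column`). The helper names (installed_profiles, show_menu) and the optional bin-directory argument are mine.

```shell
#!/bin/sh
# Added example of the firemenu idea, not the gist itself.
# Lists programs that have both a firejail profile and an installed executable,
# then offers them in a yad/zenity list and launches the choice under firejail.

DIALOG=${DIALOG:-yad}    # set DIALOG=zenity to use zenity instead

# Print one name per line for each $1/NAME.profile whose NAME is executable:
# in directory $2 when given, otherwise anywhere on PATH.
# Profiles such as default.profile or server.profile have no matching program,
# so they drop out here instead of cluttering the menu.
installed_profiles() {
    profdir=$1; bindir=$2
    for p in "$profdir"/*.profile; do
        [ -e "$p" ] || continue          # glob matched nothing
        name=${p##*/}
        name=${name%.profile}
        if [ -n "$bindir" ]; then
            [ -x "$bindir/$name" ] && echo "$name"
        else
            command -v "$name" >/dev/null 2>&1 && echo "$name"
        fi
    done
    return 0
}

# Show the menu built from $1 (default /etc/firejail) and start the selection.
show_menu() {
    apps=$(installed_profiles "${1:-/etc/firejail}")
    if [ -z "$apps" ]; then
        echo "no installed program has a firejail profile in ${1:-/etc/firejail}" >&2
        return 1
    fi
    # yad prints the row with a trailing '|' separator, zenity prints the value;
    # keep only the first column either way.
    choice=$(echo "$apps" | "$DIALOG" --list --column=Program --title=FireMenu) || return 0
    choice=${choice%%|*}
    [ -n "$choice" ] || return 0
    # the name came from a root-owned profile directory, so it is safe to run,
    # but it is still only ever passed as the program argument, never evaluated
    firejail "$choice" &
}

case $0 in
    */firemenu-example.sh) show_menu "$@" ;;
esac
```

Save it as firemenu-example.sh and point the .desktop Exec line at it. Checking for the executable before listing a profile is what keeps the menu honest: a profile in /etc/firejail says nothing about whether the program is installed, and firejail itself would just fail at launch time.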

Re: for refracta ascii: xephyr?

Mon Jul 25, 2016 7:01 pm

Some system commands won't work when firejail is running, because it mounts a tmpfs over those files to protect them. (e.g. adduser or installing software)
https://firejail.wordpress.com/support/known-problems/

This problem is fixed in kernel 3.18 and newer.


I'm not sure about xephyr providing any protection by itself. Stuff I'm reading suggests that it needs to be combined with other methods, such as running in a docker container and/or running it as a different user.