Does Wayland work in Jails?

I

ikevin8me

I have been reading that Wayland is a replacement for X, so I searched the Web but there's nothing about configuraing Wayland to work in Jails. Does Wayland work in jails? If not, should I still stick with X? Some advice would be appreciated.
 
Usually you can't even use a computer in jail, but if you manage to bribe the guards, then it might be possible...

On a serious note, why would you want to do that? Do you mean separate desktop apps in jail (like Firefox), while running in Wayland? Or the whole desktop environment? I think when you run X app in jail, you have to forward the session somehow. I'm not sure if that's possible in Wayland.
 
ikevin8me said:
I have been reading that Wayland is a replacement for X, so I searched the Web but there's nothing about configuraing Wayland to work in Jails. Does Wayland work in jails? If not, should I still stick with X? Some advice would be appreciated.
Click to expand...
At the moment I can't use Wayland on my systems, but I can use x11.

Currently I run xrdp with some applications: telegram-desktop-qt6, lxde, xpdf and librewolf. Some time ago I need to install libreoffice and it works quite well. All of them inside a jail.
I have even run lxde and xfce4 in a jail without xrdp: using Xephyr, but I prefer xrdp because it suits my needs.

The common thing is to use jails per service/function (ex: MySQL, jellyfin, etc.), but for a full desktop environment (or WM) with other GUI applications I think separating jails per applications is a bit difficult, you can, but it is preferable to install them all inside the jail as it is much easier for those applications to respect the DE/WM environment, the configuration and for the application launcher to recognize those applications.
 
algi said:
Usually you can't even use a computer in jail, but if you manage to bribe the guards, then it might be possible...

On a serious note, why would you want to do that? Do you mean separate desktop apps in jail (like Firefox), while running in Wayland? Or the whole desktop environment? I think when you run X app in jail, you have to forward the session somehow. I'm not sure if that's possible in Wayland.
Click to expand...
For security reasons, I'd like to isolate some apps within some form of containerization (like jails). Is it possible to set up an app - say, for example, like Firefox - to run inside a jail and a window will show up? I don't care if it is using forward session or something else, I just would like an app inside a jail to show up in the graphical environment.
 
What you might want is to run the X server or Wayland on the main system itself and run FF in a jail. But the jail must be enough of a duplicate of your base O/S plus the FF packages and all it prerequisites needed to run it installed in the jail. If you want each app to run in its own jail you're probably looking at 3-8 GB of space per jail.

It is possible to create a template and mount each jail using the template on top of each jail.

Your jail would need access to your network for access to the Internet you would need to give it access to your Xserver via xhost(1) or xauth(1) (if you can sync the magic cookies without compromising them). IMO this is a lot of work for very little gain in security but probably a good exercise to gain a good understanding on setting up jails. Setting up a server jail, like an apache or nginx jail, would be a lot less work for the same educational value.

You're better off running a FF with a script blocker like noscript and keeping your FF patched and up to date than spending the time on running only it in a jail.

Oh, and what if you download a file, like a patch from bugzilla? How do you share your home directory without compromising your jail with an unintended backdoor? Sharing directories, like a home directory, with a jail is like locking the front door and leaving the back door unlocked and propped open.
 
cy@ said:
Oh, and what if you download a file, like a patch from bugzilla? How do you share your home directory without compromising your jail with an unintended backdoor? Sharing directories, like a home directory, with a jail is like locking the front door and leaving the back door unlocked and propped open.
Click to expand...

I do it by creating jail users with the same uid as my non-privileged user on the host. Also create dirs and chmod them to the correct uid. Now permissions just work, and I can view / modify jail files from the host.
 
patmaddox said:
I do it by creating jail users with the same uid as my non-privileged user on the host. Also create dirs and chmod them to the correct uid. Now permissions just work, and I can view / modify jail files from the host.
Click to expand...
I wasn't asking how this was done, mechanically, but how would you mitigate the risks of sharing directories between a jail and the host system?

Jails are built on top of chroot(). And using a shared directory between a jail and the host system does open the host system up to compromised because the chroot/jail can be broken out of.

This is why best practices dictate that this should not be done.
 
I don't share directories between the jail and host. The host can dig into the jail, but the jail can't see outside of its chroot. That's part of the beauty of jails.

Your initial question was "what if you download a file, like a patch from bugzilla? How do you share your home directory without compromising your jail with an unintended backdoor?" Which is proposing a mechanism - sharing directories - to accomplish a result: viewing / modifying files in both places.

I accomplish this with a different mechanism. If I want the jail to view a file on the host, I copy it from the host to the jail. If I want the host to access a file on the jail, the host already has permission to do so. There's no route from the jail back out to the host.
 
You must log in or register to reply here.
Back
Top