I've been looking into options on how I can sandbox X applications: http://archive.is/3smrE
This is probably the most interesting, simplest, lightest option I've seen.
At first glance, it works. You can't snoop window events, you can't screenshot, and you can't go typing in another window. You can, however, read the copy buffer even as an untrusted X application.
I created two users, let's say firefox and firefoxnojs. I launched firefox with its own cookie under the firefox user. Then I launched firefox with its own cookie under the firefoxnojs user. Or at least, I tried to.
It just opened a new window in Firefox under the first user that launched.
This was really puzzling. No obvious link between the "firefox" and "firefoxnojs" users. Permissions in the home directories locked down. No dbus running. No sockets in /tmp.
xev -root doesn't show any kind of message passing. But digging further, it becomes clear that there is some kind of message passing happening over X. Even between two "untrusted" applications with different X authority cookies, instead of launching two firefoxes the one can communicate with the other.
Running truss (as root) on X confirmed this. It is message passing over X. I know the X spec is pretty huge, I just didn't know there was a "talk to your neighbor application" kind of feature.
Do any of you know more about this?
I don't think the method above will work for me. I think I'm going to have to do a Xephyr per firefox that I want to sandbox, allowing access by ownership of the X socket file. Just had no idea this could happen. I'd seen it on Linux before and never dug into it. I assumed it was some dbus magic. I really don't care for the feature. I am fairly sure it might also work for untrusted -> trusted which is concerning.
This is probably the most interesting, simplest, lightest option I've seen.
At first glance, it works. You can't snoop window events, you can't screenshot, and you can't go typing in another window. You can, however, read the copy buffer even as an untrusted X application.
I created two users, let's say firefox and firefoxnojs. I launched firefox with its own cookie under the firefox user. Then I launched firefox with its own cookie under the firefoxnojs user. Or at least, I tried to.
It just opened a new window in Firefox under the first user that launched.
This was really puzzling. No obvious link between the "firefox" and "firefoxnojs" users. Permissions in the home directories locked down. No dbus running. No sockets in /tmp.
xev -root doesn't show any kind of message passing. But digging further, it becomes clear that there is some kind of message passing happening over X. Even between two "untrusted" applications with different X authority cookies, instead of launching two firefoxes the one can communicate with the other.
Running truss (as root) on X confirmed this. It is message passing over X. I know the X spec is pretty huge, I just didn't know there was a "talk to your neighbor application" kind of feature.
Do any of you know more about this?
I don't think the method above will work for me. I think I'm going to have to do a Xephyr per firefox that I want to sandbox, allowing access by ownership of the X socket file. Just had no idea this could happen. I'd seen it on Linux before and never dug into it. I assumed it was some dbus magic. I really don't care for the feature. I am fairly sure it might also work for untrusted -> trusted which is concerning.