Desktop privacy & security of web browsers on Linux part 1: concepts and theory

nexlab.net

76 points by nextime 10 years ago · 11 comments

bennofs 10 years ago

Improving Linux desktop security beyond "if you PWN one program, you PWN the whole desktop session" is going to be hard. X11 has no separation, so talking about this really only makes sense when using Wayland, which is nowhere near default yet.

A problem with this particular approach is that chrome-trusted, for example, will no longer have access to the session's DBus, so it cannot show any notifications. And DBus, like X11, does not provide any separation right now as far as I'm aware (it has support for authentication, but in practice `external` is used most of the time, which is based on UID).

The only variant that might provide a real security benefit here is the -paranoid one, as that does not share the X11 server session.

  • nextimeOP 10 years ago

    Have you read the post?

    Yes, X11 has no separation, but you can use multiple isolated X11 sessions, like I do in the config I'm explaining in this post.

    • nextimeOP 10 years ago

      OK, you read it and are aware of the -paranoid with xpra. Great. Anyway, there is no way to obtain perfect security; these are just little improvements, as I explained.

  • eximius 10 years ago

    Doesn't wayland take care of many of these concerns?

    • nextimeOP 10 years ago

      No, it doesn't.

      Wayland has some advantages but also some disadvantages, and it isn't yet really mature.

      Also, Wayland, on the sandbox side, doesn't do anything special. As it's just a lot simpler than X and does pretty much nothing except copy a buffer to the screen, it delegates all IPC and rendering to the compositor. So, in the Wayland world, the security issues of X11 are moved to the compositor instead of staying in the X server, but the issues are the same and the compositor must consider them.

      • nextimeOP 10 years ago

        (Anyway, for sure fixing those issues in a compositor is easier and consumes fewer resources than on X11, so the Wayland world is better from this point of view. But I don't think it's yet mature enough, and many WMs/DEs don't yet support it, or support it only partially.)

        • eximius 10 years ago

          I know it is very immature (basically unusable in most cases), but my understanding was that it would be easier to fix these issues moving forward because of the design decisions taken in Wayland. Your response seems like a tentative affirmation of that, which is encouraging to me (for whenever I can actually use it).

nefariousoctopi 10 years ago

This is pretty much what Firejail [1] does (except the page trust level), and using it is fairly straightforward. I had some issues running a separate X server though (as far as I know, this is still more or less an experimental feature).

[1]: https://firejail.wordpress.com/

  • nextimeOP 10 years ago

    Yes, this isn't anything new, just an example setup of Firejail with some sugar added.

monort 10 years ago

Does someone run a similar setup but with xpra + VM? Is it usable?

  • nextimeOP 10 years ago

    Not for sandboxing reasons, but I've used KVM + xpra for other things. It's usable, but of course the VM needs a lot more resources.
