by easygenes 1704 days ago
I was just looking into various approaches to use process isolation for security on the desktop in Linux.

Containers within VMs are a norm for security in cloud-native [1]. Some lessons there could be applied to desktop.

One option is the approach of Spectrum OS [2]. They use crosvm (same as what Firecracker "micro VMs" uses) and virtio_wl [3][4].

Another approach might be x11docker [5] with Kata Containers [6].

Curiously, the work for WSLg (WSL with graphics) [7][8] to support graphical Linux guest VMs could also be applied on a Linux host.

  1: https://archive.fosdem.org/2020/schedule/event/kernel_address_space_isolation/attachments/slides/3889/export/events/attachments/kernel_address_space_isolation/slides/3889/Address_Space_Isolation_in_the_Linux_Kernel.pdf
  2: https://spectrum-os.org/
  3: https://spectrum-os.org/design.html
  4: https://alyssa.is/using-virtio-wl/
  5: https://github.com/mviereck/x11docker
  6: https://katacontainers.io
  7: https://github.com/microsoft/wslg
  8: https://xdc2020.x.org/event/9/contributions/611/attachments/702/1298/XDC2020_-_X11_and_Wayland_applications_in_WSL.pdf

> Another approach might be x11docker [5] with Kata Containers [6].

Why all the complexity? Just qemu/kvm and xpra, waypipe, whatever would be way simpler and in turn have a way smaller attack surface. Same if you don't need virtualisation, just use bubblewrap instead of docker etc. It will even give you more fine-grained control and you can just use your distribution's package manager to keep everything up to date.

Also, xpra and waypipe are developed with the intent of being used remotely. They do not have any zero-copy provisions to reduce latency and overhead on local-only applications, like you would get with at least the virtio_wl and WSLg approaches.
I didn't know virtio_wl, it looks pretty neat. WSLg doesn't seem to have too much focus on sandboxing and only works on Windows :(
Well, in the case of WSLg the sandbox is WSL itself (and you can spin up multiple different ones, though they'd hardly qualify as micro VMs). The only part that "only works on Windows" is the RDP client. The rest is specifically developed for Linux and open source. The backend is an extension of FreeRDP, so presumably the FreeRDP client would be just fine on Linux.
> The only part that "only works on Windows" is the RDP client.

Ah ok, I thought they had an X server running under Windows, but apparently not. (Was that in some previous version? I remember reading that.)

> so presumably the FreeRDP client would be just fine on Linux.

Memory sharing would need support by the hypervisor I guess, that probably means hacking FreeRDP, rdp-wayland-backend and the hypervisor :\

I haven't really looked at this yet: https://github.com/microsoft/weston-mirror/tree/working/libw...

Edit: This is the most interesting commit: https://github.com/microsoft/weston-mirror/commit/f590a956c3...

Search for "shared" and "gfxredir"

As mentioned in the opening post, containers within VMs are a security standard for cloud-native when security is critical.

x11docker is just a (very convenient) security layer for containers which need to expose graphics (and possibly webcam, audio, networking, clipboard, printers...). Kata Containers are just "micro VMs" where you spin up a separate kernel to drop the container into.

Bubblewrap is okay if you trust your kernel, but locking the app away in its own VM with its own kernel gives another layer to bust through.

> x11docker is just a (very convenient) security layer for containers which need to expose graphics (and possibly webcam, audio, networking, clipboard, printers...). Kata Containers are just "micro VMs" where you spin up a separate kernel to drop the container into.

Yeah, that's what I meant, you can just use kvm and your gui/audio/etc. stuff directly instead of having all the unnecessary complexity and dependency those layers bring along.

> Bubblewrap is okay if you trust your kernel

That's why I proposed it for when you don't need virtualisation. You can ofc also use it in a VM to further restrict processes.

x11docker is really just a ~10K-line bash script. You'd just be reinventing or copying parts of it.

Kata or crosvm are kind of the only games in town as far as "micro VMs" go.
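The bubblewrap route suggested in the thread, as an added example that is not part of the discussion and not bubblewrap's own code: a sandbox for a Wayland GUI app that exposes only the compositor socket, a read-only root, a private /tmp and one app-private data directory mounted over $HOME, with every namespace (including network) unshared. The bwrap flags are real bubblewrap options; the data directory and app path are placeholders, and D-Bus, PipeWire and GPU device nodes are deliberately left out (each one is a hole you add on purpose). `check_isolation` runs a throwaway command inside the sandbox and confirms the properties actually hold; it returns 2 instead of failing when bwrap is missing or cannot create namespaces on the host.

```shell
#!/bin/sh
# Added example (not from the thread): minimal bubblewrap sandbox for a
# Wayland app. DATADIR and the app path are placeholders; the options are
# real bwrap flags. Assumes a merged-/usr system (/bin -> usr/bin).
set -u

# Print one bwrap option per line for the given app-private data dir.
sandbox_args() {
    datadir="$1"
    home="${HOME:-/root}"
    rt="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
    wl="${WAYLAND_DISPLAY:-wayland-0}"
    printf '%s\n' \
        --ro-bind /usr /usr \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --ro-bind /etc /etc \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --unshare-all \
        --new-session \
        --die-with-parent \
        --bind "$datadir" "$home" \
        --setenv HOME "$home"
    # Bind the compositor socket only if present (a bind of a missing path
    # makes bwrap fail). Read-only is enough to connect() to a unix socket.
    if [ -S "$rt/$wl" ]; then
        printf '%s\n' \
            --ro-bind "$rt/$wl" "$rt/$wl" \
            --setenv XDG_RUNTIME_DIR "$rt" \
            --setenv WAYLAND_DISPLAY "$wl"
    fi
}

# Usage: run_sandboxed "$HOME/.local/share/app-box" /usr/bin/some-wayland-app
# Splits sandbox_args on newlines only, so paths with spaces survive.
run_sandboxed() {
    datadir="$1"; shift
    old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(sandbox_args "$datadir") -- "$@"
    set +f
    IFS=$old_ifs
    bwrap "$@"
}

# 0: all properties hold, 1: a violation, 2: bwrap unavailable here.
check_isolation() {
    command -v bwrap >/dev/null 2>&1 || return 2
    bwrap --unshare-all --ro-bind / / true >/dev/null 2>&1 || return 2
    datadir="${TMPDIR:-/tmp}/bwrap-demo.$$"
    mkdir -p "$datadir"
    # Inside: /tmp is empty, the fresh netns has only lo, and $HOME is the
    # host DATADIR (a file written there must appear outside).
    run_sandboxed "$datadir" sh -c '
        [ -z "$(ls -A /tmp)" ] || exit 1
        [ "$(grep -c : /proc/net/dev)" -eq 1 ] || exit 1
        echo marker > "$HOME/from-sandbox" || exit 1
    '
    rc=$?
    [ "$rc" -eq 0 ] && [ -f "$datadir/from-sandbox" ] || rc=1
    rm -rf "$datadir"
    return "$rc"
}
```

The point of `--unshare-all` plus explicit `--ro-bind` lines is that everything not listed is absent inside the sandbox, which is the "fine-grained control" the comment refers to; adding `--share-net` or a D-Bus proxy socket is then a visible, reviewable decision rather than a default.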