Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

You could use a proxy server (regardless of the protocol), which might improve security (and other things) better than other methods do, I think.

There are problems with both X11 and Wayland, although I dislike some of the features of Wayland.



Yeah, with Qubes that's exactly what they do. I forget what the software is called, but they use an X11 proxy that tries to enforce policy.

That said though, that does require you to proactively run every X application with this sandboxing. For Qubes which forces everything into VMs this is doable, but for most other systems there isn't an obvious way to handle this sort of thing.

My only major complaint about Wayland that can't just be fixed relatively easily is Mutter refusing to support SSD. (Well, the actual technical problem could be fixed relatively easily, but the social one not so much.)


Firejail uses nested X11 servers like xeohyr or xrdp to restrict application access to the primary X11.


Hmm, I thought it was Xephyr but I was wrong. It looks like Qubes actually does something even more involved:

https://doc.qubes-os.org/en/latest/developer/system/gui.html

This makes sense though, given the way clipboard works in Qubes. I think I must've entirely mistaken how Qubes works for an entirely different scheme.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: