Skip to main content

Isolating Graphical Software (Part 1)

I’ve really been missing the experience of Qubes OS, where all programs are properly isolated. However, I can’t install it on my daily driver because I use that machine for gaming. Instead, I’ve been exploring ways to approximate that isolation on a standard Linux setup.

Firefox Profiles

Let’s start with the browser. There are many privacy and security benefits to separating profiles. My general workflow is as follows:

  • I create separate .desktop files to run Firefox with different profiles. Each file uses a unique --name and StartupWMClass=. This prevents the icons from stacking together on the GNOME Panel.
  • I use ImageMagick to tint the icons so I can tell the profiles apart at a glance: magick input.png -colorspace gray -fill "#cc0000" -tint 100 output.png
  • The “new” Firefox profile manager didn’t work well for me. For example, I couldn’t set a default profile for opening external URLs. I eventually had to switch back to the old profile management style.

However, while this setup isolates cookies, it doesn’t isolate processes. A compromised Firefox instance could still theoretically access data from other profiles. For better security, I’m considering:

  1. Installing Firefox via Flatpak and launching multiple instances with different data directories.
  2. Installing entirely different browsers via Flatpak.

One challenge is that some configurations (like specific extensions) need to be synced across profiles, which isn’t always easy to automate.

Flatpak

Since Fedora Silverblue provides Flatpak by default, I gave it a try and really liked it. It feels similar to the application sandboxing on modern mobile phones. I can fine-tune permissions using Flatseal, though the default permissions are usually reasonable enough that I don’t have to.

There are only two real downsides: * It isn’t obvious or easy to launch multiple independent instances of the same application (like Firefox). * The Fedora repository isn’t very comprehensive, and I’m not quite ready to switch to the Flathub repository yet.

Podman

Podman is great for accessing a wider selection of packages, though it requires more manual work to configure permissions.

Wayland

Surprisingly, it isn’t difficult to allow a container to use the host’s Wayland display. Here is an example command:

podman run \
  --device /dev/dri:/dev/dri \
  --env=WAYLAND_DISPLAY="${WAYLAND_DISPLAY}" \
  --volume "${XDG_RUNTIME_DIR}/${WAYLAND_DISPLAY}":/run/wayland-0:z \
  ...

However, this does require some SELinux configuration, which I’ll cover below.

SELinux

Podman supports SELinux, and the :z and :Z volume flags are useful in many cases. However, they don’t work well for shared resources like Wayland sockets or network shares.

I used udica to analyze container images and generate custom SELinux types. It isn’t perfect, for instance, it doesn’t automatically detect and allow Unix sockets, but it provides a solid base configuration.

This is where I learned about SELinux CIL (Common Intermediate Language). Standard SELinux doesn’t strictly allow “inheritance,” but CIL files make it possible to define a container that behaves like a standard container while adding specific permissions (like talking to /dev/vsock). For more on this, check out this customization guide.

By using udica, audit2allow, and semodule, I defined a custom SELinux type (e.g., my-type) for my container. Now, I just run the container with: --security-opt label=type:my-type.process.

Security-Focused Runtimes

Generally, standard containers aren’t considered a “hard” security boundary. There are security-focused runtimes like gVisor and Kata Containers, but gVisor isn’t ideal for graphical programs, and Kata uses VMs. Since my daily driver is already a VM, I want to avoid the performance hit of nested virtualization.

Virtual Machines

For serious isolation, a VM is the gold standard. Since my daily driver is a VM with GPU passthrough, I decided that instead of nesting, the daily driver should coordinate with the host to launch headless VMs and render the graphics back to the daily driver.

I also wanted to experiment with microVMs, which seem perfect for this. I looked into several options:

Kata Containers is appealing because it supports OCI images. Theoretically, I could run podman inside my VM to control a podman socket on the host. libvirt might offer a similar path.

However, I want to stick to the official Debian repositories and keep my host installation as minimal as possible. Currently, my host is just a bare-bones Debian install with QEMU.

Ultimately, I decided to see how far I could get with QEMU microvm. After a few days of tinkering, I have a working prototype. In the next post, I’ll share the details of that setup.

Labels:

Comments

Post a Comment

Popular posts from this blog

Exploring Immutable Distros and Declarative Management

My current server setup, based on Debian Stable and Docker, has served me reliably for years. It's stable, familiar, and gets the job done. However, an intriguing article I revisited recently about Fedora CoreOS, rpm-ostree, and OSTree native containers sparked my curiosity and sent me down a rabbit hole exploring alternative approaches to system management. Could there be a better way? Core Goals & Requirements Before diving into new technologies, I wanted to define what "better" means for my use case: The base operating system must update automatically and reliably. Hosted services (applications) should be updatable either automatically or manually, depending on the service. Configuration and data files need to be easy to modify, and crucially, automatically tracked and backed up. Current Setup: Debian Stable + Docker My current infrastructure consists of several servers, all running Debian Stable. System Updates are andled automatically via unattended-upgrades. Se...
Post a Comment
Read More »

A Rocky Migration: Moving from docker-compose to Podman and gVisor

I've been running a few containers for several years. They were all running under rootless Docker with a single user. Initially, I planned to  migrate the containers to VMs , but I couldn't get a stable workflow after about two months of effort. Later,  gVisor caught my attention , and I decided to migrate to Podman with gVisor instead. The new plan is to run each container with  --userns=auto  and use Quadlet for systemd integration. This approach provides better isolation and makes writing firewall rules easier. I'm now close to migrating all my containers. Here are a couple of rough edges I'd like to share. Network Layout I compared  various networking options  and spent a few hours trying the one-interface-per-group approach before giving up. I settled on a single macvlan network and decided to use static IP addresses for my containers. To prevent a randomly assigned IP address from conflicting with a predefined one, I allocated a large IP range for my ...
Post a Comment
Read More »

Determine Perspective Lines With Off-page Vanishing Point

In perspective drawing, a vanishing point represents a group of parallel lines, in other words, a direction. For any point on the paper, if we want a line towards the same direction (in the 3d space), we simply draw a line through it and the vanishing point. But sometimes the vanishing point is too far away, such that it is outside the paper/canvas. In this example, we have a point P and two perspective lines L1 and L2. The vanishing point VP is naturally the intersection of L1 and L2. The task is to draw a line through P and VP, without having VP on the paper. I am aware of a few traditional solutions: 1. Use extra pieces of paper such that we can extend L1 and L2 until we see VP. 2. Draw everything in a smaller scale, such that we can see both P and VP on the paper. Draw the line and scale everything back. 3. Draw a perspective grid using the Brewer Method. #1 and #2 might be quite practical. #3 may not guarantee a solution, unless we can measure distances/p...
3 comments
Read More »