undefined | Better HN

0 pointssprash5y ago0 comments

> I'm honestly surprised no one has just tried to make it so you can "firewall" X11 programs

This can be done via firejail[1] + xpra/xephyr but is a rather cumbersome endeavor. The X11 standard also contains access control hooks that allow you to "firewall" any aspect of your application. However it is used by no application I personally know of and is rendered useless by how the xinput mechanism is implemented at this point.

The reason nobody bothered to deal with this so far is that people almost never run untrusted software on FOSS systems which is what X11 primarily targets. There was no demand.

1.: https://firejail.wordpress.com/documentation-2/x11-guide/

0 comments

4 comments · 1 top-level

cycloptic5y ago· 3 in thread

The demand there would be with products like Qubes and Subgraph, which are currently using Xephyr and Xpra. Eventually Wayland should be able to improve performance there, and bring some of the security benefits of those setups to other distributions.

jude-5y ago

Seems to me that firewalling X11 programs from one another would take a lot less work and be a lot less disruptive than requiring users to run multiple VMs with multiple X11 servers and/or replace the whole graphics stack.

tux19685y ago

Trying to shoehorn proper security into X11 would be a formidable effort and still be quite disruptive to client software.

Back when Wayland was just being proposed there were not a lot of developers working on X. They almost-unanimously agreed that it was time to break with backward compatibility and eject a lot of cruft that had built up over the years, such as the horrible font handling. Modern toolkits had already started moving away from using many of these X11 facilities and were doing much more client side anyway. So the argument was that a relatively clean slate design was called for which should dispense with the cruft and better handle client-side rendering.

It's not perfect and I know it is disruptive for some people, but at least here it has led to a much better experience for some years now.

1 more reply

cycloptic5y ago

Maybe that's true if that's your only concern, but there are other reasons to replace X11 than just this.

Also, X11 is arguably not the whole graphics stack, at this point the DRM/Mesa piece is much larger and more significant, and Wayland doesn't replace it outright anyway -- it makes it optional if needed for backwards compatibility, in the same way that macOS has XQuartz.

1 more reply

j / k navigate · click thread line to collapse