reasonably secure #linux app #isolation. here are the options.
#wayland
BEST OPTION for many situations
pros:
- x11 issue(s) fixed
--> input isolation
--> clipboard isolation
- gpu acceleration
- easy setup on wayland
cons:
- not virtual machine level isolation, e.g. filesystem and network are the same
howto:
run wayland session as another user:
sudo runuser -l user2 -c 'mkdir -p ~/.cache/run && chmod 0700 ~/.cache/run && XDG_RUNTIME_DIR=~/.cache/run DISPLAY=:0 dbus-run-session -- startplasma-wayland'
#lxc
works, ui possible with x2goserver, x2goclient
pros:
- virtual machine level isolation
- linux distro can vary from host, e.g. install ubuntu on manjaro host
--> with difficulties, e.g. ubuntu cannot install packages with the default configuration because snapd doesn't work as expected
cons:
- gpu passthrough difficult, cannot even play youtube over 480p without dropping frames
#x11, different user
DO NOT USE
cons:
- by default isolation does not work
- can install keylogger (see xinput) with standard user permissions!
do not expect any isolation, nor any su/sudo security