RFC: new namespace based security extension
Enrico Weigelt, metux IT consult
info at metux.net
Tue Mar 11 18:02:50 UTC 2025
Hello folks,

I'd like to let you know I'm working on a new Xserver extension that's
putting clients into different "namespaces", so they can be isolated
from each other.

The idea is a bit similar to Linux namespaces (containers), where
processes inside a container can operate quite as if they were alone
on the machine. The XNS extension goes a similar way: clients of different
namespaces can't see/touch each other (except for those in parent NS'es).

In contrast to the old Xsecurity extension, XNS tries to emulate
prohibited things in a way that the client doesn't even recognize
(several existing clients crash when running unprivileged on
Xsecurity, since they're not expecting certain operations to be
refused).

One of many practical use cases I'm planning for the future is mobile
applications (e.g. "smartphones").

For now everything's still WIP, in a very early state, not practically usable
yet (at least it's not crashing anything ;-)). There's still a lot to
do, but I'm moving step by step.

https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1865

Feel free to comment in the MR :)

have fun,

--mtx
--
---
Note: unencrypted e-mails can easily be intercepted and manipulated!
For confidential communication, please send your GPG/PGP key.
---
Enrico Weigelt, metux IT consult
Free software and Linux embedded engineering
info at metux.net -- +49-151-27565287