Sandboxing X11 OpenGL applications in nested X11

i.Dark_Templar darktemplar at dark-templar-archives.net
Thu Jul 23 12:57:09 UTC 2020


Hi.

I want to try sandboxing some X11 applications in nested X11 sessions,
effectively preventing the sandboxed application from accessing the parent
X11 session.
I've tried using Xnest and Xephyr. The first one doesn't support OpenGL at
all, the second one only uses a software implementation. Unfortunately, for
some applications that is not enough.

I've seen the VirtualGL project. I didn't test if using Xephyr + VirtualGL
would be enough. VirtualGL's setup looks quite invasive to me.

Is there a way to run a nested X11 session with full hardware-accelerated
OpenGL (+Vulkan) support on Linux that I missed?

Is there a reason for Xephyr, for example, to support only software
rendering OpenGL besides hardware rendering support not being
implemented yet?

If there are no blocks for implementing such support in Xephyr, where
should one start looking into the source code, considering almost
non-existent experience with coding/patching X11?

