Xorg isolation

Christopher Marshall christophermarshall98 at gmail.com
Sun Jan 22 12:20:35 UTC 2023


Hi

I'm running Arch Linux and trying to fully isolate Xorg and I would really
appreciate any input, hints, tips, suggestions etc or advice you could
provide as to the security of what I'm proposing for my setup. I really
appreciate your time as I'm aware you probably get asked this question a
lot.

I'm already running rootless Xorg using SDDM, although I'm still working on
a couple of bugs, such as a black screen for a while on login.

My idea is to use Firejail to individually isolate programs using Xephyr
and prevent them from talking to the main server using things also built
into Firejail such as seccomp.

Second, I'd like to Firejail the main Xorg server, so that only approved
means can access it (namely keyboard, mouse, screen, Xephyr - anything
missing from this list?) and stop it from accessing the internet or other
parts of the network or clients which are not running in Xephyr. My idea
behind this is that if Xorg is not running as root and it's jailed in
Firejail there should be no way for it to access or do anything
harmful/damaging even in the event of zero-day vulnerabilities.

I'd also like to use namespaces here on the main server to ensure things
are a bit more strict and isolated.

Third, when initiating Xorg, I'd initiate with a command such as:

  Xorg -nolisten tcp -nolisten inet -nolisten inet6 -listen unix -nolisten local :0 -seat seat0 vt7 -novtswitch

which should turn off listening on all sockets other than those on the
local machine, helping to further isolate the network element of it.

In my opinion, from what I've read, this should nullify most of the security
threats from Xorg, but I would really appreciate an opinion from someone with
much deeper experience than me.

Really appreciate your time.
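As an added example (not part of the post above, and not Firejail's or Xorg's own code), the following shell script shows the per-application Xephyr jail the poster describes, plus the check a practitioner would want before trusting it: from inside the jail, the nested display must answer while the main server :0 must not. It assumes firejail, Xephyr and xdpyinfo are installed; "xterm" and the 1280x800 geometry are placeholders. The `--net=none` flag is the part that is easy to miss: on Linux, Xorg also listens on an abstract Unix socket (@/tmp/.X11-unix/X0), which is scoped to the network namespace rather than the filesystem, so hiding /tmp/.X11-unix/X0 alone does not cut a client off from the main server.

```shell
#!/bin/sh
# Added example, not code from the original post: wrap one X11 client in a
# Firejail sandbox with its own Xephyr display, then verify from inside the
# jail that the main Xorg server (:0) cannot be reached.
# Assumptions: firejail, Xephyr and xdpyinfo are installed; "xterm" and the
# 1280x800 geometry are placeholders.

# Build the firejail command line for APP.
#  --x11=xephyr   start a nested Xephyr server and point DISPLAY at it;
#                 firejail gives the jail a private /tmp/.X11-unix containing
#                 only that display's socket
#  --net=none     new network namespace; required because the main server's
#                 abstract socket (@/tmp/.X11-unix/X0) lives in the network
#                 namespace and would otherwise stay reachable
#  --seccomp      Firejail's default syscall filter
build_jail_cmd() {
    app="$1"
    printf 'firejail --x11=xephyr --xephyr-screen=1280x800 --net=none --seccomp -- %s' "$app"
}

# Return 0 if display :N answers, 1 otherwise. Uses xdpyinfo when present,
# otherwise falls back to checking for the filesystem socket (which does not
# cover the abstract socket, hence the preference for a real connection test).
display_reachable() {
    n="$1"
    if command -v xdpyinfo >/dev/null 2>&1; then
        xdpyinfo -display ":$n" >/dev/null 2>&1
    else
        [ -S "/tmp/.X11-unix/X$n" ]
    fi
}

# Run the isolation check inside a jail built by build_jail_cmd: the inner
# shell must see its own (Xephyr) display but must fail to reach :0.
verify_jail() {
    cmd=$(build_jail_cmd "sh -c 'xdpyinfo >/dev/null && ! xdpyinfo -display :0 >/dev/null 2>&1'")
    eval "$cmd"
}

# Usage: ./xephyr-jail.sh verify      (isolation self-test)
#        ./xephyr-jail.sh run xterm   (launch a client in its own Xephyr)
case "${1:-}" in
    verify) if verify_jail; then echo "jail cannot reach :0"; else echo "ISOLATION FAILED"; fi ;;
    run)    eval "$(build_jail_cmd "${2:-xterm}")" ;;
esac
```

The self-test is deliberately run inside the same jail configuration as the real client: a check made from the host says nothing about what the sandboxed process can reach. If `verify` reports a failure, the usual cause is that the jail shares the host network namespace, so the abstract socket of :0 is still visible.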