Hacker News new | past | comments | ask | show | jobs | submit login
Harden and secure browsers in containers, with GUI (crlf.link)
58 points by croqaz 3 months ago | hide | past | favorite | 31 comments

Now that WSLg support (https://github.com/microsoft/wslg) has landed in a release version of windows, another approach to this is to create new WSL distros for specific tasks, and run browsers from them.

Whilst it's a VM, I've found start-up time for WSL instances to be pretty quick, and it's pretty easy to create and clone a template VM (one approach https://raesene.github.io/blog/2020/05/31/Custom_Pentest_Dis... )

I tried doing some full-screen 3D engine development in SDL through WSL2 early this year, and stood up an X server for it. It didn't go well, so I blew away the WSL and tried running VMware Workstation 16. That was okay, but performance was surprisingly poor. I did some Googling and came to suspect that Hyper-V was the culprit. It was difficult, but I managed to extricate Hyper-V from my system and run the VMware Hypervisor instead. Performance is much better now and I don't have any complaints. Now I'm wondering how this graphical WSL setup compares though. Any experience using VMware Workstation to compare it?

I have used SDL on Windows with VC++ since 20 years now, so why bother at all with WSL?

I do basically all my development in Linux. I just wanted to be able to also do some of that work on a particular Windows system sometimes.

Fair enough,

although cmake + vcpkg + vc work just fine, it even does up to C17 if that is more your thing (minus optional annexes).

What is the RAM usage like? Does it reserve a big block?

Doesn't seem to bad, but I'm running on a desktop with 64GB, so I tend not to notice :)

A quick check there shows the vmmem process on my machine is sitting at 1.3GB with one WSL distribution started, which doesn't seem too bad.

I was just looking into various approaches to use process isolation for security on the desktop in Linux.

Containers within VMs are a norm for security in cloud-native [1]. Some lessons there could be applied to desktop.

One option is the approach of Spectrum OS [2]. They use crosvm (same as what Firecracker "micro VMs" uses) and virtio_wl [3][4].

Another approach might be x11docker [5] with Kata Containers [6].

Curiously, the work for WSLg (WSL with graphics) [7][8] to support graphical Linux guest VMs could also be applied on a Linux host.

  1: https://archive.fosdem.org/2020/schedule/event/kernel_address_space_isolation/attachments/slides/3889/export/events/attachments/kernel_address_space_isolation/slides/3889/Address_Space_Isolation_in_the_Linux_Kernel.pdf
  2: https://spectrum-os.org/
  3: https://spectrum-os.org/design.html
  4: https://alyssa.is/using-virtio-wl/
  5: https://github.com/mviereck/x11docker
  6: https://katacontainers.io
  7: https://github.com/microsoft/wslg
  8: https://xdc2020.x.org/event/9/contributions/611/attachments/702/1298/XDC2020_-_X11_and_Wayland_applications_in_WSL.pdf

> Another approach might be x11docker [5] with Kata Containers [6].

Why all the complexity? Just qemu/kvm and xpra, waypipe, whatever would be way simpler and in turn have way smaller of an attack surface. Same if you don't need virtualisation, just use bubblewrap instead of docker etc. It will even give you more fine grained control and you can just use your distributions package manager to keep everything up to date.

Also, xpra and waypipe are developed with the intent of being used remotely. They do not have any zero-copy provisions to reduce latency and overhead on local-only applications, like you would get with at least the virtio_wl and WSLg approaches.

I didn't know virtio_wl, it looks pretty neat. WSLg doesn't seem to have too much focus on sandboxing and only works on windows :(

Well, in the case of WSLg the sandbox is WSL itself (and you can spin up multiple different ones, though they'd hardly qualify as micro VMs). The only part that "only works on Windows" is the RDP client. The rest is specifically developed for Linux and open source. The backend is an extension of FreeRDP, so presumably the FreeRDP client would be just fine on Linux.

> The only part that "only works on Windows" is the RDP client.

Ah ok, I thought they have an X server running under windows, but apparently not. (Was that in some previous version? I remember reading that.)

> so presumably the FreeRDP client would be just fine on Linux.

Memory sharing would need support by the hypervisor I guess, that probably means hacking FreeRDP, rdp-wayland-backend and the hypervisor :\

I haven't really looked at this yet: https://github.com/microsoft/weston-mirror/tree/working/libw...

Edit: This is the most interesting commit: https://github.com/microsoft/weston-mirror/commit/f590a956c3...

Search for "shared" and "gfxredir"

As mentioned to open, containers within VMs are a security standard for cloud-native when security is critical.

x11docker is just a (very convenient) security layer for containers which need to expose graphics (and possibly webcam, audio, networking, clipboard, printers...). Kata Containers are just "micro VMs" where you spin up a separate kernel to drop the container into.

Bubblewrap is okay if you trust your kernel, but locking the app away in its own VM with its own kernel gives another layer to bust through.

> x11docker is just a (very convenient) security layer for containers which need to expose graphics (and possibly webcam, audio, networking, clipboard, printers...). Kata Containers are just "micro VMs" where you spin up a separate kernel to drop the container into.

Yeah, thats what I meant, you can just use kvm and your gui/audio/etc. stuff directly instead of having all the unnessecary complexity and dependency those layers bring along.

> Bubblewrap is okay if you trust your kernel

Thats why I proposed it for when you don't need virtualisation. You can ofc also use it in a VM to further restrict processes.

x11docker is really just a ~10K lines bash script. You'd just be reinventing or copying parts of it.

Kata or crosvm are kind of the only games in town as far as "micro VMs" go.

I love this idea but it's broken a bit if webcams and mics can't be used at least for my use-case. If I had some time I'd look into extending that with this project.

For the (few) docker-based browser containers I use, I simply bind-mount[1] the relative devices and (in Chrome) it all just works.

For Chrome inside a container, I also install the Google Talk plug-in. Unsure if that's still required, but things work well.

[1]: i.e. "--group-add plugdev", "--device /dev/hidraw4", "--device /dev/video4", "--device /dev/snd", "--device /dev/sri" and similar

I almost don't want to ask as I know the answer is likely to be not great but can this also be done on mac?

If they're USB devices, you can try tweaking the docker-machine VM definition in whatever hypervisor your Mac uses, so that the devices are mounted directly in the VM and are thus available to containers.

of course! that's a good idea.

Have a look at Qubes OS then : https://qubes-os.org. It's even more secure (hardware VT-d virtualization), with a nice gui and allows to use webcams and microphones securely.

No GPU acceleration which makes it (as understandable as the choice is) kind of a pain to use.

It's fast enough for all normal tasks in my experience. Also, you can make a GPU passthrough.

Pulseaudio has network support. You should be able to share your microphone. Of course you need to run pulseaudio inside the container, too. So it's no longer an application container, but a system container.

I used system containers in the past, they are not always easy. No idea whether it would work with podman.

Now that I think about it: The browser obviously uses the display of the host. How? Only over X11 network protocol? That worked in the past, does it still work today? I thought modern browsers would need /dev/dri/? If that is made available, why would Webcams not be possible?

> Only over X11 network protocol?

If you read the examples you'll see that they mount /tmp/.X11-unix in the container, thats where the X-Sessions Unix domain socket is. You can do the same for pulseaudio. But you shouldn't. Use Wayland and Pipewire if you are actually interested in using this as a security measure, since they are built for sandboxing.

> I thought modern browsers would need /dev/dri/?

They only need it for hw-acceleration. You can also give the container access to it if you need that.

X Display Access ~ RCE

You can mount the socket and xauthority of a xephyr window instead of your root X server.

Some time ago I have done something similar: https://github.com/grzegorzk/ff_in_podman It's interesting to see, that hardened browser executed from container is actually quite unique setup (and hence, in a way, easy to spot unless many people are using same setup).

Containers do not offer the amount of security people think they do

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact