Running GUI apps with Docker (fabiorehm.com)
123 points by SlipperySlope on Oct 8, 2014 | 34 comments


I use ssh -X [1] since it runs the application as an untrusted client, not able to interact with or manipulate or sniff from other windows. ssh -Y is the trusted equivalent.

Might I assume that the approach in the article gives processes in the container full access to one's X11 session and contents?

[1]: SSH X11 forwarding


FYI, Fábio Rehm is also the author of the great LXC provider for Vagrant[1], which I successfully use for fun and profit almost every working day.

PS: If you like Fábio's work, consider tipping him[2] (I already did, with bitcoins! :)

[1]: https://github.com/fgrehm/vagrant-lxc

[2]: https://gratipay.com/fgrehm/


Share your X11 socket/cookie, and now everything you input (keyboard/mouse, etc.) is readable by a so-called "contained" application; this is not a secure solution, but more of a comfort solution, and it should be used as such.

On a side note, I've been doing this with chroot/debootstrap for years, but lxc/docker provide a nice "engineered" solution.


While I think this is cool, could someone explain to me why I'd bother using a docker setup over let's say a... traditional VM? And I don't need justification for using containers on a server, that makes sense... on a desktop though something just seems off.

Seems like there's little to gain and a lot to configure/worry about with the Docker setup. Happy to be learned somethin' ... just would like to know what that somethin' is.


There are a couple reasons I can think of:

* You can run different versions of program side-by-side: FF 32 in one window, and FF 31 in another to test compatibility and regression.

* You can install programs without polluting your base system. I don't want to have Java installed, but sometimes I just need to run an applet.

All of that can be achieved with traditional VM, but with the performance penalty. As Docker runs on top of the native kernel, speed should be comparable to the application running directly on host.


My guesses are speed - not that relevant if you are interacting with an app that is waiting for user input - and memory usage.

In a traditional VM, you have to reserve memory that is used by the guest OS and the apps you want to run, and is unavailable as soon as the VM comes up.

Docker is incredibly lightweight in comparison. Also, you can move your development environment around, same way you would move a VM disk around. That requires less resources, again, as there is no OS install.


If it's helpful to anyone else, I used X virtual frame buffer with VNC to do something similar earlier this year https://github.com/clifton/docker-ib-gateway


humm, the sudo makes me shudder.


Why? It's being run inside the docker container, it should be ok.


Docker "isolation" is not as strong as most hipsters think. :-)


Interesting, any links which expand on the issues?


Docker is based on Linux namespaces. The first thing which comes to mind is that Docker does not use user namespaces. Hence, the root within Docker is the same root as on the host side. Of course Docker papers over the issue by using apparmor and other tricks but this does not cure the issue itself.

Linux containers (LXC, libvirt-lxc, Docker) are shared-kernel virtualization. Every single kernel vulnerability will hit you hard.

In contrast to LXC and libvirt-lxc, Docker lets you configure a lot of insane setups which are not secure (but are easy to set up). Also keep in mind resource issues. If you set up your container in a wrong way it may eat all your available file descriptors, all memory, etc... (because it is a shared kernel).

Let's face it, the whole technology was not designed for sandboxing, more for easy deployment of applications.

That said, I really love containers and use them a lot in production with libvirt-lxc. But I don't use them for sandboxing.


This is the first that comes to mind:

http://blog.bofh.it/debian/id_413


That's an article from 2011. This evasion does not work today.


That example is old, but yes it does work, and will continue to work until docker uses user namespaces.

That said, the example is not a good one because of the changes applied these days, e.g. the use of the UID on the host-side.


I actually tried it on Docker 1.2.0 with the ubuntu:14.04 image.

/sys is already mounted and it is read-only, and it cannot be mounted manually:

  root@07ba8c752195:/# mkdir sys2
  root@07ba8c752195:/# mount -t sysfs sysfs /sys2
  mount: block device sysfs is write-protected, mounting read-only
  mount: cannot mount block device sysfs read-only


BTW: Just one example of a typical Linux namespace vulnerability: http://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-na...


I tested this with the busybox image, and received a warning that /sys was already mounted, but the attack then proceeded to work as expected.


  kalmi@sylph ~> docker run -t -i busybox:latest
  / # mount -t sysfs sysfs /sys
  mount: permission denied (are you root?)
  / # mkdir sys2
  / # mount -t sysfs sysfs /sys2
  mount: mounting sysfs on /sys2 failed: Permission denied

  kalmi@sylph ~> docker --version
  Docker version 1.2.0, build fa7b24f

  kalmi@sylph ~> uname -r
  Linux sylph 3.13.0-35-generic #62-Ubuntu SMP Fri Aug 15 01:58:42 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux


We don't need to argue about this: I see the same permission-denied issue as you, but that doesn't matter.

The /sys is mounted already and reading/writing to it succeeds:

     / # mount -t sysfs sysfs /sys
     mount: permission denied (are you root?)

     / # echo /var/lib/docker/aufs/mnt/638ae26bb710384a8ebade3a66049277affea8b0f3e96003d351f167a9706aef/tmp/evil-helper > /sys/kernel/uevent_helper

     / # cat   /sys/kernel/uevent_helper
     /var/lib/docker/aufs/mnt/638ae26bb710384a8ebade3a66049277affea8b0f3e96003d351f167a906aef/tmp/evil-helper

From there the attack works. Obviously the change here is that I need to know the full UID, which is a cheat, but ..
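The two tests above disagreed only on whether sysfs inside the container was writable. As an added example (not code from the article or from any commenter), this script answers that question from /proc/self/mountinfo, which is always readable, instead of attempting the write; the mountinfo lines it parses are constructed samples, and the live audit only inspects permission bits.

```python
"""Report whether /sys is mounted read-only inside the current container."""
import os

# Constructed /proc/self/mountinfo lines (not captured from a real host).
# Field layout per proc(5):
#   id parent maj:min root mountpoint mount-opts [optional...] - fstype source super-opts
# The first mirrors a container whose sysfs carries the per-mount "ro" flag,
# the second one where sysfs is writable, the third has no sysfs at all.
SAMPLE_RO = "23 17 0:19 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw\n"
SAMPLE_RW = "23 17 0:19 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw\n"
SAMPLE_NOSYS = "17 1 0:5 / / rw,relatime - aufs none rw\n"


def parse_mountinfo(text):
    """Yield (mountpoint, fstype, mount_opts, super_opts) per mountinfo line."""
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        fields, rest = pre.split(), post.split()
        if not sep or len(fields) < 6 or len(rest) < 3:
            continue  # blank or malformed line
        mountpoint = fields[4].replace("\\040", " ")  # mountinfo escapes spaces
        yield (mountpoint, rest[0],
               set(fields[5].split(",")), set(rest[2].split(",")))


def sysfs_state(text, mountpoint="/sys"):
    """Return 'absent', 'ro' or 'rw' for the sysfs mount at mountpoint.

    Writes fail if either the per-mount flags or the superblock options
    carry 'ro', so both are checked.
    """
    for mp, fstype, mount_opts, super_opts in parse_mountinfo(text):
        if mp == mountpoint and fstype == "sysfs":
            return "ro" if ("ro" in mount_opts or "ro" in super_opts) else "rw"
    return "absent"


def audit_live(helper="/sys/kernel/uevent_helper"):
    """Audit the running container: read mountinfo and check permission bits
    on the uevent helper path, without writing anything to /sys."""
    with open("/proc/self/mountinfo") as f:
        state = sysfs_state(f.read())
    return {"sysfs": state, "uevent_helper_writable": os.access(helper, os.W_OK)}


if __name__ == "__main__":
    print(audit_live())
```

Run it as an unprivileged user inside the container; a result of `'rw'` together with a writable helper path is the condition the busybox test above hit, while `'ro'` matches the ubuntu:14.04 result.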


A lot is developing in this space. Will have more to talk about soon :)



Are there still problems with apps that require the initialization system? I never was able to get things like dbus working in Docker.


Noob here. What are the possible usecases?


Skype, for example, can be run inside a container [1], allowing you to use it while hiding the rest of your system from the obfuscated and traffic-encrypted binary which no one knows what it does to your system.

It uses X11 forwarding for the GUI, and PulseAudio for the sound.

[1] - https://registry.hub.docker.com/u/tomparys/skype/


Also Skype has been caught reading the UNIX passwd file and your firefox profile:

http://linux.slashdot.org/story/07/08/26/1312256/skype-linux...

The thing that made me finally uninstall it (from everything) is when my phone OS (MIUI) informed me that Skype wanted to suddenly take a photo of me even though I hadn't touched the app for days.


This Skype use case really interests me a lot, as I have to use it professionally and do not trust this application at all and would like to limit it to a bare minimum: microphone, webcam, screen and one single folder for file exchange.

I never tried Docker, but I wonder if these requirements can be achieved with SELinux or AppArmor, as they are supported by many distributions and have been around longer than Docker?

Would be great to be able to tighten the corset around any non open-source application, to make sure it is not siphoning data.


I'll note that X11 has practically no security and that windows can read contents from other windows, if you happen to be worried about that attack. Essentially, anything that is displayed can be read by anything.

You'd need some form of "X11 firewall" to be secure.


Untrusted SSH X-forwarding (via -X) is a start.



Just guessing - Internet Explorer under Wine.


Automated testing of native clients could leverage this.


Does OpenGL work with this?


Nice... previously I'd just installed vnc.



