Harden and secure browsers in containers, with GUI

Harden and secure browsers in containers, with GUI(crlf.link)

58 points by croqaz 4 years ago | 31 comments

raesene9 4 years ago |

Now that WSLg support (https://github.com/microsoft/wslg) has landed in a release version of windows, another approach to this is to create new WSL distros for specific tasks, and run browsers from them.

Whilst it's a VM, I've found start-up time for WSL instances to be pretty quick, and it's pretty easy to create and clone a template VM (one approach https://raesene.github.io/blog/2020/05/31/Custom_Pentest_Dis... )

easygenes 4 years ago | |

I tried doing some full-screen 3D engine development in SDL through WSL2 early this year, and stood up an X server for it. It didn't go well, so I blew away the WSL and tried running VMware Workstation 16. That was okay, but performance was surprisingly poor. I did some Googling and came to suspect that Hyper-V was the culprit. It was difficult, but I managed to extricate Hyper-V from my system and run the VMware Hypervisor instead. Performance is much better now and I don't have any complaints. Now I'm wondering how this graphical WSL setup compares though. Any experience using VMware Workstation to compare it?

pjmlp 4 years ago | | |

I have used SDL on Windows with VC++ since 20 years now, so why bother at all with WSL?

mkl 4 years ago | |

What is the RAM usage like? Does it reserve a big block?

raesene9 4 years ago | | |

Doesn't seem to bad, but I'm running on a desktop with 64GB, so I tend not to notice :)

A quick check there shows the vmmem process on my machine is sitting at 1.3GB with one WSL distribution started, which doesn't seem too bad.

easygenes 4 years ago |

I was just looking into various approaches to use process isolation for security on the desktop in Linux.

Containers within VMs are a norm for security in cloud-native [1]. Some lessons there could be applied to desktop.

One option is the approach of Spectrum OS [2]. They use crosvm (same as what Firecracker "micro VMs" uses) and virtio_wl [3][4].

Another approach might be x11docker [5] with Kata Containers [6].

Curiously, the work for WSLg (WSL with graphics) [7][8] to support graphical Linux guest VMs could also be applied on a Linux host.

  1: https://archive.fosdem.org/2020/schedule/event/kernel_address_space_isolation/attachments/slides/3889/export/events/attachments/kernel_address_space_isolation/slides/3889/Address_Space_Isolation_in_the_Linux_Kernel.pdf
  2: https://spectrum-os.org/
  3: https://spectrum-os.org/design.html
  4: https://alyssa.is/using-virtio-wl/
  5: https://github.com/mviereck/x11docker
  6: https://katacontainers.io
  7: https://github.com/microsoft/wslg
  8: https://xdc2020.x.org/event/9/contributions/611/attachments/702/1298/XDC2020_-_X11_and_Wayland_applications_in_WSL.pdf

thefr0g 4 years ago | |

> Another approach might be x11docker [5] with Kata Containers [6].

Why all the complexity? Just qemu/kvm and xpra, waypipe, whatever would be way simpler and in turn have way smaller of an attack surface. Same if you don't need virtualisation, just use bubblewrap instead of docker etc. It will even give you more fine grained control and you can just use your distributions package manager to keep everything up to date.

easygenes 4 years ago | | |

Also, xpra and waypipe are developed with the intent of being used remotely. They do not have any zero-copy provisions to reduce latency and overhead on local-only applications, like you would get with at least the virtio_wl and WSLg approaches.

easygenes 4 years ago | | |

As mentioned to open, containers within VMs are a security standard for cloud-native when security is critical.

x11docker is just a (very convenient) security layer for containers which need to expose graphics (and possibly webcam, audio, networking, clipboard, printers...). Kata Containers are just "micro VMs" where you spin up a separate kernel to drop the container into.

Bubblewrap is okay if you trust your kernel, but locking the app away in its own VM with its own kernel gives another layer to bust through.

gigatexal 4 years ago |

I love this idea but it's broken a bit if webcams and mics can't be used at least for my use-case. If I had some time I'd look into extending that with this project.

mfontani 4 years ago | |

For the (few) docker-based browser containers I use, I simply bind-mount[1] the relative devices and (in Chrome) it all just works.

For Chrome inside a container, I also install the Google Talk plug-in. Unsure if that's still required, but things work well.

[1]: i.e. "--group-add plugdev", "--device /dev/hidraw4", "--device /dev/video4", "--device /dev/snd", "--device /dev/sri" and similar

gigatexal 4 years ago | | |

I almost don't want to ask as I know the answer is likely to be not great but can this also be done on mac?

fsflover 4 years ago | |

Have a look at Qubes OS then : https://qubes-os.org. It's even more secure (hardware VT-d virtualization), with a nice gui and allows to use webcams and microphones securely.

krageon 4 years ago | | |

No GPU acceleration which makes it (as understandable as the choice is) kind of a pain to use.

usr1106 4 years ago | |

Pulseaudio has network support. You should be able to share your microphone. Of course you need to run pulseaudio inside the container, too. So it's no longer an application container, but a system container.

I used system containers in the past, they are not always easy. No idea whether it would work with podman.

Now that I think about it: The browser obviously uses the display of the host. How? Only over X11 network protocol? That worked in the past, does it still work today? I thought modern browsers would need /dev/dri/? If that is made available, why would Webcams not be possible?

thefr0g 4 years ago | | |

> Only over X11 network protocol?

If you read the examples you'll see that they mount /tmp/.X11-unix in the container, thats where the X-Sessions Unix domain socket is. You can do the same for pulseaudio. But you shouldn't. Use Wayland and Pipewire if you are actually interested in using this as a security measure, since they are built for sandboxing.

> I thought modern browsers would need /dev/dri/?

They only need it for hw-acceleration. You can also give the container access to it if you need that.

Gargyle 4 years ago |

X Display Access ~ RCE

Arnavion 4 years ago | |

You can mount the socket and xauthority of a xephyr window instead of your root X server.

shameless_plug 4 years ago |

Some time ago I have done something similar: https://github.com/grzegorzk/ff_in_podman It's interesting to see, that hardened browser executed from container is actually quite unique setup (and hence, in a way, easy to spot unless many people are using same setup).

0xdeadb00f 4 years ago |

Containers do not offer the amount of security people think they do