bsdnerds.org

GUI isolation in Linux

In most situations, Linux users don’t take the time to think about their system’s design or the security layers installed by default.

Yet that security is usually severely undermined by the absence of GUI-level isolation, which nullifies whatever desktop security one might otherwise have.

Therefore, if you use two GUI applications at the same time, you won’t benefit from any type of isolation between the two, even if they run under distinct user accounts. Not even SELinux can solve this.

The major problem here is the X server architecture (X Window System), which was created thinking solely about the needs of its time and overlooking the future needs of such systems.

It is designed to permit any GUI application to take control, and the design makes no allowance for bugs or other failures in those applications.

Simply put: with a single app, all the user data might be compromised, as the door is left wide open for malicious activities.
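
As an added example (not from the original article), the following Python sketch classifies the output of `xhost`, the standard tool that lists who may connect to an X display; every principal listed there shares the display with the other clients, with no GUI-level isolation between them. The sample output, user names and host name are constructed, and the severity labels are this example's own assumption.

```python
# Added example: classify `xhost` output to see who shares an X display.
# The sample text, user names and host name below are constructed.
SAMPLE_XHOST_OUTPUT = """\
access control enabled, only authorized clients can connect
SI:localuser:alice
SI:localuser:sandbox
LOCAL:
INET:build-host.example
"""

def audit_xhost(output, session_user):
    """Return (severity, entry, reason) tuples for risky display grants.

    Severity labels are this example's own convention, not an X11 term.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    # Anything that is not an access-control listing (e.g. an error) is ignored.
    if not lines or not lines[0].startswith("access control"):
        return []
    findings = []
    header, entries = lines[0], lines[1:]
    if "access control disabled" in header:
        findings.append(("critical", header,
                         "host-based access control is off for this display"))
    for entry in entries:
        family, _, rest = entry.partition(":")
        if family == "SI" and rest.startswith("localuser:"):
            user = rest.split(":", 1)[1]
            if user != session_user:
                findings.append(("medium", entry,
                                 f"account '{user}' shares the display; a "
                                 "separate UID gives no GUI-level isolation"))
        elif family == "LOCAL":
            findings.append(("high", entry,
                             "every local account may connect to the display"))
        else:
            findings.append(("high", entry,
                             "broad or remote grant; review whether it is needed"))
    return findings

if __name__ == "__main__":
    for severity, entry, reason in audit_xhost(SAMPLE_XHOST_OUTPUT, "alice"):
        print(f"{severity:8} {entry:28} {reason}")
```

On a live X session, pass the function the text printed by running `xhost` with no arguments, together with the name of the account that owns the session.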

X Windows security

So, what are the main issues with GUI isolation on Linux?

  1. Access to a reliable, standardized API for GUI development that is both forward and backward compatible is a problem

  2. The architecture is somewhat insecure: even when you run a desktop GUI application under a distinct user, the app can access any input events and even create screenshots of the

  3. A lack of a unified graphical toolkit or API to manage GUI isolation, as the majority of users have no access to system-wide font rendering settings or DPI

  4. Font rendering is quite a hassle because it requires a GUI library

  5. Given the issues with GUI and GUI isolation, the system is prone to sluggish response owing to several problems with video acceleration or the lack of it

  6. Some users may be able to configure anything with the aid of the GUI, but in some situations users keep experiencing bugs and GUI isolation-related problems

  7. In some cases, the GUI network manager in Linux comes with significant issues, such as the inability to create PPPoE connections via Wi-Fi

  8. There is a constant lack of a clear depiction of all GUI application errors

  9. Some users complain that a GUI toolkit is essential for their endeavours, as most use Linux for their development projects

  10. There is no access to a sandbox for GUI usage, similar to Sandboxie in Windows

Therefore, the main problem with GUI isolation in Linux is the potential security issues that might occur, leaving the system vulnerable to threats.

Also, the majority of developers noted in forums that even though it is doable to use GUI toolkits in Linux, it takes a lot of hassle and determination to overcome all the impediments that occur along the way.