Xorg GUI isolation

Hi guys,

I’m currently using Arch Linux and I’m looking to fix the Xorg keylogger issue which exists so my machine can be free of this & secure. I noticed that Qubes does in fact prevent this and I’d like to port this to my existing machine.

I’ve read a bit of documentation but I’m not sure of the exact extent of this yet and can’t find anything specific anywhere about what specific packages fix this problem.

I suppose first of all, is it even possible to bring the Xorg fixes you have to Arch Linux? Or would there be too many dependencies and is it integrated too tightly? From what I can see so far it seems like this may be the case.

If I can integrate it, does anyone have a list of packages that are actually involved in JUST the GUI isolation on Xorg which I could try to make some PKGBUILDs from? I’d really love to be able to get this fix into my machine if possible as I think it would make a big difference.

Thanks in advance.

It’s not something that’s fixable by making changes on top of Xorg. The general idea is to orchestrate running independent Xorg servers for all the things that you want to isolate from each other, and having all these “virtual” Xorg servers talk (in a carefully restricted way, via the “GUI protocol”) to one central Xorg server hooked up to your hardware.

Here’s how that works in Qubes OS:

The GUI protocol implementation is tied to Xen.

On a plain Linux system, firejail --x11 might be a more practical / weaker version of this kind of approach:

https://wiki.archlinux.org/title/Firejail#Firejail_with_Xorg

2 Likes
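An added example, not part of the original posts and not code from Firejail or Qubes: a shell check to run inside a firejail --x11 sandbox, listing any X display still reachable besides the sandbox's own. It assumes the usual X socket locations (a socket file /tmp/.X11-unix/Xn, plus an abstract socket shown with a leading @ in /proc/net/unix); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which X displays can this process reach?
# Assumption: X servers listen on /tmp/.X11-unix/X<n> (socket file) and on
# the abstract socket of the same name, listed as "@..." in /proc/net/unix.
# Usage inside a sandbox:
#   foreign_displays "$DISPLAY" /proc/net/unix /tmp/.X11-unix

# Print display numbers reachable through abstract sockets.
# $1: a file in /proc/net/unix format
abstract_displays() {
    sed -n 's|.* @/tmp/\.X11-unix/X\([0-9][0-9]*\)$|\1|p' "$1" | sort -un
}

# Print display numbers reachable through socket files.
# $1: socket directory (normally /tmp/.X11-unix)
file_displays() {
    [ -d "$1" ] || return 0
    for s in "$1"/X*; do
        [ -e "$s" ] || continue            # glob matched nothing
        n=${s##*/X}
        case $n in ''|*[!0-9]*) continue ;; esac
        echo "$n"
    done | sort -un
}

# Print every reachable display except the sandbox's own one.
# Empty output means no other X server is visible from here.
# $1: own display (":100" or ":100.0")  $2: proc file  $3: socket dir
foreign_displays() {
    own=${1#*:}          # strip host part and colon
    own=${own%%.*}       # strip screen number
    { abstract_displays "$2"; file_displays "$3"; } | sort -un |
        while read -r n; do
            [ "$n" = "$own" ] || echo ":$n"
        done
}
```

Any line of output from foreign_displays names a display the sandboxed program could still connect to, subject to that server's access control.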

Thanks for your reply.

That’s interesting and thanks - it was one of the reasons I didn’t really want to use Xephyr as I didn’t want loads of X servers running. My other issue with Firejail + Xephyr is more of a design one as I don’t want to have to run every program that way or specifically have to launch a program like that for it to work, I want every program to just sandbox by default.

So judging by that article, it does indeed sound very tightly integrated. I suppose given the circumstances it may well be the best bet but I did already try that method and it didn’t stop X being able to listen to other windows.

> The GUI protocol implementation is tied to Xen.

To be honest, I wouldn’t mind including Xen if it solved the keyboard logging issue. I was thinking about some kind of VM functionality on my machine anyway if I’m honest.

Well if you prefer to have this sandboxing enabled by default and you want to use the Qubes packages implementing it and you like Xen-based VMs too… there’s an existing OS that would seem to fit the bill :wink:

Btw it’s possible to use Arch Linux in TemplateVMs.

2 Likes