Hello. I'm exploring possible methods to run OpenGL-enabled desktop applications in an isolated X server "sandbox", so that these applications cannot take over the main X server's mouse, keyboard, screen, etc, and have unrestricted access to the main's desktop and/or each other.
Traditionally, Xephyr is the solution, and the procedures are basically: (1) Run Xephyr in a seperate user, grant Xephyr permission to access the main X server to display itself as a window. (2) Run a GUI program is a seperate user, grant it permission to access Xephyr. Thus, the program can be completed isolated, but it does not support OpenGL, and not useful for 3D applications. So I turned to VirtualGL. Unfortunately, access to an 3D X server is required for VirtualGL to work. And since it's not possible to run multiple X servers on a single GPU, the only option is granting the access to the main X server to all VirtualGL-powered applications on the system. By doing so, the isolation between the main X server and the isolated X server becomes non-existent. Programs inside the sandbox will be able take control of the main X server. I wonder is it theortically possible to modify the codebase of VirtualGL to implement an additional privilege seperation? My basic idea is to modify the VirtualGL Faker - Instead of issuing OpenGL commands by accessing the 3D X server itself, it only passes these commands to a server via IPC. Only the Faker Server, running as a different user, has access to the 3D X server. In this way, a VirtualGL-powered 3D programs is completely seperated from the main 3D X server, providing a sandboxed graphics environment. It's also helpful in a shared 3D server, since users will not be able to access each other via the 3D X server. Is this a good/feasible idea? If it's feasible, how difficult will the implementation be? Thanks, Tom Li -- You received this message because you are subscribed to the Google Groups "VirtualGL User Discussion/Support" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/virtualgl-users/e83ca94b-6b5c-4890-9471-cc0d37cc04b5%40googlegroups.com.
