On Sat, Apr 05, 2014 at 12:45:53PM -0700, Russ Allbery wrote:
> If someone would write up a good step-by-step guide for how to isolate
> one's web browser in a VM running on the same host, so that you can still
> get reasonable display performance but have a real separation boundary
> between the web browser and the rest of the system, I for one would be
> extremely grateful. The same technique would work for things like Skype.
>
> I'm sure it's possible, but I don't know enough about the various
> virtualization systems to be able to figure it out quickly, and I've yet
> to get interested enough to spend several days figuring out a method.

By all means, I'd love that. This is where I got to.

Keith Packard assured me that running software in a nested X server like
Xephyr is a way to prevent it from accessing the outside X session,
and I considered it an interesting way of running Skype, as a dedicated
user, after checking that my home dir permissions are sound.

Still, Skype also wants access to hardware like a webcam, and I haven't
yet felt like putting in effort to audit udev rules, and figuring out
what having access to webcam hardware really allows one to do[1].

[1] Instinctively, that should only be "get images out of the webcam";
that wasn't the case for FireWire[2]. Also, how is the LED light
next to my webcam wired? Can the webcam be turned on leaving the LED
switched off? [3]

[2] And I grew up thinking that video hardware would just drive some
video output, while nowadays on a Raspberry Pi it'll read FAT
filesystems on an SD card, parse config files and boot the system.

[3] Anyway, there is no activity LED for the microphone. Can I have a
panel applet thingie which shows if some process is reading from a
microphone or webcam device?

Ciao,

Enrico

--
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>