Separate (some) user applications from the operating system

arraybolt3 · January 13, 2026, 1:30am

Probably relevant if we do eventually create a Wayland proxy:

Decide which Wayland protocols to expose to guests

opened 04:11AM - 28 Feb 24 UTC

P: default affects-4.3 C: Wayland

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) ###… Qubes OS release (if applicable) Design decision should be done before R4.3, feature might not ship by then. ### Brief summary Not all Wayland protocols are safe to expose to a VM. For instance, [wlr-layer-shell](https://wayland.app/protocols/wlr-layer-shell-unstable-v1) allows drawing anywhere on the screen with no borders. However, a subset of protocols must be exposed to a VM so that Wayland applications in the VM can work. This task is to decide which protocols should be exposed. The list below is preliminary. Comments as to which protocols should and should not be exposed are encouraged. ### Must be exposed These protocols are absolutely required to have a basic functioning desktop that supports server-side decorations, GPU acceleration, and languages requiring complex text input. - [Wayland core](https://wayland.app/protocols/wayland) — the core Wayland protocol, required (with a few exceptions) from _every_ compositor. - [XDG shell](https://wayland.app/protocols/xdg-shell): Required for desktop-style user interfaces. - [Linux DMA-BUF](https://wayland.app/protocols/linux-dmabuf-v1): Allows GPU buffers to be passed to the host, required by Mesa for GPU acceleration. - [XDG decoration](https://wayland.app/protocols/xdg-decoration): Needed to avoid duplicate decorations. - [Text input](https://wayland.app/protocols/text-input-unstable-v3): Allows input of languages requring input methods. - KDE server decoration: used by old GTK versions instead of XDG decoration. ### Should be exposed These protocols provide features used by many applications, or which provide very significant benefit to applications used by a substantial number of people. This benefit is judged to be worth the risk - [XDG activation](https://wayland.app/protocols/xdg-activation-v1): Allows a client to pass focus to another toplevel. - [Linux explicit synchronization (dma-fence)](https://wayland.app/protocols/linux-explicit-synchronization-unstable-v1): Support for explicit synchronization of GPU work. This is the future of Linux graphics, so it ought to be exposed in the future despite its very limited adoption right now. - [Presentation time](https://wayland.app/protocols/presentation-time): Needed for accurate audio/video synchronization - [Viewporter](https://wayland.app/protocols/viewporter): Utility protocol; I’m not sure what it is used for but I think it is needed in practice. - Touchpad gestures. - Fractional scale. - [xdg-foreign](https://wayland.app/protocols/xdg-foreign-unstable-v2) (thanks @puckipedia!): This is needed for portals to work properly, but should probably be partially filtered so that one guest cannot reference a window belonging to the host or another guest. ### Safe These protocols *can* be exposed, but might not have a strong reason to expose them. - KDE Idle - KDE blur - KDE contrast - KDE Slide: allows repositioning windows. - KDE Shadow: allows shadow control. - XDG Output: exposes information most clients have no interest in. ### Must not be exposed Exposing any of these to a guest is a security vulnerability, unless otherwise specified. - Session lock: allows locking the screen & displaying arbitrary graphics. - Xwayland shell: allows arbitrary positioning of arbitrary surfaces. - Security context: should not be exposed by the compositor to sandboxed clients, so if it is exposed, it means that the compositor thinks the client is not sandboxed. - Fullscreen shell: allows taking complete control of an output. <del>There may need to be a way for certain programs (such as LibreOffice Impress) to take complete control of certain outputs (such as a projector), but only with user consent.</del> as per @puckipedia this is not needed. - Foreign toplevel list: allows listing all toplevel surfaces, including ones created by other clients. - Input method (all versions): allows arbitrary text injection. - XWayland keyboard grabbing: allows obtaining all keystrokes, must be restricted to Xwayland alone per specification. - wlr foreign toplevel management: allows acting as a window manager. - wlr layer shell: allows unrestricted drawing anywhere on the screen with no borders. - wlr screencopy: allows screen capture. - wlr gamma control: allows manipulating gamma tables - wlr input inhbitor: allows preventing input to be sent to other clients (also deprecated). - wlr output power management: allows controlling power management, probably denial of service only - wlr export DMA-BUF: allows screen capture - wlr virtual pointer: allows emulating a pointer device - KDE AppMenu: allows causing the compositor to make D-Bus requests. It might be possible to proxy this with a D-Bus proxy, but the protocol must not be exposed directly. - KDE lockscreen overlay: Allows overlaying the lock screen. There might be higher-level interfaces for e.g. VoIP calls, but the protocol itself must be privileged. - KDE DPMS: allows controlling power management, probably denial of service only - KDE output management (all versions): allows managing outputs, which is clearly bad even though I cannot think of an exploit right now. - KDE screencast: allows screen capture. - KDE server decoration pallete: allows changing server side decoration colors. - KDE Plasma shell: can be used to implement a window manager. - KDE Plasma Window Management: can be used to implement a window manager. - KDE Plasma Virtual Desktop: allows changing virtual desktop. - DRM lease.

spartack · January 23, 2026, 12:51am

Hi,
The idea is really great in my opinion, but any kind of sand boxing is a complex subject to any entry-level user, although necessary to avoid APTs. We should make it easy out of the box.

The problem I see is having to restart or lose user sessions in order to access the untrusted-user.

I don’t know if it’s possible or maybe is kind of per-application sandboxing. But I think the best would be to be able to run the unstrusted-user without having to close the user session. Like run the untrusted-user into the user environment but with so limited access, with independent home folder.

Just imagine you are using the main user, you have multiple apps opened, you are in a video call and you need to open a secured browser for access some websites you don’t really trust at all. Be able to run the browser or any other app in the user session but with the untrusted-user permissions, and the application only with access to the /home/untrusted-user/ but not to /home/user/.

Something like:
Log in in the unstrusted-user, download different applications, like the browser or any other close source app (unsecured), like discord/spotify, fill a list of installed apps with the path of them.
And later onto the user session, execute something like open-untrusted-user and after that a list of applications able to run with untrusted-user.

——————————
Select the application you want to run with low permissions
——————————
1. Browser → source of the bin with the permissions of unstrusted-user
2. Spotify → source of the bin with the permissions of unstrusted-user
……

The unstrusted-user don’t have permissions to read or write in the user’s folders or daemons, like happen with the sysmaint user

I hope I have explained myself well; it’s difficult for me.

arraybolt3 · January 23, 2026, 12:58am

Agreed. Introducing yet another boot mode with a new user type would be a bad user experience, and while we had to introduce a new boot mode to make the sysmaint privilege level safe, I don’t think we’ll need to do that here. My hope is to have the sandbox application provide a UX similar to a virtualization app like VirtualBox. It can then allow applications in the sandbox to run side-by-side with applications in other sandboxes and unsandboxed applications.

I like your explanation a lot I think the UX will hopefully be even better than the already good suggestion you have here. Ideally one should be able to open the sandboxer application, click on a sandbox they’ve created, open a terminal in the sandbox, and run sudo apt install whatever, installing the new application into the sandbox. Or, if the user has installed a GUI package manager like Synaptic into the sandbox, they can click a sandbox, click to open Synaptic, find the app they want, and install it that way. Then they wouldn’t need to log out even to install applications.

We’ll probably draw inspiration from Qubes OS for this, since the idea above is essentially “Qubes OS, but minus a lot of the more complicated features, and implemented using containerization rather than VMs”. It won’t be nearly as feature-rich as Qubes at least to start with, and it won’t be able to match Qubes in terms of security, but for users who don’t use Qubes, or for users who want better security within an individual Qube, it should still help a lot.

spartack · January 23, 2026, 1:19am

I was going to say something like that with UI, but I figured that would be a lot of work.

But that was the idea I had in my mind, a sandboxer application where you could install other apps and run them into the main user, but with a sanboxing at user level, not application level as other sanboxers do and we know aren’t secure and optimous at all. Like termux in Android, is like a sandboxed terminal that run into an app but without root permissions

We should find something intermediate between good security, good performance and user friendly. I don’t use qubeos for the overhead it have, is actually difficult to use it in a low resource pc (in my opinion).

If this feature is implemented I would use it for example for close source applications that I use daily, like Discord, and I don’t trust anything. Don’t allow discord to access my files and daemons/bus of my main user, etc. It would be great

arraybolt3 · May 4, 2026, 1:36am

Over the last few days, I’ve been spending a lot of time designing (not yet coding, just designing) the sandboxing framework, using the notes above as a roadmap. Sharing the whole design here would be rather cumbersome (and the design is quickly evolving and is subject to change or overhaul at any moment), but a quick summary is:

We have tentatively settled on systemd-nspawn as the underlying sandboxing framework. It is sufficiently feature-rich to do what we need to the best of our knowledge.
We have a user interface somewhat mapped out. The UI design is heavily inspired by VirtualBox, and treats individual sandboxes as VM-like instances that can be powered on and off.
Unfortunately, it looks like we’re going to have to run the core sandboxing engine as root. systemd-nspawn is non-functional under Qubes OS when run as a non-root user (apparently the Qubes kernel is missing a feature required to get unprivileged systemd-nspawn to work), and even outside of Qubes, I have not been able to get it to work unprivileged. Other unprivileged sandboxing frameworks use SUID executables to hack around the parts of sandboxing under Linux that require root privileges, so getting them to work without SUID would be, to say the least, quite difficult. The only engine we know of that could be used for that is Podman, and Podman simply does not seem to be designed to be used the way we intend on using containers (it could be used, but it would be unintuitive, difficult, and would “mess up” the Podman user interface for anyone who had a use for Podman other than using our sandboxing framework). It would also complicate file, folder, and device sharing, all of which are essential features.
For now, validating proxies are being mostly skipped. It was a fun idea, but it will be very difficult to implement and maintain. In the short term, we may simply allow sandboxed apps to connect directly to Wayland and Pipewire. Longer term (or possibly now, if warranted), we may add a feature that allows a sandbox to run its own Wayland compositor, which can then be VNC’d to from the host, thus providing a good level of isolation without the complexity of a validating proxy. Something similar might be possible for audio, though this is unclear. We may end up with something similar to a validating proxy for console access.

More details will be forthcoming once we have a design that looks solid enough to start implementing (which may still be a while, this is going to be a rather complex system no matter what we do, so we need to get the design right the first time if we want to avoid major refactoring headaches later).

arraybolt3 · May 5, 2026, 5:09am

The design is still far from finished, but it’s getting there. Those who are interested can look at the current state of the design here:

github.com/ArrayBolt3/sandbox-manager-dist

sandbox-manager-dist-design.md

master

# What's the goal for this to be a minimal viable product?

Ultimately, we need it to be very easy and comfortable to use Tor Browser
sandboxed. Users need to be able to run Tor Browser in a sandbox, interact
with it the same way they'd interact with an unsandboxed browser, make files
available to it, move files downloaded with it out of the sandbox, keep it
updated properly, launch it from the Start Menu, etc., without any difficulty.

Beyond that, we want this to become usable for general purpose, Android-like
app sandboxing. Users should not *have* to mess with permissions in order to
get apps working. Users should not *have* to mess with manual software
installation and the management of sandboxes if they don't want to. Users
should be able to just install an app and *use* it. We're not going to be able
to get a UX as smooth as Android simply because Linux applications are not
(always) designed to be super smooth and easy to use sandboxed like Android
applications, and the tools that do allow ease-of-use for sandboxed
applications are less secure than would be hoped. (In particular
xdg-desktop-portal has an architectural flaw in it that will likely prevent it
from being safe to use for a long time.)

This file has been truncated. show original

(EDIT: Previously the design was in a Github gist here: Work-in-progress sandbox-manager-dist design · GitHub, however it has now been moved into the Git repo for sandbox-manager-dist.)

init38 · May 7, 2026, 10:05pm

Well I must say that is a long read but will the “sandbox-manager” be able to achieve installing packages/apps per user instead of globally for all users?

GUI screen design looks nice and the overall layout you have provided in this gist is nice if u get my gist

One thing though about systemd-nspawn and --network-veth part as mentioned…

gist.github.com

https://gist.github.com/ArrayBolt3/dea970d5c4b3a476fa28e707c085e285#notes-on-getting-various-components-to-behave

design.md

# What's the goal for this to be a minimal viable product?

Ultimately, we need it to be very easy and comfortable to use Tor Browser
sandboxed. Users need to be able to run Tor Browser in a sandbox, interact
with it the same way they'd interact with an unsandboxed browser, make files
available to it, move files downloaded with it out of the sandbox, keep it
updated properly, launch it from the Start Menu, etc., without any difficulty.

Beyond that, we want this to become usable for general purpose, Android-like
app sandboxing. Users should not *have* to mess with permissions in order to

This file has been truncated. show original

Wouldn’t VPN’s like in the case of having more then one VPN app benefit from a networknamespace? Only reason I ask is I have had DNS Configuration Conflicts (/etc/resolv.conf) when switching between ProtonVPN and MullvadVPN before for a stated example.

Also what issues could arise with user Firewalls? Could host firewall rules (iptables/nftables) not apply correctly to container traffic because the traffic appears to originate from the host itself? No mention of integrating with host firewalls or conflicts user specific firewalls?

arraybolt3 · May 7, 2026, 11:55pm

Yes, each user account will have its own set of sandboxes separate from other sets, and apps will be installed in those individual sandboxes.

VPNs within sandboxes isn’t really a use case I had in mind. It’s a good edge case to think about though, and since our goal is to provide something vaguely Android-like and Android has VPN apps, I’d say it’s in scope. I doubt it will be possible to adjust the host’s firewall from within the sandbox since adjusting the firewall is a root-only operation (I think) and the sandbox doesn’t have root privileges outside of its user namespace, so for VPN apps to work in a sandbox at all, a network namespace would probably be required. (That way the per-namespace firewall can be configured however the sandbox wants.) The VPN would only apply to applications inside the sandbox.

nftables firewalls are per-namespace according to some pages I looked up. For instance, the Arch Wiki describes using a network namespace to contain Docker’s firewall changes. See:

arraybolt3 · May 8, 2026, 4:52am

It will be quite a while before there’s a functional prototype to look at, but development of sandbox-manager-dist itself has started: