Separate (some) user applications from the operating system

arraybolt3 · January 13, 2026, 1:30am

Probably relevant if we do eventually create a Wayland proxy:

Decide which Wayland protocols to expose to guests

opened 04:11AM - 28 Feb 24 UTC

P: default affects-4.3 C: Wayland

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) ###… Qubes OS release (if applicable) Design decision should be done before R4.3, feature might not ship by then. ### Brief summary Not all Wayland protocols are safe to expose to a VM. For instance, [wlr-layer-shell](https://wayland.app/protocols/wlr-layer-shell-unstable-v1) allows drawing anywhere on the screen with no borders. However, a subset of protocols must be exposed to a VM so that Wayland applications in the VM can work. This task is to decide which protocols should be exposed. The list below is preliminary. Comments as to which protocols should and should not be exposed are encouraged. ### Must be exposed These protocols are absolutely required to have a basic functioning desktop that supports server-side decorations, GPU acceleration, and languages requiring complex text input. - [Wayland core](https://wayland.app/protocols/wayland) — the core Wayland protocol, required (with a few exceptions) from _every_ compositor. - [XDG shell](https://wayland.app/protocols/xdg-shell): Required for desktop-style user interfaces. - [Linux DMA-BUF](https://wayland.app/protocols/linux-dmabuf-v1): Allows GPU buffers to be passed to the host, required by Mesa for GPU acceleration. - [XDG decoration](https://wayland.app/protocols/xdg-decoration): Needed to avoid duplicate decorations. - [Text input](https://wayland.app/protocols/text-input-unstable-v3): Allows input of languages requring input methods. - KDE server decoration: used by old GTK versions instead of XDG decoration. ### Should be exposed These protocols provide features used by many applications, or which provide very significant benefit to applications used by a substantial number of people. This benefit is judged to be worth the risk - [XDG activation](https://wayland.app/protocols/xdg-activation-v1): Allows a client to pass focus to another toplevel. - [Linux explicit synchronization (dma-fence)](https://wayland.app/protocols/linux-explicit-synchronization-unstable-v1): Support for explicit synchronization of GPU work. This is the future of Linux graphics, so it ought to be exposed in the future despite its very limited adoption right now. - [Presentation time](https://wayland.app/protocols/presentation-time): Needed for accurate audio/video synchronization - [Viewporter](https://wayland.app/protocols/viewporter): Utility protocol; I’m not sure what it is used for but I think it is needed in practice. - Touchpad gestures. - Fractional scale. - [xdg-foreign](https://wayland.app/protocols/xdg-foreign-unstable-v2) (thanks @puckipedia!): This is needed for portals to work properly, but should probably be partially filtered so that one guest cannot reference a window belonging to the host or another guest. ### Safe These protocols *can* be exposed, but might not have a strong reason to expose them. - KDE Idle - KDE blur - KDE contrast - KDE Slide: allows repositioning windows. - KDE Shadow: allows shadow control. - XDG Output: exposes information most clients have no interest in. ### Must not be exposed Exposing any of these to a guest is a security vulnerability, unless otherwise specified. - Session lock: allows locking the screen & displaying arbitrary graphics. - Xwayland shell: allows arbitrary positioning of arbitrary surfaces. - Security context: should not be exposed by the compositor to sandboxed clients, so if it is exposed, it means that the compositor thinks the client is not sandboxed. - Fullscreen shell: allows taking complete control of an output. <del>There may need to be a way for certain programs (such as LibreOffice Impress) to take complete control of certain outputs (such as a projector), but only with user consent.</del> as per @puckipedia this is not needed. - Foreign toplevel list: allows listing all toplevel surfaces, including ones created by other clients. - Input method (all versions): allows arbitrary text injection. - XWayland keyboard grabbing: allows obtaining all keystrokes, must be restricted to Xwayland alone per specification. - wlr foreign toplevel management: allows acting as a window manager. - wlr layer shell: allows unrestricted drawing anywhere on the screen with no borders. - wlr screencopy: allows screen capture. - wlr gamma control: allows manipulating gamma tables - wlr input inhbitor: allows preventing input to be sent to other clients (also deprecated). - wlr output power management: allows controlling power management, probably denial of service only - wlr export DMA-BUF: allows screen capture - wlr virtual pointer: allows emulating a pointer device - KDE AppMenu: allows causing the compositor to make D-Bus requests. It might be possible to proxy this with a D-Bus proxy, but the protocol must not be exposed directly. - KDE lockscreen overlay: Allows overlaying the lock screen. There might be higher-level interfaces for e.g. VoIP calls, but the protocol itself must be privileged. - KDE DPMS: allows controlling power management, probably denial of service only - KDE output management (all versions): allows managing outputs, which is clearly bad even though I cannot think of an exploit right now. - KDE screencast: allows screen capture. - KDE server decoration pallete: allows changing server side decoration colors. - KDE Plasma shell: can be used to implement a window manager. - KDE Plasma Window Management: can be used to implement a window manager. - KDE Plasma Virtual Desktop: allows changing virtual desktop. - DRM lease.

alberto-765 · January 23, 2026, 12:51am

Hi,
The idea is really great in my opinion, but any kind of sand boxing is a complex subject to any entry-level user, although necessary to avoid APTs. We should make it easy out of the box.

The problem I see is having to restart or lose user sessions in order to access the untrusted-user.

I don’t know if it’s possible or maybe is kind of per-application sandboxing. But I think the best would be to be able to run the unstrusted-user without having to close the user session. Like run the untrusted-user into the user environment but with so limited access, with independent home folder.

Just imagine you are using the main user, you have multiple apps opened, you are in a video call and you need to open a secured browser for access some websites you don’t really trust at all. Be able to run the browser or any other app in the user session but with the untrusted-user permissions, and the application only with access to the /home/untrusted-user/ but not to /home/user/.

Something like:
Log in in the unstrusted-user, download different applications, like the browser or any other close source app (unsecured), like discord/spotify, fill a list of installed apps with the path of them.
And later onto the user session, execute something like open-untrusted-user and after that a list of applications able to run with untrusted-user.

——————————
Select the application you want to run with low permissions
——————————
1. Browser → source of the bin with the permissions of unstrusted-user
2. Spotify → source of the bin with the permissions of unstrusted-user
……

The unstrusted-user don’t have permissions to read or write in the user’s folders or daemons, like happen with the sysmaint user

I hope I have explained myself well; it’s difficult for me.

arraybolt3 · January 23, 2026, 12:58am

Agreed. Introducing yet another boot mode with a new user type would be a bad user experience, and while we had to introduce a new boot mode to make the sysmaint privilege level safe, I don’t think we’ll need to do that here. My hope is to have the sandbox application provide a UX similar to a virtualization app like VirtualBox. It can then allow applications in the sandbox to run side-by-side with applications in other sandboxes and unsandboxed applications.

I like your explanation a lot I think the UX will hopefully be even better than the already good suggestion you have here. Ideally one should be able to open the sandboxer application, click on a sandbox they’ve created, open a terminal in the sandbox, and run sudo apt install whatever, installing the new application into the sandbox. Or, if the user has installed a GUI package manager like Synaptic into the sandbox, they can click a sandbox, click to open Synaptic, find the app they want, and install it that way. Then they wouldn’t need to log out even to install applications.

We’ll probably draw inspiration from Qubes OS for this, since the idea above is essentially “Qubes OS, but minus a lot of the more complicated features, and implemented using containerization rather than VMs”. It won’t be nearly as feature-rich as Qubes at least to start with, and it won’t be able to match Qubes in terms of security, but for users who don’t use Qubes, or for users who want better security within an individual Qube, it should still help a lot.

alberto-765 · January 23, 2026, 1:19am

I was going to say something like that with UI, but I figured that would be a lot of work.

But that was the idea I had in my mind, a sandboxer application where you could install other apps and run them into the main user, but with a sanboxing at user level, not application level as other sanboxers do and we know aren’t secure and optimous at all. Like termux in Android, is like a sandboxed terminal that run into an app but without root permissions

We should find something intermediate between good security, good performance and user friendly. I don’t use qubeos for the overhead it have, is actually difficult to use it in a low resource pc (in my opinion).

If this feature is implemented I would use it for example for close source applications that I use daily, like Discord, and I don’t trust anything. Don’t allow discord to access my files and daemons/bus of my main user, etc. It would be great