Description
Drop runs sandboxed programs in a separate network namespace without access to the host's /tmp and /run directories.
This prevents access to the X11 display sockets (both the Unix domain socket /tmp/.X11-unix/X0 and the abstract socket @/tmp/.X11-unix/X0) and the Wayland compositor socket ($XDG_RUNTIME_DIR/wayland-0), making it impossible to start GUI programs in the sandbox.
It is possible to give Drop programs access to the host display server by exposing the relevant socket files. However, at least for X11, this is only acceptable for trusted programs, where Drop is used as a mistake-protection, easy-cleanup environment rather than a security sandbox. Access to the user's X11 server gives the ability to intercept keystrokes and control the screen, and is inherently insecure for untrusted programs (to research: does the isolation problem also apply to Wayland, or is it secure to expose the Wayland compositor socket to the sandbox as-is?).
The secure approach is to run a separate, isolated display server for each sandbox, with its output rendered to a window on the host. Firejail implements such an approach using the Xephyr and Xpra projects. More research is needed to check which approach to take for X11, which (if any is needed) for Wayland, and whether it is possible to support both X11 and Wayland without too much duplication.
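A check for the isolation property described above, added here as an example and not part of Drop itself: run inside the sandbox, it reports whether any of the three display sockets named in this issue (the X11 path socket, the X11 abstract socket, and the Wayland socket) is still reachable. The abstract socket is found by parsing /proc/net/unix, where abstract names are listed with a leading `@`; the directory and text parameters are assumptions so the check can also be fed captured data.

```python
"""Audit whether a sandboxed process can still reach the host display
sockets: /tmp/.X11-unix/X0, the abstract @/tmp/.X11-unix/X0, and
$XDG_RUNTIME_DIR/wayland-0. Exit status 1 means at least one is exposed."""
import os
import sys

X11_SOCKET = "/tmp/.X11-unix/X0"
WAYLAND_SOCKET = "wayland-0"


def abstract_sockets(proc_net_unix_text):
    """Return the set of abstract socket names in /proc/net/unix text.
    The first line is a header; the Path column is optional, and
    abstract names are shown with a leading '@' that we strip."""
    names = set()
    for line in proc_net_unix_text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 8 and fields[7].startswith("@"):
            names.add(fields[7][1:])
    return names


def display_socket_exposure(tmp_dir="/tmp", runtime_dir=None,
                            proc_net_unix_text=None):
    """Report which display sockets are visible from this namespace.
    tmp_dir / runtime_dir / proc_net_unix_text are hypothetical
    parameters so the check can be pointed at bind-mounted paths or at
    captured /proc/net/unix output instead of the live system."""
    if runtime_dir is None:
        runtime_dir = os.environ.get("XDG_RUNTIME_DIR", "")
    if proc_net_unix_text is None:
        try:
            with open("/proc/net/unix") as f:
                proc_net_unix_text = f.read()
        except OSError:  # e.g. /proc not mounted in the sandbox
            proc_net_unix_text = ""
    x11_path = os.path.join(tmp_dir, ".X11-unix", "X0")
    wayland_path = os.path.join(runtime_dir, WAYLAND_SOCKET) if runtime_dir else ""
    return {
        "x11_unix": os.path.exists(x11_path),
        "x11_abstract": X11_SOCKET in abstract_sockets(proc_net_unix_text),
        "wayland": bool(wayland_path) and os.path.exists(wayland_path),
    }


if __name__ == "__main__":
    report = display_socket_exposure()
    for name, visible in report.items():
        print(f"{name}: {'EXPOSED' if visible else 'isolated'}")
    sys.exit(1 if any(report.values()) else 0)
```

Because Drop hides the host /tmp and /run and uses a separate network namespace, all three entries should read `isolated` inside a sandbox; an `EXPOSED` line means a socket was bind-mounted or the namespace separation is not in effect.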