Seems to be Xephyr alone causing that lag.
In view of that, I had the idea to drop containers and just use the main session, but where the main session has the cap_sys_chroot capability dropped. I renamed /root/.xinitrc to .xinitrc-capd and created a .xinitrc that calls .xinitrc-capd with the chroot capability dropped, i.e. .xinitrc contains ...
#!/bin/sh
capsh --drop=cap_sys_chroot -- /root/.xinitrc-capd
Also, inside initrd I modified init to chroot into the main session rather than switch-root. I also mount my sda3 (data partition) inside init so that the partition is inaccessible within X. So the tail end of init inside initrd now looks like:
mount -t devtmpfs devtmpfs /easy_new/dev #need to do this before switch_root.
sync
#umount /sys
#umount /proc
#exec switch_root /easy_new /sbin/init
# mount our data partition outside of the main system, so inaccessible to X
# i.e. console login and exit-chroot to access data (mc)
mkdir /mnt/sda3
mount /dev/sda3 /mnt/sda3
exec chroot /easy_new /sbin/init
Rebooting to 'clean' each and every time (no saves), and that's moderately secure. Data is isolated, and a cracked firefox (root cli) cannot chroot into initrd; it could see other X windows and/or keystrokes, but that is no different to how it might also see other windows inside a container.
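A way to confirm that the capsh drop in .xinitrc actually reached the X session (and therefore everything started from .xinitrc-capd, since the bounding set is inherited by child processes), as an added example that is not part of the original post: this POSIX sh script reads the capability masks from /proc/<pid>/status and tests the cap_sys_chroot bit. It assumes the standard Linux capability numbering, in which CAP_SYS_CHROOT is capability number 18; the masks in the comments are constructed samples, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: check whether cap_sys_chroot has
# really been dropped from a process, e.g. the X session started through
# "capsh --drop=cap_sys_chroot". Assumes the standard Linux capability
# numbering, where CAP_SYS_CHROOT is capability number 18.
CAP_SYS_CHROOT=18

# cap_is_set HEXMASK CAPNUM: succeed if bit CAPNUM is set in HEXMASK.
# Masks are written exactly as /proc/<pid>/status prints them, e.g. the
# constructed full set 000001ffffffffff.
cap_is_set() {
    mask=$1
    capnum=$2
    [ $(( (0x$mask >> $capnum) & 1 )) -eq 1 ]
}

# cap_drop_mask HEXMASK CAPNUM: print HEXMASK with bit CAPNUM cleared, i.e.
# what the bounding set should look like after capsh --drop of that capability.
cap_drop_mask() {
    mask=$1
    capnum=$2
    printf '%016x\n' $(( 0x$mask & ~(1 << $capnum) ))
}

# cap_field PID SETNAME: print the hex mask of SETNAME (CapBnd, CapEff, ...)
# from /proc/PID/status.
cap_field() {
    awk -v key="$2:" '$1 == key { print $2 }' "/proc/$1/status"
}

# check_chroot_dropped PID: report the bounding and effective sets of PID and
# succeed only if cap_sys_chroot is absent from both. CapBnd is the one capsh
# --drop changes; CapEff is what a root process can actually use right now.
check_chroot_dropped() {
    pid=${1:-$$}
    bnd=$(cap_field "$pid" CapBnd)
    eff=$(cap_field "$pid" CapEff)
    status=0
    for entry in "CapBnd $bnd" "CapEff $eff"; do
        name=${entry%% *}
        val=${entry#* }
        if cap_is_set "$val" "$CAP_SYS_CHROOT"; then
            echo "$name=$val  cap_sys_chroot PRESENT"
            status=1
        else
            echo "$name=$val  cap_sys_chroot absent"
        fi
    done
    return $status
}

# Stand-alone use: inspect the current shell. Run from a terminal inside the
# X session, both lines should read "absent" if the capsh drop took effect.
if [ -r /proc/self/status ]; then
    check_chroot_dropped $$ || echo "warning: this process can still chroot"
fi
```

Run it from a terminal opened inside X rather than from a console login, since the console shell never passed through capsh and will still show the capability. The same masks can be cross-checked against `capsh --print` or `grep Cap /proc/self/status`; a root shell with cap_sys_chroot absent from CapBnd cannot regain it, so a compromised process in that session cannot chroot into the initrd tree.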