GNOME Wants To Sandbox Applications Too
Posted by Michael Larabel on February 06, 2013
As another item that was discussed last week in Brussels during the GNOME Developer Hackfest is sandboxing of GNOME applications. GNOME developers already decided they want applications written in JavaScript but as another security measure they want to begin sandboxing applications.
In writing about the Hackfest prior to FOSDEM 2013, Alexander Larsson wrote on his blog about their new proposed security process. A fully sandboxed application would not even be able to mount the user's home directory in full. There's also talk of implementing an Intents system similar to Android for providing services like file picking, photo access, and photo sharing through the use of DBus.
In writing about the Hackfest prior to FOSDEM 2013, Alexander Larsson wrote on his blog about their new proposed security process. A fully sandboxed application would not even be able to mount the user's home directory in full. There's also talk of implementing an Intents system similar to Android for providing services like file picking, photo access, and photo sharing through the use of DBus.
The sandbox model goes hand-in-hand with the isolation model of app deployment, in the sense that whatever the app should not be able to do it will not even see. So, for a fully sandboxed app we will not even mount in the users home directory in the app namespace, rather than not having access rights to it. (We will of course also offer applications with unlimited sandboxes so that existing apps can run.)
In order to talk with the sandboxes app we need a IPC model that handles the domain transition between the namespaces. This implies the kernel being involved, so we have been looking (again) at getting some form of dbus routing support into the kernel. Hopefully this will work out this time.
Unfortunately we also need IPC for the Xserver, which is very hard to secure. We’ve decided to just just ignore this for now however, as it turns out Wayland is a very good fit for this, since it naturally isolates the clients.
We also talked about implementing something similar to the Intents system in android as a way to allow sandboxed applications to communicate without necessarily knowing about each other. This essentially becomes a DBus service which keeps a registry of which apps implements the various interfaces we want to support (e.g. file picking, get-a-photo, share photo) and actually proxies the messages for these to the right destination. We had a long discussion about the name for these and came up with the name “Portals”, reflecting the domain-transition that these calls represent.
Discuss this article in our forums, IRC channel, or email the author. You can also follow our content via RSS and on social networks like Facebook, Identi.ca, and Twitter (@Phoronix and @MichaelLarabel). Subscribe to Phoronix Premium to view our content without advertisements, view entire articles on a single page, and experience other benefits.
Copyright © 2004 - 2013 by Phoronix Media.
All trademarks used are properties of their respective owners. All rights reserved. Legal Disclaimer & Disclosure.
Powered by the Phoronix Content Management System (PHXCMS-7.4).
All trademarks used are properties of their respective owners. All rights reserved. Legal Disclaimer & Disclosure.
Powered by the Phoronix Content Management System (PHXCMS-7.4).