GNOME Wants To Sandbox Applications Too
As another item that was discussed last week in Brussels during the GNOME Developer Hackfest is sandboxing of GNOME applications. GNOME developers already decided they want applications written in JavaScript but as another security measure they want to begin sandboxing applications.
In writing about the Hackfest prior to FOSDEM 2013, Alexander Larsson wrote on his blog about their new proposed security process. A fully sandboxed application would not even be able to mount the user's home directory in full. There's also talk of implementing an Intents system similar to Android for providing services like file picking, photo access, and photo sharing through the use of DBus.
In writing about the Hackfest prior to FOSDEM 2013, Alexander Larsson wrote on his blog about their new proposed security process. A fully sandboxed application would not even be able to mount the user's home directory in full. There's also talk of implementing an Intents system similar to Android for providing services like file picking, photo access, and photo sharing through the use of DBus.
The sandbox model goes hand-in-hand with the isolation model of app deployment, in the sense that whatever the app should not be able to do it will not even see. So, for a fully sandboxed app we will not even mount in the users home directory in the app namespace, rather than not having access rights to it. (We will of course also offer applications with unlimited sandboxes so that existing apps can run.)
In order to talk with the sandboxes app we need a IPC model that handles the domain transition between the namespaces. This implies the kernel being involved, so we have been looking (again) at getting some form of dbus routing support into the kernel. Hopefully this will work out this time.
Unfortunately we also need IPC for the Xserver, which is very hard to secure. We’ve decided to just just ignore this for now however, as it turns out Wayland is a very good fit for this, since it naturally isolates the clients.
We also talked about implementing something similar to the Intents system in android as a way to allow sandboxed applications to communicate without necessarily knowing about each other. This essentially becomes a DBus service which keeps a registry of which apps implements the various interfaces we want to support (e.g. file picking, get-a-photo, share photo) and actually proxies the messages for these to the right destination. We had a long discussion about the name for these and came up with the name “Portals”, reflecting the domain-transition that these calls represent.
13 Comments