Wow, looks like someone has finally decided to create a secure desktop OS.
It only took 30 years, pretty fast I'd say... sigh...
Regarding all the limitations, it seems they are just due to the abysmal design of Mac OS X.
For example, it obviously needs to be possible to request the user to open a directory and get access to all children.
At any rate, I think most file accesses can be handled by:
1. Automatically granting read-only access to system-wide files installed by distribution packages
2. Automatically granting access to ~/.<app>
3. Automatically granting access to files mentioned on the command line
4. Making the GTK/Qt file chooser APIs automagically use the trusted file UI API
5. Perhaps granting access to a file permanently after the first time an application is granted access (so that "Recent files" works)
Note that it is also crucial to redesign the windowing system, so that it is impossible to imitate windows of other applications (as well as making it impossible to simulate input or read input or the cursor position without having focus)
This requires having a trusted process draw the window decorations, and having some way to prevent applications from drawing in their windows in such a way that the user thinks there is a top-level window inside them.
The latter can be done by either:
- Randomizing the color of the title bars every boot, and making it impossible to determine which is the current color (i.e. disallow reading the screen and taking screenshots by untrusted apps)
- Having a bar connect windows to the edge of the screen, as well as an internal border breaking that bar for child windows.
- Always creating new windows maximized and preventing apps from altering the window state (but this requires teaching the user that any window that starts not maximized is fake, which is not the case on current OSes).
- Not allowing windows to be positioned such that a window is fully contained in another (this also requires teaching the user about it).
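As an added illustration of the five automatic-grant rules proposed for file access above (this is example code written for this page, not part of the comment or of any real OS), here is a toy trusted broker that decides each sandboxed request. The app name, the home directory, the package-file list and the command-line file list are all constructed; a real broker would consult the package database and the process's actual argv, and the "trusted file UI" is modelled as a callback.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath
from typing import Callable, Dict, Optional, Set, Tuple


@dataclass
class AccessRequest:
    app: str    # name of the sandboxed application
    path: str   # absolute path it wants to open
    mode: str   # "r" for read, "w" for write


@dataclass
class FileAccessBroker:
    """Trusted process that answers file requests from sandboxed apps.

    Every data set below is constructed for the example; only the decision
    logic (rules 1-5 from the comment) is the point.
    """
    package_files: Set[str]                        # files owned by distro packages
    argv_files: Dict[str, Set[str]]                # app -> paths given on its command line
    home: str = "/home/alice"                      # hypothetical user home
    grants: Dict[str, Set[str]] = field(default_factory=dict)  # remembered per-app grants

    def _in_app_dir(self, app: str, path: PurePosixPath) -> bool:
        # Rule 2: ~/.<app> and everything below it belongs to the app.
        app_dir = PurePosixPath(self.home) / f".{app}"
        return path == app_dir or app_dir in path.parents

    def decide(self, req: AccessRequest,
               chooser: Optional[Callable[[AccessRequest], bool]] = None) -> Tuple[bool, str]:
        """Return (allowed, reason). `chooser` stands in for the trusted file UI."""
        path = PurePosixPath(req.path)
        # Refuse anything that is not a canonical absolute path before matching rules.
        if not path.is_absolute() or ".." in path.parts:
            return False, "rejected: non-canonical path"
        # Rule 1: package-installed system files are readable, never writable.
        if req.path in self.package_files:
            return req.mode == "r", "rule1: package file, read-only"
        # Rule 2: the app's own dot-directory.
        if self._in_app_dir(req.app, path):
            return True, "rule2: inside ~/.<app>"
        # Rule 3: files named on the app's command line.
        if req.path in self.argv_files.get(req.app, set()):
            return True, "rule3: named on command line"
        # Rule 5: a grant the user already made for this app is remembered.
        if req.path in self.grants.get(req.app, set()):
            return True, "rule5: remembered earlier grant"
        # Rule 4: otherwise the trusted file chooser must approve; remember the answer.
        if chooser is not None and chooser(req):
            self.grants.setdefault(req.app, set()).add(req.path)
            return True, "rule4: user chose file, grant remembered"
        return False, "denied: no rule applies"


def demo() -> Dict[str, bool]:
    """Run a few constructed requests through the broker and return the verdicts."""
    broker = FileAccessBroker(
        package_files={"/usr/share/fonts/dejavu.ttf"},
        argv_files={"editor": {"/home/alice/notes.txt"}},
    )
    always_yes = lambda _req: True  # user clicks "Open" in the trusted chooser
    return {
        "read_package_file": broker.decide(AccessRequest("editor", "/usr/share/fonts/dejavu.ttf", "r"))[0],
        "write_package_file": broker.decide(AccessRequest("editor", "/usr/share/fonts/dejavu.ttf", "w"))[0],
        "own_dotdir": broker.decide(AccessRequest("editor", "/home/alice/.editor/state", "w"))[0],
        "other_dotdir": broker.decide(AccessRequest("editor", "/home/alice/.other/state", "w"))[0],
        "argv_file": broker.decide(AccessRequest("editor", "/home/alice/notes.txt", "w"))[0],
        "unlisted_no_ui": broker.decide(AccessRequest("editor", "/home/alice/secret.txt", "r"))[0],
        "unlisted_via_ui": broker.decide(AccessRequest("editor", "/home/alice/secret.txt", "r"), always_yes)[0],
        "remembered": broker.decide(AccessRequest("editor", "/home/alice/secret.txt", "r"))[0],
        "other_app_not_shared": broker.decide(AccessRequest("other", "/home/alice/secret.txt", "r"))[0],
        "dotdot_rejected": broker.decide(AccessRequest("editor", "/home/alice/../root/x", "r"))[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:22} {'ALLOW' if allowed else 'DENY'}")
```

Note that grants are keyed per application, so a file the user opened in one app is not silently available to another, and that the canonical-path check runs before any rule so a `..` component cannot walk out of `~/.<app>`.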