
Walsh: Cool things with SELinux... Introducing sandbox -X

Posted Sep 17, 2009 23:43 UTC (Thu) by martinfick (subscriber, #4455)
In reply to: Walsh: Cool things with SELinux... Introducing sandbox -X by drag
Parent article: Walsh: Cool things with SELinux... Introducing sandbox -X

I was suggesting only putting real users in their own containers, not OS users, not each application in its own container. Applications would get their own OS users inside the real user's container. This way, real users would be root (in their container) and could manage creation/deletion/permission setting of application users using "adduser", "chmod", "chown" ... Application users would be appropriately restricted to the fs (/home...).

Naturally, a desktop environment that understood this could set up these application users with the appropriate settings for you, much like the way Android does. Effectively, you could create an entire new distribution with this sole purpose, with a true focus on desktop sandboxing. Sandbox profiles could be used. Default profiles could be created by the distribution, and each app would have a suggested profile. Real users would be allowed to create/script their own sandbox profiles and could apply them to any application, overriding the distribution's suggestions.

If the real user needs to interact with other real users on the system, then appropriate bridges should be created, such as: mount a shared directory in both users' containers (a real host sysadmin would have to set these up)...



Walsh: Cool things with SELinux... Introducing sandbox -X

Posted Sep 18, 2009 0:00 UTC (Fri) by martinfick (subscriber, #4455)

If you step back and think about it, most distributions sandbox servers quite a bit already by giving them their own users, and sometimes by putting them in chroots (and by using various other security mechanisms). Any bridging that needs to be done between server applications that was not anticipated by distributions (and there always is some) can be done because the person managing the servers typically has root privileges. This same ability needs to be extended to desktop users (on a multi-human user system).

But distributions typically stop at sandboxing servers. Why? Because to manage sandboxing you need root privileges! Distributions do not typically sandbox human-user apps (desktop apps) because most human users do not have the privileges on a machine to create the necessary bridges between their apps if they were sandboxed. Human users really need "root level" control of their own domain to ever make sandboxing of applications manageable; no distribution can anticipate all the bridges between user applications that might need to be created. Thus the need for a separate container for each human user, to give human users "root" privileges without compromising the host or other human users.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds