App confinement for Ubuntu mobile devices
Posted Apr 25, 2013 9:31 UTC (Thu) by ibukanov (subscriber, #3942)
Parent article: App confinement for Ubuntu mobile devices
One really has to start from a very restricted sandbox model and then gradually loosen it with explicit permissions on a case-by-case basis. This is what Google did with Android and ChromeOS and is what Mozilla does with FirefoxOS. Of course, Android started from scratch with a new API, and HTML OSes take advantage of the fact that HTML is already sandboxed, so legacy code can run as is.
It is harder to do if one has legacy code that should be secured. One way to solve it is to run each application in its own VM, like www.qubes-os.org does. But such an approach is a resource hog and cannot yet be applied to mobile phones or tablets. Ubuntu at least could try to take advantage of the fact that they have the source of the whole desktop and most applications. For example, they could create sandboxed system libraries and recompile applications against them. Essentially, it virtualizes the application code without the overhead of running each application in its own VM, so the application can run on a mobile phone.
