Stef Walter is a Red Hat employee, that works mostly in security and privacy stuffs. He is probably more famous (at least to me) from libsecret noting that the new project would improve on libgnome-keyring by being thread-safe, introspectable, and properly asynchronous.
Walter made today some initial notes about user interaction and expectations of sandboxed applications and how Gnome (the system) should interact with Apps and users. The goal is to make Gnome more secure, as “security is used to implement privacy”.
what is sandboxing?
Sandboxing is a way to isolate one object’s user/resource/data space from another, in order to achieve the maximum privacy between the two objects. I guess a gave a bad definition, but is hard to explain. Some examples would be:
Git (or any other Version Control System) is a good example of a Sandbox environment. While you work in one branch you don’t affect the others, and after you do some validation and testing you can merge your work in the master branch.
Chrome offers its own sandbox space that Chrome Apps use without affecting the rest of the system. On the contrary installing an App in Gnome, it affects the whole system and it also might affect the Chrome browser as well. Apps should be well defined, and access only the necessarily sources.
Maemo had a more sandbox-ed system than a Desktop Linux, and applications were installed in user space. Of course it is easier when we are talking about single user systems (most mobile devices are) while Linux goal has always been a multi-user system.
Windows is a nice example of a bad sandbox-ed system. Applications in Windows can access everything without we even know it (the bad side of closed source), and even if you uninstall them, they might still keep interact with the system.
This is kinda what a sandbox environment is about.
App Store Sandboxing
Stef Walter wrote some interesting notes how the privacy in Gnome could be improved by making a more secure system.
- Principle: In the case of single user systems, we’re not really trying to protect the system from the user by sandboxing. We’re protecting the user (and data) from apps. General concept when thinking about the Desktop UX sandboxing use case.
- Principle: The concept of ‘privacy’ is the way users should see security. Privacy is the user-facing ‘feature’ that security/sandboxing provides. Obviously it provides more technical features than just that, but these other aspects are assumed by the user.
- Want: We need a clear model of what an application is, and make sure that matches what the user expects. We need to present which application is which in a consistent way. Obviously need a way to consistently identify an application.
- Application capabilities should be clear before the user installs not necessarily after or during the installation process.
- Certain capabilities should be configurable after the fact. Good example is location services.
- User expects as a given: App is completely uninstallable. When app is uninstalled, it should not be possible for it to continue to effect the system, whether maliciously or by accident.
- App install and uninstall should be atomic.
- Clear separation to the user between what is the OS (in the UX sense) and what applications are. Apps should not be able to pretend whether my design or maliciously to be the OS.
- Open question: What to do with app data or content when uninstalled.
- Privileged file chooser: App asks user to open a file through the file chooser and the app only has access to the document chosen.
- Concept of foreground and background apps. Background apps have less capabilities than foreground apps.
- Some discussion of target applications, but had a hard time pinning this down.
- W^X was brought up as desirable.
- Privacy is the main feature which makes them want apps that use these technologies. Security is used to implement privacy.
It is obvious that in Gnome (Fedora/Red Hat) try to re-design some standard concepts that hurt the Linux Desktop from the beginning since Linux never designed with these on mind.
Read more [at] GnomeOS/Design/Whiteboards/Sandboxing