restricting desktop applications

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: restricting desktop applications
Date: Thu, 17 Mar 2022 18:28:09 +1100	[thread overview]
Message-ID: <3420831.cqPokZtkmC@xev> (raw)

The policy for desktop applications keeps getting larger and more complex and 
doesn't seem likely to do much good.

We have the xdg-desktop-portal package which is described as:

 xdg-desktop-portal provides a portal frontend service for Flatpak, Snap,
 and possibly other desktop containment/sandboxing frameworks. This service
 is made available to the sandboxed application, and provides mediated
 D-Bus interfaces for file access, URI opening, printing and similar
 desktop integration features.
 .
 The implementation of these interfaces is expected to require
 user confirmation before responding to the sandboxed application's
 requests. For example, when the sandboxed application ask to open a file,
 the portal implementation will open an "Open" dialog outside the sandbox,
 and will only make the selected file available to the sandboxed app if
 that dialog is confirmed.
 .
 xdg-desktop-portal is designed to be desktop-agnostic, and uses a
 desktop-environment-specific GUI backend such as xdg-desktop-portal-gtk
 to provide its functionality.

This application is used by Chromium so that the app can run in a sandboxed 
manner.  I think it would make sense to have more applications run in a 
sandboxed manner and use xdg-desktop-portal for their access to files outside 
their own sandbox.  This would give the security benefits we aim to get from 
the SE Linux application policy but with greater restrictions (applications 
can't access each other's files without the user explicitely allowing it) and 
also providing those benefits to users who don't use SE Linux.

It would also be possible for the sandbox supporting launcher to have SE Linux 
integration and use different MCS categories for the different applications or 
something.

What I would like to see is regular desktop apps get some of the separation 
that Android apps get.

What do you think?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

                 reply	other threads:[~2022-03-17  7:28 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3420831.cqPokZtkmC@xev \
    --to=russell@coker.com.au \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.