From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id C2ACAC433F5 for ; Thu, 17 Mar 2022 07:28:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230173AbiCQH3q (ORCPT ); Thu, 17 Mar 2022 03:29:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60026 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230261AbiCQH3l (ORCPT ); Thu, 17 Mar 2022 03:29:41 -0400 Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:201:1e6::dada:cafe]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3064C2BEC for ; Thu, 17 Mar 2022 00:28:17 -0700 (PDT) Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id A8AADFD2A for ; Thu, 17 Mar 2022 18:28:14 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1647502095; bh=ycq4LbF1PWfJlrBd5yyUTj8qlI3BekPFuXr3a9iTEVg=; l=1996; h=From:To:Reply-To:Subject:Date:From; b=hBonfPBxYEkpCcAOZ91fbbfMkz6SGCdx+GNpEV2npirVK9IAZWxwX06JGFD9YPc2I CUSpG2FwVyIvu+rj4qOpVINvdc089kGVMWew27B/gSUmbJJtLzg5U6W5AXJAfyQo4l MYaaH4EPUsxQBAjTRgpccMC17OQ5bpy5a8b9DPWg= Received: by xev.coker.com.au (Postfix, from userid 1001) id E8A55177B073; Thu, 17 Mar 2022 18:28:09 +1100 (AEDT) From: Russell Coker To: selinux-refpolicy@vger.kernel.org Reply-To: russell@coker.com.au Subject: restricting desktop applications Date: Thu, 17 Mar 2022 18:28:09 +1100 Message-ID: <3420831.cqPokZtkmC@xev> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org The policy for desktop applications keeps getting larger and more complex and doesn't seem likely to do much good. We have the xdg-desktop-portal package which is described as: xdg-desktop-portal provides a portal frontend service for Flatpak, Snap, and possibly other desktop containment/sandboxing frameworks. This service is made available to the sandboxed application, and provides mediated D-Bus interfaces for file access, URI opening, printing and similar desktop integration features. . The implementation of these interfaces is expected to require user confirmation before responding to the sandboxed application's requests. For example, when the sandboxed application ask to open a file, the portal implementation will open an "Open" dialog outside the sandbox, and will only make the selected file available to the sandboxed app if that dialog is confirmed. . xdg-desktop-portal is designed to be desktop-agnostic, and uses a desktop-environment-specific GUI backend such as xdg-desktop-portal-gtk to provide its functionality. This application is used by Chromium so that the app can run in a sandboxed manner. I think it would make sense to have more applications run in a sandboxed manner and use xdg-desktop-portal for their access to files outside their own sandbox. This would give the security benefits we aim to get from the SE Linux application policy but with greater restrictions (applications can't access each other's files without the user explicitely allowing it) and also providing those benefits to users who don't use SE Linux. It would also be possible for the sandbox supporting launcher to have SE Linux integration and use different MCS categories for the different applications or something. What I would like to see is regular desktop apps get some of the separation that Android apps get. What do you think? -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/