2022-03-17 08:23:35

by Russell Coker

[permalink] [raw]
Subject: restricting desktop applications

The policy for desktop applications keeps getting larger and more complex and
doesn't seem likely to do much good.

We have the xdg-desktop-portal package which is described as:

xdg-desktop-portal provides a portal frontend service for Flatpak, Snap,
and possibly other desktop containment/sandboxing frameworks. This service
is made available to the sandboxed application, and provides mediated
D-Bus interfaces for file access, URI opening, printing and similar
desktop integration features.
.
The implementation of these interfaces is expected to require
user confirmation before responding to the sandboxed application's
requests. For example, when the sandboxed application ask to open a file,
the portal implementation will open an "Open" dialog outside the sandbox,
and will only make the selected file available to the sandboxed app if
that dialog is confirmed.
.
xdg-desktop-portal is designed to be desktop-agnostic, and uses a
desktop-environment-specific GUI backend such as xdg-desktop-portal-gtk
to provide its functionality.


This application is used by Chromium so that the app can run in a sandboxed
manner. I think it would make sense to have more applications run in a
sandboxed manner and use xdg-desktop-portal for their access to files outside
their own sandbox. This would give the security benefits we aim to get from
the SE Linux application policy but with greater restrictions (applications
can't access each other's files without the user explicitely allowing it) and
also providing those benefits to users who don't use SE Linux.

It would also be possible for the sandbox supporting launcher to have SE Linux
integration and use different MCS categories for the different applications or
something.

What I would like to see is regular desktop apps get some of the separation
that Android apps get.

What do you think?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/