sandbox security templates

Bug #156693 reported by Link on 2007-10-24

Bug Description

While Apparmor is a good start and is already useful, I think it is still too low level for "Joe Sixpack" or "Aunt May" to use.

Scenarios that they could easily be taught to handle _reasonably_ safely would be something like the following:

Assume the user launches "some_game".

Scenario A:
user gets a dialog box with a thick red border:
some_game requests "Administrator" privileges to run. Allow?

Possible options:

[ ] Always allow

Button: Advanced>>

<font color="red">WARNING!!!</font> running something with "Administrator" privileges could expose your computer and data to security problems.

Scenario B
user gets a non-scary dialog box
some_game requests "Guest game" privileges to run. Allow?

Possible options:

[ ] Always allow

Button: Advanced>>

Scenario C
user doesn't get a dialog box at all -
i) the program is signed by a trusted authority (either user trusted, or O/S vendor), and if it is requesting a custom sandbox execution template, that template is signed by a trusted party, and the certs, program and template are not on a blacklist/revoked list (in which case a warning/error should appear).
ii) a previous "always allow" applies to the program and sandbox template.

I'm not saying that apparmor should do all this, but rather that it might be possible to build something like this on top of Apparmor.

This of course isn't easy to implement. It would likely require standardization and deciding of many things - application specific directories, application specific temporary directories, different directories where files can be shared, network access, audio recording/playback access (most stuff shouldn't be able to secretly record sound and send it out over the network ;) ), input device access, what's allowed to run in fullscreen or windowed, so on and so forth.

And of course a manageable list of standard templates that will fit 90% of the popular apps (email program, browser, word processor, music player, etc), and be understandable/recognizable to "Joe Sixpack".

Still, I suggest that something like this is the way to go. For one, it should be easier to figure out whether a sandbox template is unsafe than it is to figure out whether a program would misbehave or not (which is similar to solving a halting problem ;) ).

Lastly, I'm no expert in UI design or programming. I'm not even sure we should call this sandbox template - as it seems to be used by wikis. It's a bit similar in philosophy to Design by Contract, but execution contract might get the law enforcement people a bit too excited :p.
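As an illustration of what one of the proposed templates could look like when built on top of AppArmor, here is an added example of a "Guest game" template written as an AppArmor profile (this is not code from the bug reporter or from the AppArmor project; the profile name, the game binary path and all directory names are assumed). It maps the categories listed above (application directories, temporary directories, a shared directory, network, audio playback vs. recording, input devices) onto profile rules; AppArmor is default-deny, so anything not listed is refused.

```apparmor
# Constructed example: "Guest game" sandbox template as an AppArmor profile.
# The game name, its binary and all paths below are assumptions.
#include <tunables/global>

profile guest_game /usr/games/some_game {
  #include <abstractions/base>
  #include <abstractions/X>
  #include <abstractions/audio>

  # Application-specific directories, writable only by the owning user.
  owner @{HOME}/.local/share/some_game/** rw,
  owner @{HOME}/.config/some_game/** rw,

  # Application-specific temporary directory.
  owner /tmp/some_game-*/** rw,

  # One shared directory for exchanging files (saves, screenshots).
  owner @{HOME}/Games/shared/** rw,

  # The game's own data files, read-only.
  /usr/share/games/some_game/** r,

  # A guest game gets no network access at all.
  deny network,

  # Playback is allowed via abstractions/audio; ALSA capture devices
  # (pcmC<card>D<dev>c) are denied so the game cannot record sound.
  deny /dev/snd/pcmC*D*c rw,

  # Input devices: the generic event interface only.
  /dev/input/event* r,

  # No launching of other programs from inside the sandbox.
  deny /usr/bin/** x,
  deny /bin/** x,
}
```

Items such as "fullscreen or windowed" cannot be expressed at this level; they would have to be enforced by the desktop layer that the description imagines sitting on top of AppArmor.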


drx (drx) wrote :

Why should a game or any other application that is
1. not part of the distribution and
2. "aunt mary" can launch from the desktop
need administrator privileges to run?

Link (lincoln-yeoh) wrote :

Exactly! Why should a program say it needs full privileges when there would be "guest game" or "game installer" security templates.

ianaré (ianare) wrote :

I like the idea of making the dialog boxes 'louder' as the requested privilege escalates. The 'cancel/allow' option is a terrible idea though (see win-Vista), people will just get used to clicking on 'allow' to get their game going. Password input should always be required.

Adam Niedling (krychek) wrote :

I'm closing this as it's not a bug. Please suggest your ideas on . This is not a bad idea and it will be more looked at on brainstorm.
