General sandbox specs?

Thomas Leonard tal00r at ecs.soton.ac.uk
Fri Mar 12 19:53:33 EET 2004


On Fri, Mar 12, 2004 at 06:29:34PM +0100, Lars Hallberg wrote:
> Thomas Leonard wrote:
> >For dependancies, you should take a look at (my) zero install stuff. This
> >will let users/sandboxes access any libraries they want without risking
> >the rest of the system:
> >
> >	http://zero-install.sourceforge.net/
[...]
> If the 'mother' system also runs zero install, the sandbox's own zero 
> install cache could be prepopulated with hardlinks to everything 
> already cached?

Better, mount /uri/0install in user mode linux as a read-only host-type
filesystem from the host's /uri/0install. No need for hard-links :-)
The sandboxed app can then pull in stuff through the host's cache.

[...]
> I guess, if one user decides to trust one app, and it's cached - then 
> all users will be trusting this app ('cause there's no 'checking' at all on 
> already cached files?).

I think you'd want to do the checking at a different level (per-user, as
you say). So, anything can get cached, but you might be warned when you
try to run it (you should still be able to read help files from an
untrusted app, for example). Of course, if you've got everything sandboxed
properly, the user shouldn't have to care too much about trusting the
applications anyway...

[...]
> With zero install, everything has a URI, so a sandboxed app foo could 
> have access to:
> 
> ~/sandbox/foo.org/ (for the user's files accessible by the sandboxed app)
> ~/sandbox/foo.org/prefs/ (for preferences only)
> ~/sandbox/shared/ (for shared files between all sandboxed apps)
> /xxx/sandbox/foo.org/ (shared files between users, like a system-wide 
> hiscore)
> /xxx/sandbox/shared (shared between all users and all sandboxed apps)

My plan was a little different... I was thinking of giving the app read
access to anything publicly readable anywhere in the user's home, and
write access to ~/sandbox/.config/foo.org (for prefs). Anything else would
pop up a confirmation box, e.g.:

	"Sandboxed app foo.org/foo wishes to read ~/.gnupg/secring.gpg,
	which is not world-readable. Grant access?"

The UI is the interesting part, though. Ideally, dragging Paper.doc from
my filer to a sandboxed AbiWord would grant AbiWord read permission
automatically, for example (or, better, send it directly over some
stream). That's also the really hard part, though ;-)


-- 
Thomas Leonard			http://rox.sourceforge.net
tal00r at ecs.soton.ac.uk	tal197 at users.sourceforge.net
GPG: 9242 9807 C985 3C07 44A6  8B9A AE07 8280 59A5 3CC1
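The access policy Thomas sketches above (world-readable files anywhere under the user's home are readable, the app's own ~/sandbox/.config/foo.org is writable, everything else raises a confirmation box) written out as a small policy checker. This is an added example, not code from the thread, from zero-install or from ROX; the home directory, the `foo.org` app id, the file modes and the `decide`/`prompt_text`/`request` names are all constructed for illustration.

```python
"""Sandbox file-access policy sketch.

Added example, not zero-install or ROX code.  It encodes the policy from
the mail: a sandboxed app, identified by its domain (e.g. 'foo.org'),
may read anything world-readable under the user's home, may read and
write its own prefs directory ~/sandbox/.config/<app_id>, and every
other access is escalated to the user with a confirmation box.
"""
import os
import stat

ALLOW = "allow"    # grant silently
PROMPT = "prompt"  # ask the user first


def prefs_dir(home, app_id):
    """The directory the app owns outright: ~/sandbox/.config/<app_id>."""
    return os.path.join(home, "sandbox", ".config", app_id)


def _expand(path, home):
    """Turn '~/x' into '<home>/x' and collapse '.' and '..' components."""
    if path == "~" or path.startswith("~/"):
        path = os.path.join(home, path[2:])
    return os.path.normpath(path)


def _inside(path, directory):
    """True if `path` is `directory` itself or lies beneath it (lexically)."""
    directory = os.path.normpath(directory)
    return path == directory or path.startswith(directory + os.sep)


def decide(path, home, app_id, access, file_mode=None):
    """Return ALLOW or PROMPT for one access request.

    `access` is 'read' or 'write'; `file_mode` is the target's st_mode
    (None if it does not exist yet).  The mode is a parameter so the
    policy can be exercised on constructed inputs without touching the
    real filesystem; see request() for the live variant.
    """
    if access not in ("read", "write"):
        raise ValueError("access must be 'read' or 'write'")
    home = os.path.normpath(home)
    path = _expand(path, home)

    # 1. The app's own prefs directory: read and write, no questions asked.
    #    normpath above means 'prefs/../../.gnupg' cannot sneak past this.
    if _inside(path, prefs_dir(home, app_id)):
        return ALLOW
    # 2. Anything world-readable anywhere under the user's home: read only.
    if (access == "read" and _inside(path, home)
            and file_mode is not None and file_mode & stat.S_IROTH):
        return ALLOW
    # 3. Everything else (non-world-readable files, writes outside prefs,
    #    paths outside the home) goes to the user.
    return PROMPT


def prompt_text(path, home, app_id, app_name, access):
    """Wording of the confirmation box, in the form the mail uses."""
    home = os.path.normpath(home)
    path = _expand(path, home)
    shown = "~" + path[len(home):] if _inside(path, home) else path
    if access == "read":
        reason = "which is not world-readable"
    else:
        reason = "which is outside its prefs directory"
    return "Sandboxed app %s/%s wishes to %s %s, %s. Grant access?" % (
        app_id, app_name, access, shown, reason)


def request(path, home, app_id, access):
    """Live check against the real filesystem.

    Symlinks are resolved before the prefix test so a link planted inside
    the prefs directory cannot redirect a silent ALLOW at a file outside it.
    """
    real = os.path.realpath(_expand(path, os.path.normpath(home)))
    try:
        mode = os.stat(real).st_mode
    except FileNotFoundError:
        mode = None
    return decide(real, home, app_id, access, mode)


if __name__ == "__main__":
    HOME = "/home/lars"  # constructed; no real files are touched
    for p, acc, mode in [("~/Paper.doc", "read", 0o100644),
                         ("~/.gnupg/secring.gpg", "read", 0o100600),
                         ("~/sandbox/.config/foo.org/prefs.xml", "write", None)]:
        print(p, acc, decide(p, HOME, "foo.org", acc, mode))
```

The point of keeping `decide` lexical and separate from `request` is that the mode bits and the resolved path are the two inputs that decide everything: a link inside the prefs directory pointing at ~/.gnupg would pass a naive prefix test, which is why `request` calls `os.path.realpath` before consulting the policy.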
