General sandbox specs?

Lars Hallberg spam at
Fri Mar 12 19:29:34 EET 2004

Thomas Leonard wrote:

>>* For the sandbox itself, what libs etc. are available. Possibly a 
>>'dependency' standard where each package can tell what it needs - then 
>>the underlying distro can be asked if these dependencies exist and 
>>possibly offer to automatically install them.
>For dependencies, you should take a look at (my) zero install stuff. This
>will let users/sandboxes access any libraries they want without risking
>the rest of the system:

Cool stuff! Very cool!

So the sandbox can be pretty small and preset with the zero install 
system, 'booted', then the sandboxed app is just called, and cached in 
the sandbox's own cache by zero install, with all dependencies!

This also means that packaging software for the 'sandbox' and for zero 
install could be the exact same thing. It only needs to be done once, and 
only needs to be distributed through one URI!

If the 'mother' system also runs zero install, the sandbox's own zero 
install cache could be prepopulated with hardlinks to everything 
already cached?

Ideally, this should be integrated. So you have a set of trusted 
authors/distributors. If the software is trusted, it's just run; if not, 
it's sandboxed, possibly after querying the user for trust like:

This software is from foo bar and needs network access

[ ] I trust it to run as an ordinary application
[*] I trust it to run sandboxed
[ ] I don't trust this software to run at all

The wording should probably be less geeky :-)

One set of trust on the system level, which also decides what kind of 
trust the users are allowed to grant themselves. And one set of additional 
trust for each user.

Distributions can be just a list of trusted authors/distributors. Then 
one can actually 'run' more distributions at once. Say, the sysadmin trusts: 
foo hacker network, bar hacker network, greedy corporation and cool app 
author john smith. For any other software, ask the user, but only allow 
them to run it sandboxed, except user super, who can decide to trust 
software completely, and user guest, who can't even trust it to be sandboxed!

I guess, if one user decides to trust one app, and it's cached - then 
all users will be trusting this app (because there's no 'checking' at all on 
already cached files?).

>>But the first question is, is it at all possible, and if so, how is it 
>>best done, and how much effort is needed?
>The actual sandboxing is quite easy, but getting trusted and untrusted
>apps to integrate well is much harder (drag-and-drop, copy-and-paste,
>shared file system, etc).
With zero install, everything has a URI, so a sandboxed app foo could 
have access to:

~/sandbox/ (for the user's files accessible by the sandboxed app)
~/sandbox/ (for preferences only)
~/sandbox/shared/ (for shared files between all sandboxed apps)
/xxx/sandbox/ (shared files between users, like a system wide 
/xxx/sandbox/shared (shared between all users and all sandboxed apps)

Possibly have some other name than 'sandbox' in the path, so the same 
locations can be used whether it's sandboxed or not, with the difference 
that when it's sandboxed, it *only* sees these paths, and the necessary 
system ones read only.

The users have to move/copy files to one of these folders to make them 
accessible to sandboxed apps. Some helper app might hold shortcuts to 
these for all running sandboxes.

Full integration would be cool. But the sandbox is probably most used 
for entertainment and games. But stuff like client side functionality for 
a website's own CMS, some cool P2P stuff, and others might be useful. But 
the 'copy to accessible folder' should make stuff useful.... for full 
integration you have to trust the app. I think that's reasonable, at least 
for a start.

This zero install is very cool, makes for a very minimal dist that 
still has everything. Just fire up, say, an MTA configurator (by URI, 
cached if needed), make the configuration (possibly choose the actual MTA 
based on the needed features), go root only for copying the config into 
place and starting the daemon (which is then cached if needed) - or even, ask 
some system software to do this copying and activation while checking if 
the user has the rights to do this, without the user ever needing to go root!

The dist only needs to be the kernel, network, the zero install stuff and 
what's needed to run them. Then the URI to some installers! And perhaps 
some initial trust :-)


More information about the xdg mailing list
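An added example, not part of the post above and not Zero Install code: a small model of the two-level trust policy (a system-level list of trusted origins plus a cap on what each user may grant themselves, with the "super" and "guest" cases from the post) and of the sandbox path layout (sandbox folders writable, a few system trees read-only, everything else hidden). The names SystemPolicy, sandbox_view, the set of read-only system trees and the sample users are assumptions; "/xxx/sandbox" is kept as the post's own placeholder.

```python
# Added example modelling the trust policy and sandbox path layout sketched
# in the post. Names (SystemPolicy, sandbox_view, the read-only system trees)
# are assumptions, not a real Zero Install or xdg interface.
from dataclasses import dataclass, field
from enum import IntEnum
import posixpath


class Trust(IntEnum):
    NONE = 0       # "I don't trust this software to run at all"
    SANDBOXED = 1  # "I trust it to run sandboxed"
    FULL = 2       # "I trust it to run as an ordinary application"


@dataclass
class SystemPolicy:
    # Sysadmin's list of trusted authors/distributors: their software just runs.
    trusted_origins: frozenset
    # Highest level an ordinary user may grant themselves (post: sandboxed only).
    default_max_grant: Trust = Trust.SANDBOXED
    # Per-user overrides (post: "super" may trust fully, "guest" not even sandboxed).
    user_max_grant: dict = field(default_factory=dict)
    # Each user's own additional trust decisions, keyed by origin.
    user_grants: dict = field(default_factory=dict)

    def max_grant(self, user):
        return self.user_max_grant.get(user, self.default_max_grant)

    def grant(self, user, origin, level):
        """Record a user's trust decision, capped by what the system allows."""
        capped = Trust(min(level, self.max_grant(user)))
        self.user_grants.setdefault(user, {})[origin] = capped
        return capped

    def decide(self, user, origin):
        """Return (trust, ask_user). The decision is keyed on the origin,
        not on whether the files already sit in some cache."""
        if origin in self.trusted_origins:
            return Trust.FULL, False
        cap = self.max_grant(user)
        if cap == Trust.NONE:
            return Trust.NONE, False   # nothing to ask: user may not run it at all
        granted = self.user_grants.get(user, {}).get(origin)
        if granted is None:
            return Trust.NONE, True    # unknown origin: show the trust dialog
        return Trust(min(granted, cap)), False


def sandbox_view(path, home):
    """What a sandboxed app sees at `path`: 'rw', 'ro' or None (hidden).
    Only the sandbox folders from the post are writable; an assumed set of
    system trees is read-only; everything else is invisible."""
    p = posixpath.normpath(path)   # collapses "..", so escapes are caught
    rw_roots = (posixpath.join(home, "sandbox"), "/xxx/sandbox")
    ro_roots = ("/usr", "/lib", "/etc")   # assumed "necessary system" paths

    def under(root):
        return p == root or p.startswith(root.rstrip("/") + "/")

    if any(under(r) for r in rw_roots):
        return "rw"
    if any(under(r) for r in ro_roots):
        return "ro"
    return None


if __name__ == "__main__":
    # Constructed sample: sysadmin trusts two origins, super/guest overridden.
    policy = SystemPolicy(
        trusted_origins=frozenset({"foo hacker network", "john smith"}),
        user_max_grant={"super": Trust.FULL, "guest": Trust.NONE},
    )
    print(policy.decide("alice", "foo hacker network"))         # (FULL, False)
    print(policy.decide("alice", "unknown.example"))            # (NONE, True)
    print(policy.grant("alice", "unknown.example", Trust.FULL))  # capped: SANDBOXED
    print(policy.decide("guest", "unknown.example"))            # (NONE, False)
    print(sandbox_view("/home/alice/sandbox/shared/x", "/home/alice"))        # rw
    print(sandbox_view("/home/alice/sandbox/../.ssh/id_rsa", "/home/alice"))  # None
```

Two design points worth noting: a user's grant is capped at record time and again at decision time, so lowering a user's cap later takes effect without having to scrub stored grants; and the path check normalises before comparing prefixes, so a `..` inside a sandbox path cannot reach the user's other files.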