General sandbox specs?
spam at micropp.se
Fri Mar 12 19:29:34 EET 2004
Thomas Leonard wrote:
>>* For the sandbox itself, what libs etc. are available. Possibly a
>>'dependency' standard where each package can tell what they need - then
>>the underlying distro can be asked if these dependencies exist and
>>possibly offer to automatically install them.
>For dependencies, you should take a look at (my) zero install stuff. This
>will let users/sandboxes access any libraries they want without risking
>the rest of the system:
Cool stuff! Very cool!
So the sandbox can be pretty small and preset with the zero install
system, 'booted', then the sandboxed app is just called, and cached in
the sandbox's own cache by zero install, with all dependencies!
This also means that packaging software for the 'sandbox' and for zero
install could be the exact same thing. Only needs to be done once, only
needs to be distributed through one URI!
If the 'mother' system also runs zero install, the sandbox's own zero
install cache could be prepopulated with hardlinks to everything
Ideally, this should be integrated. So you have a set of trusted
authors/distributors. If the software is trusted, it's just run; if not,
it's sandboxed, possibly after querying the user for trust like:
This software is from foo bar and needs network access
[ ] I trust it to run as an ordinary application
[*] I trust it to run sandboxed
[ ] I don't trust this software to run at all
The wording should probably be less geeky :-)
One set of trust on the system level, that also decides what kind of
trust the users are allowed to grant themselves. And one set of additional
trust for each user.
Distributions can be just a list of trusted authors/distributors. Then
one can actually 'run' more distributions at once. Say, the sysadmin trusts:
foo hacker network, bar hacker network, greedy corporation and cool app
author john smith. For any other software, ask the user, but only allow
them to run it sandboxed, except user super, who can decide to trust
software completely, and user guest, who can't even trust it to be sandboxed!
I guess, if one user decides to trust one app, and it's cached - then
all users will be trusting this app (because there's no 'checking' at all on
already cached files?).
>>But the first question is, is it at all possible, and if so, how is it
>>best done, and how much effort is needed?
>The actual sandboxing is quite easy, but getting trusted and untrusted
>apps to integrate well is much harder (drag-and-drop, copy-and-paste,
>shared file system, etc).
With zero install, everything has a URI, so a sandboxed app foo could
have access to:
~/sandbox/foo.org/ (for the user's files accessible by the sandboxed app)
~/sandbox/foo.org/prefs/ (for preferences only)
~/sandbox/shared/ (for shared files between all sandboxed apps)
/xxx/sandbox/foo.org/ (shared files between users, like a system-wide
/xxx/sandbox/shared (shared between all users and all sandboxed apps)
Possibly have some other name than 'sandbox' in the path, so the same
locations can be used whether it's sandboxed or not, with the difference
that when it's sandboxed, it *only* sees these paths, and the necessary
system ones read-only.
The users have to move/copy files to one of these folders to make them
accessible for sandboxed apps. Some helper app might hold shortcuts to
these for all running sandboxes.
Full integration would be cool. But the sandbox is probably most used
for entertainment and games. But stuff like client-side functionality for
a website's own CMS, some cool P2P stuff, and others might be useful. But
the 'copy to accessible folder' should make stuff useful.... For full
integration you have to trust the app. Think that's reasonable, at least
for a start.
This zero install is very cool, makes for a very minimal dist that
still has everything. Just fire up, say, an MTA configurator (by URI,
cached if needed), make the configuration (possibly choose the actual MTA
based on the needed features), go root only for copying the config in
place and starting the daemon (which is then cached if needed) - or even, ask
some system software to do this copying and activation while checking if
the user has the rights to do this, without the user ever needing to go root!
The dist only needs to be the kernel, network, the zero install stuff and
what's needed to run them. Then the URI to some installers! And perhaps
some initial trust :-)
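An added example (not part of the original mail or of zero install) that models the two-level trust scheme and the per-app path layout sketched above: the system-wide trusted set, the per-user cap (super may grant full trust, guest nothing, everyone else sandbox only), and the directories a sandboxed app is allowed to write. The function names, the `/home/alice` home and the `/xxx/sandbox` placeholder for the unnamed system-wide location are my assumptions.

```python
from urllib.parse import urlparse

# Trust levels, lowest to highest (ordered so an index comparison works).
LEVELS = ["none", "sandbox", "full"]

# Authors/distributors the sysadmin trusts system-wide (names from the mail).
SYSTEM_TRUSTED = {"foo hacker network", "bar hacker network",
                  "greedy corporation", "john smith"}

# The most a given user may grant to software the system does not trust.
# Anyone not listed gets the default: sandboxed only.
USER_MAX_GRANT = {"super": "full", "guest": "none"}
DEFAULT_MAX_GRANT = "sandbox"


def decide(author, user, user_grants):
    """Return 'run', 'sandbox', 'ask' or 'deny' for software from `author`
    launched by `user`. `user_grants` maps user -> {author: level}; grants
    are kept per user, so one user's trust never carries over to another
    even when the package already sits in the shared zero-install cache."""
    if author in SYSTEM_TRUSTED:
        return "run"
    cap = USER_MAX_GRANT.get(user, DEFAULT_MAX_GRANT)
    if cap == "none":
        return "deny"                   # e.g. guest: no untrusted software at all
    granted = user_grants.get(user, {}).get(author)
    if granted is None:
        return "ask"                    # query the user, offering at most `cap`
    # A user can never grant more than the system-level cap allows them.
    effective = LEVELS[min(LEVELS.index(granted), LEVELS.index(cap))]
    return {"full": "run", "sandbox": "sandbox", "none": "deny"}[effective]


def sandbox_paths(app_uri, home="/home/alice", system_root="/xxx/sandbox"):
    """The only writable locations a sandboxed app sees, keyed by purpose.
    The per-app directory is named after the host part of the app's URI
    (foo.org for http://foo.org/...); `system_root` stands in for the
    mail's unnamed '/xxx/sandbox' system-wide location (placeholder)."""
    site = urlparse(app_uri).hostname or app_uri
    return {
        "user_private":   f"{home}/sandbox/{site}/",
        "user_prefs":     f"{home}/sandbox/{site}/prefs/",
        "user_shared":    f"{home}/sandbox/shared/",
        "system_private": f"{system_root}/{site}/",
        "system_shared":  f"{system_root}/shared/",
    }


if __name__ == "__main__":
    grants = {"alice": {"unknown corp": "full"}, "super": {"unknown corp": "full"}}
    for user in ("alice", "super", "guest", "bob"):
        print(user, decide("unknown corp", user, grants))
    print(sandbox_paths("http://foo.org/apps/game"))
```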