General sandbox specs?

Lars Hallberg spam at
Fri Mar 12 20:56:16 EET 2004

Thomas Leonard wrote:

>>If the 'mother' system also runs zero install, the sandbox's own zero 
>>install cache could be prepopulated with hardlinks to everything 
>>already cached?
>Better, mount /uri/0install in user mode linux as a read-only host-type
>filesystem from the host's /uri/0install. No need for hard-links :-)
>The sandboxed app can then pull in stuff through the host's cache.
I was kind of thinking, if the app is untrusted, you don't want it to 
drag stuff into the main cache. And also, remove the sandbox, and you have 
removed all dependencies the sandboxed app has pulled in! But sharing a 
cache between all sandboxes is probably a good idea. Then the deps will 
not disappear with the sandbox, but the gain is probably bigger and you 
can clean that cache more aggressively if you like.

Actually, if having two caches, then it is probably possible for zero install 
to check the other cache before downloading and just hardlink if it's 
already downloaded in the other cache.

Hmm... guess each sandbox having its own cache is best for a start, for 
otherwise you have to depend on changes to zero install, and that zero 
install is running on the mother system :-/

>>I guess, if one user decides to trust one app, and it's cached - then 
>>all users will be trusting this app (because there's no 'checking' at all on 
>>already cached files?).
>I think you'd want to do the checking at a different level (per-user, as
>you say). So, anything can get cached, but you might be warned when you
>try to run it (you should still be able to read help files from an
>untrusted app, for example). Of course, if you've got everything sandboxed
>properly, the user shouldn't have to care too much about trusting the
>applications anyway...
Sorry, I was unclear here. I was so intrigued by the zero install 
concept. But this really applies to a 'mother' system running zero install, 
not at all to the sandbox itself.

I guess, as a sysop, I want to decide what sources are trusted, and if 
someone is attempting to cache an executable which is not signed by a 
trusted source, it will not be installed in the main cache, but the user 
might be offered to run it through a sandbox. The same with libs, which 
makes for a problem, because as you point out... docs should be accessible.

If I understand zero install right, if something already is in the cache, 
it is just run/loaded without any check. So once approved, it's available 
to everyone! That's another reason why I don't want sandboxed apps to 
pull stuff into the main cache!

But I don't know if you think a possibility to configure what sources are 
trusted is at all a good feature for zero install. I believe so, but I'm 
quite new to the concept :-)

>>With zero install, everything has a URI, so a sandboxed app foo could 
>>have access to:
>>~/sandbox/ (for the user's files accessible by the sandboxed app)
>>~/sandbox/ (for preferences only)
>>~/sandbox/shared/ (for shared files between all sandboxed apps)
>>/xxx/sandbox/ (shared files between users, like a system wide 
>>/xxx/sandbox/shared (shared between all users and all sandboxed apps)
>My plan was a little different... I was thinking of giving the app read
>access to anything publically readable anywhere in the user's home, and
>write access to ~/sandbox/.config/ (for prefs). Anything else would
>pop up a confirmation box, eg:
>	"Sandboxed app wishes to read ~/.gnupg/secring.gpg,
>	which is not world-readable. Grant access?"
>The UI is the interesting part, though. Ideally, dragging Paper.doc from
>my filer to a sandboxed AbiWord would grant AbiWord read permission
>automatically, for example (or, better, send it directly over some
>stream). That's also the really hard part, though ;-)
I was thinking more quick and dirty :-) What minimal functionality can 
be achieved only by the setup of the sandbox, no added system functionality.
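The access policy Thomas sketches above (silent read access to world-readable files in the user's home, silent write access to ~/sandbox/.config/, a confirmation box for everything else) is concrete enough to write down as a decision function. The following is an added example for this archived thread, not code from either poster or from the zero install project; the function names, the `ask` callback standing in for the confirmation box, and the sample paths are this example's own assumptions. The ~/sandbox/.config/ location and the wording of the prompt come from the quoted reply.

```python
import os
import stat
from pathlib import Path

# Hypothetical policy verdicts; the names are this example's own.
ALLOW = "allow"
PROMPT = "prompt"
DENY = "deny"

# Where the sandboxed app may write preferences without asking (from the thread).
CONFIG_SUBDIR = Path("sandbox/.config")


def decide(path, want_write, home, st_mode):
    """Pure policy check: returns ALLOW or PROMPT.

    st_mode is the file's mode bits (as from os.stat(...).st_mode), passed in
    explicitly so the rule can be exercised without touching the filesystem.
    Rules as sketched in the quoted reply:
      - reads of world-readable files inside the user's home are allowed;
      - writes inside ~/sandbox/.config/ are allowed;
      - everything else is referred to the user via a confirmation box.
    """
    home_dir = Path(home).resolve()
    # Resolve symlinks first: a link inside $HOME that points elsewhere
    # must be judged by where it really points, not by its name.
    target = Path(path).resolve()
    try:
        rel = target.relative_to(home_dir)
    except ValueError:
        return PROMPT  # outside the home directory: never granted silently
    if want_write:
        if rel == CONFIG_SUBDIR or CONFIG_SUBDIR in rel.parents:
            return ALLOW
        return PROMPT
    if st_mode & stat.S_IROTH:
        return ALLOW  # world-readable: any local process could read it anyway
    return PROMPT


def prompt_message(path, want_write, home):
    """Build the confirmation text in the style of the quoted example."""
    home_dir = Path(home).resolve()
    try:
        shown = "~/" + str(Path(path).resolve().relative_to(home_dir))
    except ValueError:
        shown = str(path)
    if want_write:
        verb, reason = "write", "which is outside ~/%s/" % CONFIG_SUBDIR
    else:
        verb, reason = "read", "which is not world-readable"
    return "Sandboxed app wishes to %s %s, %s. Grant access?" % (verb, shown, reason)


def handle_request(path, want_write, home, ask):
    """Full flow: consult the policy, otherwise ask the user.

    `ask` is a hypothetical UI hook: it receives the message and returns
    True if the user grants access.
    """
    try:
        st_mode = os.stat(path).st_mode
    except FileNotFoundError:
        st_mode = 0  # a missing file is treated as not world-readable
    if decide(path, want_write, home, st_mode) == ALLOW:
        return ALLOW
    return ALLOW if ask(prompt_message(path, want_write, home)) else DENY


def decline(message):
    """Stand-in for the confirmation box: show the text, always refuse."""
    print(message)
    return False


if __name__ == "__main__":
    home = os.path.expanduser("~")
    # Constructed requests walked through the policy; nothing is modified.
    requests = [(os.path.join(home, "Paper.doc"), False),
                (os.path.join(home, "sandbox", ".config", "abiword.rc"), True),
                (os.path.join(home, ".gnupg", "secring.gpg"), False)]
    for p, w in requests:
        print(p, "write" if w else "read", handle_request(p, w, home, decline))
```

Two things a real implementation would have to do differently: the check here is made on a path name, so a file that is swapped between the check and the actual open would slip through; a sandbox that mediates opens should decide on the already-opened descriptor (fstat) instead. And the world-readable test only covers the file's own mode bits, not whether every directory on the way to it is traversable, which is what actually determines whether another local process could have read it.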