Re: Sandboxed Gnome apps

From: Federico Mena Quintero <federico gnome org>
To: Alexander Larsson <alexl redhat com>
Cc: gnome-os-list <gnome-os-list gnome org>
Subject: Re: Sandboxed Gnome apps
Date: Fri, 05 Sep 2014 13:20:37 -0500

On Thu, 2014-09-04 at 19:05 +0200, Alexander Larsson wrote:

4. IPC stability guarantees


During GUADEC, Dodji Seketeli told me about a tool he's working on to
determine whether a C/C++ API/ABI has changed.  This is not IPC
stability, of course, but it may definitely come in handy to ensure the
general sanity of the ABI.

http://gcc.gnu.org/wiki/ABIInstrumentation

It should be easy to do a comparison of DBus interfaces, right?  I guess
you could introspect them, serialize the results, and compare them.  I
don't know how this would work without having to introspect both pieces
of code you are testing.

5. Sandboxing APIs

   In a sandboxed environment app code doesn't have access to most of
   the host system. However, apps still need some ways to securely
   access various services (like users files, hw, host services, etc).
   We need to define these APIs, and whatever security layer protects
   against their misuse.


Does anyone have ideas for how to sandbox a traditional app so as to
restrict its access to files, DBus onto other processes, etc. - even if
the app doesn't work at first?  I'd like to see where things start
failing and then seeing how to open up those bits via DBus interfaces,
rather than taking an everything-open application and closing it down.

  Federico

Follow-Ups:
- Re: Sandboxed Gnome apps
  - From: Alexander Larsson

References:
- Sandboxed Gnome apps
  - From: Alexander Larsson

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]