-
-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sandbox "privileges" file #5
Comments
Another approach would be the use of portals. |
Portals aren't good enough. For example, you may need to:
|
Portals have a major problem : they force developers to modify their application just for AppImages (this is useless for .deb or .rpm packages, and on Windows and macOS), which is problematic especially for cross-platform applications. Firejail uses a profile database. It however means that a completely new application won't work until its profile is added to the Firejail database. And completely unsupported apps won't work in sandbox without requiring the user to make custom profiles. Personally, I would use the same approach as macOS : there is one default profile for every AppImages, and app developers can specify a "privilege" file in their package if their app needs more permissions. This allows developers to support AppImage sandboxing without modifying its codebase, and keeps sandboxing easy and transparent for the user. |
Since this was bumped I recommend you use aisap if you want to sanbox appimages: https://github.com/mgord9518/aisap It has a internal database of appimages. And also has levels of permissions Also in AM we expanded it further, by default all appimages get level2 sandbox and access to respective directory in |
In any cases, it will be necessary that the user might override some or all of the permissions (althoug this feature does not need to be a part of AppImage itself; it can be handled by separate programs). (It would be helpful to also allow the user to substitute I/O; while stdin/stdout does a part of that, it won't do everything, e.g. a program might request camera access but you will want to grant permission to read a video file instead, or to read the output of a different program that applies effects to the picture received from the camera. This also does not need to be a part of AppImage, and should be done by other parts of the oeprating system.) Additionally, it might sometimes make sense to allow priviliegs to be grouped together (and allow the definitions of the groups to be altered by system administrators, or sometimes by other things too such as environment variables), e.g. a program that uses SDL can specify its use of the "SDL1(video,audio)" privilege group, to indicate that it uses SDL1 with the video and audio subsystems; the author of a program will not have to worry about how exactly that maps to the privileges that SDL1 uses on the target computer. (Another example would be X vs Wayland in versions of SDL that support both.) The "aisap" permission levels are similar than the grouping that I mentioned above, although it is a simpler way which does not consider that the definitions of such groups may sometimes need to be changed according to circumstances. In addition, my comment on July 16 mentions additional considerations which may be required for some programs (my "Free Hero Mesh" software requires all five of those considerations). It is helpful for AppImage files to be able to optionally include a sandbox permissions file, so that the user can know which permissions are required when using other programs to implement the sandbox. |
The way I envision it:
|
What should be in a hypothetical
|
Aisap also accepts individual permissions from a config file. We don't use it in AM though, since the sandbox script that gets put in PATH can already be modified to add/remove permissions. Also the
It means that you can request a specific sandbox level from |
If a "privilege" file is added, it shouldn't use the format of any existing sandbox privilege file, to not give the priority to that sandbox. I think that sandbox software should also see if the AppImage is signed, and if it isn't it should show a warning when it asks the users to agree the permissions of the app. Furthermore, it should also look for "dangerous" permissions, eg. read-write access to the full filesystem, and warn the user for them. |
After thinking for a while, I propose the following :
If the profile found was never used, a dialog should be shown to the user, who can then allow or deny specific permission (instead of saying I agree to all or I can't use sandbox). In addition to that, if the system detects a "dangerous" permission (e.g. read-write access to the full filesystem), a warning is put on that dialog. If the used profile is modified, then the system only shows the new permissions, if there are none the new profile is automatically used. One thing that could be added is the ability to specify if the permission is required or optional. By "system" I mean any wrapper around the execution of an AppImage. |
As briefly discussed here. It would be nice if we could have a file that defines which "privileges" an AppImage needs when running in a sandbox.
For example:
Similar to how Android and iOS ask for the users permission when an app is trying to do something like "Access the Camera" or "Access Contacts".
The text was updated successfully, but these errors were encountered: