Can we tell what cgroup a process is in, in a race-condition-free way that cannot be defeated by causing a carefully-timed pid reuse? (See https://gitlab.freedesktop.org/dbus/dbus/-/issues/108) Presumably we are assuming that only processes in the trusted computing base will be allowed to move processes between cgroups, create new cgroups, or mark cgroups with metadata. (How) Is that enforced? Does this mean that putting each app-instance in a new cgroup would be load-bearing, such that Flatpak (and Snap) would need to "fail closed" and refuse to run any app if it cannot first put the process into a suitably marked cgroup? That would give Flatpak a hard dependency on

The other way this could potentially be done, which is likely more secure because it "fails closed" rather than "failing open", would be for host apps to be put in a cgroup (or put themselves into a cgroup if necessary), marked with xattrs that mean: "I am a host app, and you can know this securely because if I wasn't, then I wouldn't have been able to create this cgroup"?
Instead of having separate logic for host, flatpak and snap apps, we could use cgroups and xattrs on the cgroups to authenticate apps and carry metadata that we need in the portal (and other services).
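Added example (not code from this discussion or from xdg-desktop-portal, Flatpak or Snap): a Python sketch of the checks both comments describe, reading a caller's cgroup from /proc without a pid-reuse window and treating a cgroup as authenticated only if it carries a marker xattr. The xattr name `user.xdp.app-id` and the premise that only the trusted computing base can write xattrs on cgroup directories are assumptions.

```python
"""Added example (not xdg-desktop-portal, Flatpak or Snap code).
Assumes cgroup v2 at /sys/fs/cgroup and, as the thread presumes, that only
the trusted computing base can create cgroups or set xattrs on them, so a
hypothetical user.xdp.app-id xattr cannot be forged by an ordinary app."""
import os
import signal
from typing import Callable, Optional

CGROUP_ROOT = "/sys/fs/cgroup"
APP_ID_XATTR = "user.xdp.app-id"  # hypothetical name

def parse_proc_cgroup(text: str) -> Optional[str]:
    """Return the cgroup v2 path from /proc/<pid>/cgroup contents: the line
    '0::/user.slice/app-org.example.Foo.scope'. v1 lines ('12:memory:/foo')
    are ignored; None if there is no v2 line."""
    for line in text.splitlines():
        hier, sep, rest = line.partition(":")
        if sep and hier == "0" and rest.startswith(":"):
            return rest[1:]
    return None

def app_id_from_cgroup(path: str, getxattr: Optional[Callable] = None) -> Optional[str]:
    """Fail closed: an app id is returned only if the cgroup directory carries
    the marker xattr; a missing or unreadable xattr means 'unknown'."""
    getxattr = getxattr or os.getxattr  # injectable for offline testing
    try:
        return getxattr(CGROUP_ROOT + path, APP_ID_XATTR).decode()
    except OSError:
        return None

def cgroup_of_pid(pid: int) -> Optional[str]:
    """Read /proc/<pid>/cgroup while holding a pidfd, then confirm the same
    process is still alive: a pid cannot be recycled while its process exists,
    so the data read in between belonged to that process. The pidfd only helps
    if it is taken before the pid could be reused (ideally handed over by the
    kernel together with the connection, not derived from a bare pid later)."""
    pidfd = os.pidfd_open(pid)  # raises ProcessLookupError if pid is gone
    try:
        with open(f"/proc/{pid}/cgroup") as f:
            path = parse_proc_cgroup(f.read())
        signal.pidfd_send_signal(pidfd, 0)  # ESRCH if the process exited
        return path
    except OSError:  # exited mid-read (or unreadable): report nothing
        return None
    finally:
        os.close(pidfd)

if __name__ == "__main__":
    me = cgroup_of_pid(os.getpid())
    print("cgroup:", me, "app id:", app_id_from_cgroup(me) if me else None)
```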