(Open to discussion) Filesystem sandbox system
A filesystem sandbox is important to prevent data theft/leaks and user-space rootkits. Each process has its own namespace of schemes (the command "ls :" lists the schemes visible in the current namespace).
The best security model is to let the user decide which folders/files a program can access (as recent Android versions do). This can be done in two ways:
- When the user opens a program, the windowing system asks which folders/files the program may access (similar to the XDG portal file-selection dialog used by XDG-compatible programs).
- The user specifies which folders/files a program can access in a TOML configuration file (edited through a GUI or the terminal).
Terminal
In most cases the folders/files a terminal program touches are given on the command line, so the arguments themselves act as a permission grant.
But an attacker can still install a user-space rootkit through commands or a script. To mitigate this, a permission prompt could be shown for file operations started from the terminal.
Implementation
This will be done with scheme filters: a process can use a directory scheme (home: for /home) or the file: scheme directly.
Example:
home:path/to/folder
file:/path/to/folder
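The following is an added example of what such a scheme filter could look like, written for this page and not taken from the project itself. It assumes URLs have the form scheme:path, that home: is a directory scheme rooted at file:/home (so both spellings of a path normalize to the same canonical key), and that the grants come from either the windowing-system prompt or the TOML configuration described above. The two checks a practitioner cares about are shown: ".." components are resolved before matching (so home:user/pictures/../.ssh cannot slip past a grant on the pictures folder), and matching is done on whole path components rather than string prefixes (so a grant on home:docs does not also cover home:docs-private). The scheme names and grant list are constructed for the example.

```rust
// Added example: an allow-list scheme filter for a per-process namespace.
// Hypothetical code, not the project's own implementation. Assumptions:
//  - URLs have the form `scheme:path`;
//  - `home:` is a directory scheme rooted at `file:/home`, so both spellings
//    of a path are normalized to the same canonical key before matching.
use std::collections::HashMap;

/// Directory schemes that are aliases for a subtree of `file:`.
/// (Assumption for the example: only `home:` is mapped.)
fn scheme_roots() -> HashMap<&'static str, &'static str> {
    let mut m = HashMap::new();
    m.insert("home", "/home");
    m
}

/// Split `scheme:path`, map directory schemes onto `file:`, and resolve
/// `.` / `..` components. Returns None for malformed URLs and for paths
/// that try to climb above the scheme root (a classic traversal trick).
pub fn canonicalize(url: &str) -> Option<(String, Vec<String>)> {
    let (scheme, path) = url.split_once(':')?;
    if scheme.is_empty() {
        return None;
    }
    let roots = scheme_roots();
    let (scheme, path) = match roots.get(scheme) {
        Some(root) => ("file".to_string(), format!("{}/{}", root, path)),
        None => (scheme.to_string(), path.to_string()),
    };
    let mut parts: Vec<String> = Vec::new();
    for comp in path.split('/') {
        match comp {
            "" | "." => {}
            // Popping past the root means the path escapes the scheme: reject.
            ".." => {
                parts.pop()?;
            }
            c => parts.push(c.to_string()),
        }
    }
    Some((scheme, parts))
}

/// The set of (scheme, path-prefix) grants attached to one process.
pub struct SchemeFilter {
    grants: Vec<(String, Vec<String>)>,
}

impl SchemeFilter {
    /// Build a filter from grant URLs; malformed grants are silently dropped.
    pub fn new(grants: &[&str]) -> SchemeFilter {
        SchemeFilter {
            grants: grants.iter().filter_map(|g| canonicalize(g)).collect(),
        }
    }

    /// A URL is allowed only if its scheme matches a grant and its components
    /// start with the granted components. Comparing whole components, not
    /// string prefixes, keeps `home:docs` from also granting `home:docs-private`.
    pub fn allows(&self, url: &str) -> bool {
        match canonicalize(url) {
            None => false,
            Some((scheme, parts)) => self.grants.iter().any(|(gs, gp)| {
                *gs == scheme && parts.len() >= gp.len() && parts[..gp.len()] == gp[..]
            }),
        }
    }
}

fn main() {
    // Constructed grants for a hypothetical image viewer: the user's pictures
    // folder, its own config file, and the whole (harmless) `time:` scheme.
    let filter = SchemeFilter::new(&["home:user/pictures", "file:/etc/viewer.toml", "time:"]);
    for url in [
        "home:user/pictures/cat.png",
        "file:/home/user/pictures/../.ssh/id_ed25519",
        "home:user/pictures-private/x",
        "file:/etc/viewer.toml",
        "home:../../etc/passwd",
    ] {
        let verdict = if filter.allows(url) { "allow" } else { "deny" };
        println!("{:<48} {}", url, verdict);
    }
}
```

The filter is deliberately fail-closed: anything that does not canonicalize (no scheme, or a ".." that escapes the root) is denied rather than passed through, and a grant on a bare scheme such as time: is the only way to open up a whole scheme.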