Program sandboxing approach
Created by: DemiMarie
Related: #634 (closed)
This is a proposal for program sandboxing. It is related to #634 (closed).
Linux gives all programs, by default, the full privileges of the invoking user. This is not something that Redox should replicate. A much better approach is the model used by app stores: programs are sandboxed, and cannot access files that don't belong to them without explicit user permission.
I propose to use capability-based security to achieve this. [Capsicum] is a good place to start, except that I propose to use capabilities for the entire OS.
Specifically:
- Each program has a single application directory, per-user. This contains:
  - A temporary directory. The program has read/write access to this directory, but it is emptied at system boot.
  - A directory containing all (and only) the files that the program was installed with. For programs installed system-wide, this is a symbolic link to a system-wide directory. The program has read-only access to this directory, and can execute files that are marked as executable.
  - A directory that contains data files that the program is working on. The program has read/write access to this directory, and it persists across system boots.
- Programs can get access to other files by creating a dialog that allows the user to provide a capability to a user-selected file. Each user has a session manager, which handles this process (by passing a capability).
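The following Rust sketch is an added illustration of the layout above; it is not code from the Redox project or from this proposal. It models a capability as a rooted directory plus a set of rights, builds the three per-program directories, and shows the session manager attenuating its own broad capability down to a single user-picked file. The `/home/<user>/apps/<app>` layout, the names `Capability`, `AppSandbox` and `SessionManager`, and the `user_picks` field standing in for the file dialog are all assumptions of the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Rights a capability can carry. (Illustrative; not Redox's scheme.)
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Right {
    Read,
    Write,
    Exec,
}

/// A handle to one directory (or file) plus the rights held on it.
/// A program can only name things relative to a capability it holds.
#[derive(Clone, Debug)]
pub struct Capability {
    pub root: PathBuf,
    pub rights: Vec<Right>,
}

impl Capability {
    pub fn new(root: &str, rights: &[Right]) -> Self {
        Capability { root: PathBuf::from(root), rights: rights.to_vec() }
    }

    /// Resolve `rel` strictly below `root`: absolute paths, `..` and prefix
    /// components are rejected, so no relative path reaches outside the root.
    pub fn resolve(&self, rel: &str) -> Result<PathBuf, String> {
        let mut out = self.root.clone();
        for c in Path::new(rel).components() {
            match c {
                Component::Normal(seg) => out.push(seg),
                Component::CurDir => {}
                _ => return Err(format!("{:?} escapes capability root {:?}", rel, self.root)),
            }
        }
        Ok(out)
    }

    /// Check the requested right, then resolve. The only way to obtain a path.
    pub fn access(&self, rel: &str, right: Right) -> Result<PathBuf, String> {
        if !self.rights.contains(&right) {
            return Err(format!("{:?} not granted on {:?}", right, self.root));
        }
        self.resolve(rel)
    }

    /// Attenuate: derive a capability to a sub-path with a subset of the rights.
    /// Rights can only shrink, never grow.
    pub fn attenuate(&self, sub: &str, rights: &[Right]) -> Result<Capability, String> {
        if let Some(r) = rights.iter().find(|r| !self.rights.contains(*r)) {
            return Err(format!("cannot grant {:?}: parent lacks it", r));
        }
        Ok(Capability { root: self.resolve(sub)?, rights: rights.to_vec() })
    }
}

/// The per-user application directory from the proposal: three capabilities
/// and nothing else. The `/home/<user>/apps/<app>` layout is assumed here.
pub struct AppSandbox {
    pub tmp: Capability,     // read/write, emptied at boot
    pub install: Capability, // read + exec, the files the program shipped with
    pub data: Capability,    // read/write, persists across boots
}

impl AppSandbox {
    pub fn new(user: &str, app: &str) -> Self {
        let base = format!("/home/{}/apps/{}", user, app);
        AppSandbox {
            tmp: Capability::new(&format!("{}/tmp", base), &[Right::Read, Right::Write]),
            install: Capability::new(&format!("{}/install", base), &[Right::Read, Right::Exec]),
            data: Capability::new(&format!("{}/data", base), &[Right::Read, Right::Write]),
        }
    }
}

/// Stand-in for the user's session manager. It holds a broad capability (the
/// user's home) and hands a program a capability to a single file only after
/// the user picks one. `user_picks` simulates the dialog result; `None` means
/// the user cancelled, so the program receives nothing.
pub struct SessionManager {
    pub home: Capability,
    pub user_picks: Option<String>,
}

impl SessionManager {
    pub fn request_file(&self, rights: &[Right]) -> Option<Capability> {
        let picked = self.user_picks.as_deref()?;
        self.home.attenuate(picked, rights).ok()
    }
}

fn main() {
    let sb = AppSandbox::new("alice", "editor");
    println!("{:?}", sb.data.access("notes.txt", Right::Write));
    println!("{:?}", sb.data.access("../install/bin/editor", Right::Read));
    let sm = SessionManager {
        home: Capability::new("/home/alice", &[Right::Read, Right::Write]),
        user_picks: Some("Documents/report.txt".to_string()),
    };
    println!("{:?}", sm.request_file(&[Right::Read]));
}
```

Two properties of the design fall out directly: a program holding only its three directory capabilities cannot name `/etc/passwd` or `../install` at all, because path resolution is relative to the capability rather than to an ambient root; and the session manager cannot hand out more than it holds, so a program asking for execute rights on a picked file gets nothing if the manager's own capability lacks them.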