Comment by guappa 20 hours ago
Firejail and apparmor have existed for years. If you don't use them maybe it's your fault?
Also the very same npm backdoors have already hit android apps. What can sandboxing do if you backdoor a dependency of your banking app?
It’s always felt strange that Linux desktops try to make sandboxing and permissions the responsibility of packaging standards. That strikes me as much more of a system level thing like audio or display output.
How so? I'm writing this from an Fedora Sericea, which is Silverblue but with Sway instead of GNOME. Atomic Fedoras solve only package hysteresis (your package manager being unable to reproduce the intended system state because of unaccounted for changes) by generating the root file system with OSTree. It has nothing to do with sandboxing the applications themselves.
Pretty sure Fedora, being based on Red Hat, has the strongest SELinux policy in place by default, and SELinux is pretty much the best sandboxing option available other than actual virtualization.
Server software is usually compartmentalized in uid:s but desktop software seldom is, if ever. Package managers and maintainers could do a lot here to make it easier. Some things long time Linux users like to do, like running Firefox as a separate user, is still a much more involved process than it should be.
A lot of it is probably standards and culture work, like where a user can expect to store files and have them readable by Firefox in this example. So perhaps this is something the GNOME/Freedesktop people could have been interested in and made a difference? Instead we have things like Flatpak, which is good but not the lowest hanging fruit here.
To be fair, if firefox had the intelligence to know that it was being asked to attach a file it didn't have access to, it could prompt for a password. I don't expect full TRAMP like smarts from Emacs, but I don't see why this wouldn't be doable?
Granted, I'm viewing this as far easier than the sandbox "fake file system" approach? Firefox would be able to see the file exists, most likely, but just not have read rights to it. Yes, you can have some things it can't list, but I would expect that to be low on probability to want to attach to an email?
For user-facing stuff, I agree it's hard because of the challenge of managing access to data (and I would argue no system does this well, Android has a different set of failure modes, and I've not used QubesOS but presumably it has it's own issues as well), but in the top-level comment, the concern was around using pip/npm, which to me is almost a solved problem if you care enough and are willing to put the effort (and money) in.
It's also not like Linux is any different with respect to installing random PyPI/npm packages on any other desktop/laptop OS (https://xkcd.com/1200/), so I'm not sure anything desktop Linux does here would change the fact that installing random software from the internet may be a bad idea sometimes ;)
Sandboxing should be built in and by default, not DIY and glued on, like with apparmor and firejail.
"Your car does not come with a seatbelt? Seatbelt parts are easy to order online and assembled on any car, it's your fault for not using one."
> Also the very same npm backdoors have already hit android apps. What can sandboxing do if you backdoor a dependency of your banking app?
The whole point of sandboxing is that one compromised app can not compromise the whole system and other apps. Compromised dependency on my banking app on Android or iOS only compromises that banking app and nothing else.