https://bugzilla.novell.com/show_bug.cgi?id=308760

Summary: Sandbox templates
Product: openSUSE 10.3
Version: Beta 3
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: lyeoh@inter-touch.com
QAContact: qa@suse.de
Found By: Other

The current "state of the art" security for desktop environments requires users to solve the equivalent of the "halting problem", e.g. will browsing this website/opening this email turn my machine into a worm-infested zombie? How could anyone really figure it out? AppArmor is not bad, but in my opinion it's not really desktop ready.

What would be good would be something I call "sandbox templates". While there are thousands of apps, I believe there are far fewer categories of common/popular apps in terms of the permissions and privileges they require. So have a few preset sandbox templates (browser, email, guest game, etc.). Then if an attempt is made to execute an untrusted application, the app would specify a template, or a default safe, minimally privileged one is picked, and the user gets a prompt like:

"Random Game Someone Emailed" requests "Temporary/Guest Game Privileges" - Allow? Yes/No/Yes and always/More...

And "Guest Game Privileges" would provide temp storage (that's just for that app), sound access, windowed graphics (to always have a border, so you know whether it really exited or not; guess why ;) ), no network access, no access to "My Documents", no access to the microphone (eavesdropping). Then even if the "game" tried to do something strange, the O/S will prevent it. For example, if an "email game" requested "Full System Install Privileges" (with the associated big exclamation marks, big red warnings, requirement of the Admin password, etc.), I'm sure you can easily train your "Aunt May" to not ever click Yes to such stuff.

Also, if a browser tried to access the user's Documents, whether due to a bug or it not really being a browser, it should fail to do so. A browser should only be able to save downloads to its downloads directory (you could have a symlink to it from /home/user/sharedfiles/) and read/write to its own assigned directories. Trusted apps (either signed, or ones the user said "Yes Always" to) will run using the respective privileges without prompting.

What I'm asking for is hard (there are lots of details to get right), but it's still easier than guessing what a random binary or perl script would do ;). It'll definitely be a lot better than Vista UAC ;).
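A toy model of the proposal above, added here as an illustration and not code from the bug report or from openSUSE. It encodes a few preset templates (guest game, browser, full install) as permission bundles, walks the decision the report describes (signed or remembered apps run silently, unknown template names fall back to the least-privileged default, install-level privileges need the admin password), and shows the enforcement-side path check that makes the symlinked ~/sharedfiles directory work while keeping the browser out of ~/Documents. All names (Template, PolicyStore, decide, may_write, the template contents, the signer ID) are assumptions made for this example; one choice goes slightly beyond the report, in that admin-level templates are never granted without the password even to signed apps.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Template:
    """One preset privilege bundle (constructed for this example)."""
    name: str
    network: bool
    sound: bool
    microphone: bool
    windowed_only: bool            # always draw a border so the user can see whether it really exited
    write_roots: tuple             # dirs the app may write; relative paths are under $HOME
    requires_admin: bool = False   # big red warning plus admin password before it is granted


TEMPLATES = {
    "guest-game": Template("guest-game", network=False, sound=True, microphone=False,
                           windowed_only=True, write_roots=("sandbox/guest-game",)),
    "browser": Template("browser", network=True, sound=True, microphone=False,
                        windowed_only=False, write_roots=("Downloads", ".local/share/browser")),
    "full-install": Template("full-install", network=True, sound=True, microphone=True,
                             windowed_only=False, write_roots=("/",), requires_admin=True),
}
DEFAULT_TEMPLATE = "guest-game"   # least-privileged fallback when an app names no known template


@dataclass
class PolicyStore:
    """What the system already trusts: signer IDs and remembered "Yes and always" answers."""
    trusted_signers: set = field(default_factory=set)
    always: set = field(default_factory=set)   # (app_id, template name) pairs


def decide(app_id, requested, signer, store, ask, admin_auth):
    """Return (template name, outcome) for an attempt to run app_id.

    ask(app_id, template) stands in for the user prompt and returns "yes", "no" or "always";
    admin_auth() stands in for the admin-password dialog and returns True on success.
    """
    name = requested if requested in TEMPLATES else DEFAULT_TEMPLATE
    tpl = TEMPLATES[name]
    if tpl.requires_admin:
        # Assumption: install-level privileges are never granted silently, signed or not.
        if ask(app_id, tpl) == "no" or not admin_auth():
            return name, "denied"
        return name, "granted-with-admin"
    if signer in store.trusted_signers or (app_id, name) in store.always:
        return name, "granted-silently"
    answer = ask(app_id, tpl)
    if answer == "always":
        store.always.add((app_id, name))
    return name, ("granted" if answer in ("yes", "always") else "denied")


def may_write(tpl, path, home):
    """Enforcement side: resolve symlinks and '..' first, then compare with the template's roots."""
    real = os.path.realpath(path)
    for root in tpl.write_roots:
        root = os.path.realpath(root if os.path.isabs(root) else os.path.join(home, root))
        if real == root or real.startswith(root.rstrip(os.sep) + os.sep):
            return True
    return False


def say_no(_app_id, _tpl):
    return "no"


def demo():
    """Build a throwaway home with ~/sharedfiles -> ~/Downloads and exercise both checks."""
    home = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(home, "Downloads"))
        os.makedirs(os.path.join(home, "Documents"))
        os.symlink(os.path.join(home, "Downloads"), os.path.join(home, "sharedfiles"))
        browser = TEMPLATES["browser"]
        paths = {
            "download": may_write(browser, os.path.join(home, "Downloads", "file.iso"), home),
            "via_symlink": may_write(browser, os.path.join(home, "sharedfiles", "file.iso"), home),
            "documents": may_write(browser, os.path.join(home, "Documents", "secret.odt"), home),
            "dotdot": may_write(browser, os.path.join(home, "Downloads", "..", "Documents", "x"), home),
        }
    finally:
        shutil.rmtree(home)

    store = PolicyStore(trusted_signers={"distro-release-key"})   # constructed signer ID
    decisions = [
        # untrusted game, user clicks "Yes and always": granted and remembered
        decide("random-game.bin", "guest-game", None, store, lambda a, t: "always", lambda: False),
        # same game again: no prompt this time
        decide("random-game.bin", "guest-game", None, store, say_no, lambda: False),
        # "email game" asks for install privileges, admin password fails: denied
        decide("random-game.bin", "full-install", None, store, lambda a, t: "yes", lambda: False),
        # unknown template name falls back to the safe default, user says no
        decide("unknown-thing", "needs-everything", None, store, say_no, lambda: False),
        # signed browser: runs with browser privileges without prompting
        decide("browser", "browser", "distro-release-key", store, say_no, lambda: False),
    ]
    return {"paths": paths, "decisions": decisions}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The path check resolves the real path before comparing it with the template's roots, which is why the ~/sharedfiles symlink into Downloads is accepted while a "Downloads/../Documents" path is not; a real implementation would do this in the kernel (as AppArmor does), since a user-space check is racy against the file system.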