Public bug reported:

While Apparmor is a good start and is already useful, I think it is
still too low level for "Joe Sixpack" or "Aunt May" to use.

Scenarios that they could easily be taught to handle _reasonably_ safely
would be something like the following:

Assume the user launches "some_game".

Scenario A:
user gets a dialog box with a thick red border:
some_game requests "Administrator" privileges to run. Allow?

Possible options:
 Yes
 No

[ ] Always allow

Button: Advanced>>

<font color="red">WARNING!!!</font> running something with
"Administrator" privileges could expose your computer and data to
security problems.

Scenario B
user gets a non-scary dialog box
some_game requests "Guest game" privileges to run. Allow?

Possible options:
 Yes
 No

[ ] Always allow

Button: Advanced>>

Scenario C
user doesn't get a dialog box at all -
i) the program is signed by a trusted authority (either user trusted, or O/S 
vendor ), and if it is requesting a custom sandbox execution template, that 
template is signed by a trusted party, and the certs, program and template are 
not on a blacklist/revoked list (in which case a warning/error should appear).
Or
ii) a previous "always allow" applies to the program and sandbox template.

I'm not saying that apparmor should do all this, but rather that it
might be possible to build something like this on top of Apparmor.

This of course isn't easy to implement. It would likely require
standardization and deciding of many things - application specific
directories, application specific temporary directories, different
directories where files can be shared, network access, audio
recording/playback access (most stuff shouldn't be able to secretly
record sound and send it out over the network ;) ), input device access,
what's allowed to run in fullscreen or windowed, so on and so forth.

And of course a manageable list of standard templates that will fit 90%
of the popular apps (email program, browser, word processor, music
player, etc), and be understandable/recognizable to "Joe Sixpack".

Still, I suggest that something like this is the way to go. For one, it
should be easier to figure out whether a sandbox template is unsafe than
it is to figure out whether a program would misbehave or not (which is
similar to solving a halting problem ;) ).

Lastly, I'm no expert in UI design or programming. I'm not even sure we
should call this sandbox template - as it seems to be used by wikis.
It's a bit similar in philosophy to Design by Contract, but execution
contract might get the law enforcement people a bit too excited :p.

Also reported to: http://lists.opensuse.org/opensuse-bugs/2007-09/msg02994.html

** Affects: ubuntu
     Importance: Undecided
         Status: New
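To make the "sandbox template" idea concrete, here is an added example (not from the bug report or the AppArmor project) of what a "Guest game" template from Scenario B could look like as an AppArmor profile covering the points listed above: application-specific data and temporary directories, one shared directory, playback-only audio, joystick input and no network. The program path /usr/games/some_game and the directory names are assumed; the dialog, "always allow" memory and signature/revocation checks of Scenario C would live in the launcher that picks the template, not in the profile itself.

```apparmor
# Constructed "Guest game" sandbox template as an AppArmor profile.
# Not from the bug report or the AppArmor project; paths are assumed.
#include <tunables/global>

/usr/games/some_game {
  # Standard libraries, X11 and fonts that any desktop game needs.
  #include <abstractions/base>
  #include <abstractions/X>
  #include <abstractions/fonts>

  # The program itself and its read-only game data.
  /usr/games/some_game mr,
  /usr/share/games/some_game/** r,

  # Application-specific directory: save games and settings go here and
  # nowhere else in the home directory (no other @{HOME} rule grants access).
  owner @{HOME}/.local/share/some_game/ rw,
  owner @{HOME}/.local/share/some_game/** rwk,

  # Application-specific temporary directory under /tmp.
  owner /tmp/some_game-*/ rw,
  owner /tmp/some_game-*/** rw,

  # One shared directory where the game may exchange files with the user.
  owner @{HOME}/Public/some_game/** rw,

  # Audio: playback only. ALSA names playback nodes pcmC*D*p and capture
  # nodes pcmC*D*c, so the game can play sound but cannot record it.
  /dev/snd/controlC[0-9]* rw,
  /dev/snd/pcmC[0-9]*D[0-9]*p rw,
  deny /dev/snd/pcmC[0-9]*D[0-9]*c rw,

  # Input devices: joysticks and gamepads (keyboard and mouse arrive via X).
  /dev/input/js[0-9]* r,

  # No network access at all, so recorded or saved data cannot be sent out.
  deny network,

  # Logged denials for things a game has no business touching; deny rules
  # win over allow rules regardless of order, so these cannot be overridden.
  audit deny @{HOME}/.ssh/** rwkl,
  audit deny @{HOME}/.gnupg/** rwkl,

  # Fullscreen vs. windowed is display-server policy and is not expressible
  # in an AppArmor profile; a launcher would have to enforce that part.
}
```

Loading it with `apparmor_parser -r` and running the game under `aa-complain` first shows in the audit log which accesses the template is missing before switching it to enforce mode.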

-- 
sandbox security templates
https://bugs.launchpad.net/bugs/156693