Mobile security, proof-of-concept.

Tom Zander tom at flowee.org
Tue May 25 13:59:31 BST 2021


On Friday 21 May 2021 12:36:49 CEST David Edmundson wrote:
> I think it is important, and it's good to have some interest in
> this topic.

> Containers might not be simple, but you're only describing the
> need for namespaces, which is quite far from the same thing.
> Namespaces are very simple at a userspace level. If you're
> already launching everything through a spawning process,
> calling setns isn't much harder than seteuid, but with more
> flexibility.

You were right, this is indeed pretty neat.
Took me a bit of effort to find a good example to show how this 
works, but I did (unshare.c) and I reworked the runner to isolate 
a process in the PID, mount and IPC namespaces.

I'm looking at the Angelfish on my pinephone that is running just 
fine in this jail.

> My initial reaction is that you're absolutely right that given
> we control the stack on plasma-mobile and expectations are
> different we should have a dedicated app launcher that boxes
> things a bit more than it does now.

My thinking goes that apps should be isolated so they can't kill 
other apps, or even see other apps, same with IPC and they should 
not be able to read your homedir etc.

And this is all quite easy, a generic config would work for most.

But what this quickly gives rise to is the need for a data-store 
where for each app some more restrictions can be set.
When we want to disallow an application accessing the Internet, 
or disallow it accessing a shared dir and all those settings that 
all the other platforms have for security and privacy, at that 
point we need a nice GUI and a special runner that safely runs 
this data.

Most of these steps are pretty trivial, it's just calling libc 
methods.
I understand the idea of "just wrap bubblewrap", but that feels 
like we are giving much more credit to the app than it deserves. 
The amount of LOC I need to duplicate the basics is just a 
handful.

I'm happy to play with this a bit more. I'm very happy to have 
put in the time to make this namespaces based, which has the same 
security without any of the problems.

Tl;dr
the example repo has been updated to use namespaces instead of a 
different user. Integration is much simpler (no problems, really) 
and I think it's a great way forward towards a secure Plasma 
Mobile.

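Editor's added example, not Tom's unshare.c and not code from any Plasma Mobile repository: a minimal runner in C that does what the message describes, dropping the launched app into fresh PID, mount and IPC namespaces (and, optionally, an empty network namespace for the "no Internet" setting mentioned above). It uses an unprivileged user namespace first so no setuid helper is needed, remounts /proc so the app only sees its own namespace, and masks $HOME with an empty read-only tmpfs. The names run_isolated, isolation_selftest and SANDBOX_UNAVAILABLE are my own, and the code assumes Linux with unprivileged user namespaces enabled and /bin/sh available. The one design point worth copying is that it fails closed: if any namespace or mount step is refused, the app is never started.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/wait.h>

/* Returned by run_isolated() when the kernel or container policy refuses to
 * build the jail.  The app is NOT started in that case (fail closed). */
#define SANDBOX_UNAVAILABLE 256

static int write_str(const char *path, const char *s) {
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    ssize_t n = write(fd, s, strlen(s));
    close(fd);
    return n == (ssize_t)strlen(s) ? 0 : -1;
}

/* After unshare(CLONE_NEWUSER) we are "nobody" until a mapping exists.
 * Map our own uid/gid 1:1 so the files we are still allowed to see keep
 * their ownership.  "deny" to setgroups is required before gid_map. */
static int map_self(uid_t uid, gid_t gid) {
    char buf[64];
    if (write_str("/proc/self/setgroups", "deny") < 0) return -1;
    snprintf(buf, sizeof buf, "%u %u 1", (unsigned)uid, (unsigned)uid);
    if (write_str("/proc/self/uid_map", buf) < 0) return -1;
    snprintf(buf, sizeof buf, "%u %u 1", (unsigned)gid, (unsigned)gid);
    return write_str("/proc/self/gid_map", buf);
}

/* Runs as PID 1 of the new PID namespace.  err_fd is O_CLOEXEC, so a
 * successful execvp() closes it and the parent reads EOF; on failure we
 * write errno into it and the parent knows the jail was never complete. */
static void jail_exec(char *const argv[], const char *hide_home, int err_fd) {
    int e = 0;
    /* Keep our mount changes from propagating back to the host. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) e = errno;
    /* Fresh /proc: ps, kill and /proc/<pid> only see this namespace. */
    else if (mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL) < 0) e = errno;
    /* Mask the home directory with an empty read-only tmpfs. */
    else if (hide_home && mount("tmpfs", hide_home, "tmpfs",
                                MS_RDONLY | MS_NOSUID | MS_NODEV, "size=4k") < 0) e = errno;
    if (e == 0) { execvp(argv[0], argv); e = errno; }
    (void)!write(err_fd, &e, sizeof e);
    _exit(127);
}

/* Launch argv in its own user, PID, mount and IPC namespaces (plus an empty
 * network namespace when no_network != 0).  Returns the app's exit status,
 * SANDBOX_UNAVAILABLE if the jail could not be built, or -1 on fork/pipe errors. */
int run_isolated(char *const argv[], const char *hide_home, int no_network) {
    int pfd[2];
    if (pipe2(pfd, O_CLOEXEC) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        close(pfd[0]);
        uid_t uid = getuid(); gid_t gid = getgid();
        int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWIPC;
        if (no_network) flags |= CLONE_NEWNET;
        int e = 0;
        /* CLONE_NEWPID via unshare() only affects children: the fork() below
         * creates PID 1 of the new namespace, this process stays outside it. */
        if (unshare(flags) < 0 || map_self(uid, gid) < 0) e = errno;
        pid_t init = -1;
        if (e == 0 && (init = fork()) < 0) e = errno;
        if (e) { (void)!write(pfd[1], &e, sizeof e); _exit(127); }
        if (init == 0) jail_exec(argv, hide_home, pfd[1]);
        close(pfd[1]);
        int st;
        if (waitpid(init, &st, 0) < 0) _exit(127);
        _exit(WIFEXITED(st) ? WEXITSTATUS(st) : 128 + WTERMSIG(st));
    }
    close(pfd[1]);
    int e = 0, st;
    ssize_t n = read(pfd[0], &e, sizeof e);   /* EOF (n == 0): exec succeeded */
    close(pfd[0]);
    if (waitpid(pid, &st, 0) < 0) return -1;
    if (n > 0) { errno = e; return SANDBOX_UNAVAILABLE; }
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Self-check: inside the jail the shell must be PID 1 and, if $HOME is set,
 * must find it empty.  Returns 0 when both hold. */
int isolation_selftest(void) {
    char *argv[] = { "sh", "-c",
        "test \"$$\" -eq 1 && { [ -z \"$HOME\" ] || [ -z \"$(ls -A \"$HOME\")\" ]; }", NULL };
    return run_isolated(argv, getenv("HOME"), 1);
}

int main(int argc, char **argv) {
    if (argc < 2) { fprintf(stderr, "usage: %s cmd [args...]\n", argv[0]); return 2; }
    int r = run_isolated(argv + 1, getenv("HOME"), 0);
    if (r == SANDBOX_UNAVAILABLE) { perror("sandbox refused, app not started"); return 125; }
    return r < 0 ? 1 : r;
}
```

Two caveats a practitioner will hit. First, on a kernel or in a container where unprivileged user namespaces or mount() are blocked, run_isolated() returns SANDBOX_UNAVAILABLE and the app does not run at all; a runner that silently fell back to an unconfined launch would give the user a false sense of isolation. Second, a tmpfs over $HOME hides the directory only along that path; the same data reachable through another bind mount or symlink stays visible, which is why a full runner (bubblewrap, for instance) assembles a new root from an explicit allow-list of mounts rather than masking paths in the host's mount tree.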