Mobile security, proof-of-concept.

[Aleix Pol]

On Thu, May 27, 2021 at 12:22 PM Tom <tom at flowee.org> wrote:
>
> On Wednesday, 26 May 2021 14:46:07 CEST David Edmundson wrote:
> > It's certainly where Linux is heading. I've been looking into
> > these quite heavily purely from the POV of resource
> > constraints and tracking rather than security. There's so many
> > other cool possibilities: I especially want network namespaces
> > to track network use per-app.
>
> Oh, indeed.
> That makes so much sense on a phone!
> Being able to only allow an app Wifi access if your mobile plan is
> limited makes a lot of sense too.
>
>
> re kwin;
>
> my thinking is that most of the session-wide stuff can be run
> without any namespace jail. The graphics system, kwin and maybe
> others.
> This means that kwin is in a parent namespace (they are a
> hierarchy, so at the root).
> This is how it currently is in my proof of concept and indeed
> kwin can kill the app but the app can't kill kwin. Or even see
> kwin in the process table.
>
> I'll continue in my gitlab project towards a system that allows
> app isolation and where permissions can be set.
> Access for apps to a common area, access to the SD card, those
> are good ones to start with.
>
> Thank you for the ideas!
>
> And if anyone wants to see what I've been playing with:
> https://gitlab.com/tomzander/securitymanager/-/tree/master

For what it's worth, while you might have mobile in mind, this is
something that should also apply to desktop as there isn't any real
difference, other than on mobile the use of PIM is much more intense
and varied.

Keeping the general use-case in mind can be useful not to dig
ourselves into putting a technology on mobile that doesn't apply to
the general use cases and developers don't target.

Aleix