Mobile security, proof-of-concept.
Tom Zander
tom at flowee.org
Tue May 25 13:59:31 BST 2021
On Friday 21 May 2021 12:36:49 CEST David Edmundson wrote:
> I think it is important, and it's good to have some interest in
> this topic.
> Containers might not be simple, but you're only describing the
> need for namespaces, which is quite far from the same thing.
> Namespaces are very simple at a userspace level. If you're
> already launching everything through a spawning process,
> calling setns isn't much harder than seteuid, but with more
> flexibility.
You were right, this is indeed pretty neat.
It took me a bit of effort to find a good example to show how this
works, but I did (unshare.c), and I reworked the runner to isolate
a process in the PID, mount and IPC namespaces.
I'm looking at Angelfish on my PinePhone, and it is running just
fine in this jail.
> My initial reaction is that you're absolutely right that given
> we control the stack on plasma-mobile and expectations are
> different we should have a dedicated app launcher that boxes
> things a bit more than it does now.
My thinking goes that apps should be isolated so they can't kill
other apps, or even see other apps, same with IPC and they should
not be able to read your homedir etc.
And this is all quite easy, a generic config would work for most.
But what this quickly gives rise to is the need for a data-store
where for each app some more restrictions can be set.
When we want to disallow an application accessing the Internet,
or disallow it accessing a shared dir and all those settings that
all the other platforms have for security and privacy, at that
point we need a nice GUI and a special runner that safely runs
this data.
Most of these steps are pretty trivial, it's just calling libc
methods.
I understand the idea of "just wrap bubblewrap", but that feels
like we are giving much more credit to the app than it deserves.
The amount of LOC I need to duplicate the basics is just a
handful.
I'm happy to play with this a bit more. I'm very happy to have
put in the time to make this namespaces based, which has the same
security without any of the problems.
TL;DR:
the example repo has been updated to use namespaces instead of a
different user. Integration is much simpler (no problems, really)
and I think it's a great way forward towards a secure Plasma
Mobile.
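As an added illustration of the runner described in this message (this is not the unshare.c from the example repo, and the policy format "pid,mount,ipc" and the function names are assumptions), a minimal launcher that maps a per-app namespace list onto unshare(2) flags and runs a command in fresh PID, mount and IPC namespaces:

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef CLONE_NEWPID
#include <linux/sched.h>  /* fallback if sched.h was pulled in before _GNU_SOURCE */
#endif
int unshare(int flags);
/* Map a per-app policy's namespace list ("pid,mount,ipc", an assumed format) onto
 * unshare(2) flags. Unknown names fail with -1: a typo must never yield a weaker jail. */
int parse_namespaces(const char *spec, int *flags_out)
{
    static const struct { const char *name; int flag; } known[] = {
        { "pid", CLONE_NEWPID }, { "mount", CLONE_NEWNS }, { "ipc", CLONE_NEWIPC } };
    int flags = 0;
    while (*spec) {
        size_t len = strcspn(spec, ","), i;
        for (i = 0; i < 3 && (strlen(known[i].name) != len || strncmp(spec, known[i].name, len)); i++) {}
        if (i == 3) return -1;
        flags |= known[i].flag;
        spec += len + (spec[len] == ',');
    }
    *flags_out = flags;
    return 0;
}

/* Fork, move the child into fresh namespaces, exec argv and return its exit status. Like a
 * shell, 127 means the jail or the exec failed (reason on stderr, e.g. EPERM without
 * CAP_SYS_ADMIN); -1 means fork or wait failed in the parent. */
int run_isolated(int flags, char *const argv[])
{
    int status; pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (unshare(flags) < 0) { perror("unshare"); _exit(127); }
        /* Private propagation so mounts done inside the jail never reach the host. */
        if ((flags & CLONE_NEWNS) && mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) { perror("mount"); _exit(127); }
        if (flags & CLONE_NEWPID) {  /* a new PID namespace only takes effect for the next child */
            pid_t app = fork();
            if (app < 0) { perror("fork"); _exit(127); }
            if (app > 0) { waitpid(app, &status, 0); _exit(WIFEXITED(status) ? WEXITSTATUS(status) : 127); }
        }
        execvp(argv[0], argv); perror("execvp"); _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : 127;
}
```

Creating these namespaces needs CAP_SYS_ADMIN (or a user namespace first), so an unprivileged run reports EPERM and exits 127 rather than silently launching the app outside the jail.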