Request For Candidates: Application Review Board

Scott Kitterman ubuntu at kitterman.com
Thu Aug 26 16:11:43 BST 2010


On Thursday, August 26, 2010 10:59:43 am Marc Deslauriers wrote:
> On Thu, 2010-08-26 at 15:53 +0200, Martin Pitt wrote:
> > Scott Kitterman [2010-08-26  8:58 -0400]:
> > > I think that not using maintainer scripts, installing to /opt, running
> > > as the user are good steps to support the traditional *nix security
> > > paradigm of protecting the systems/root, but for this to lead to a
> > > truly lightweight system, we will need to kick it up a level and also
> > > protect user level data from such applications unless they are
> > > authorized to have access to it.
> > 
> > This sounds a lot like the guest session to me. Perhaps we can recycle
> > its AppArmor confinement for this?
> 
> While I really like the idea of trying to sandbox applications, this may
> not be the best approach for an app store. This is all about trust. You
> can't gain trust by using technical means to restrict what an
> application can do.
> 
> App stores that are on the iPhone and Android devices don't let
> anonymous people upload applications. The store owner knows _who_ the
> application authors are by signing legal contracts with them, and
> obtaining their legal personal information and/or credit card numbers.
> Application users can flag applications as being malicious, the store
> owner can ban malicious publishers, and remotely uninstall malicious
> applications. _That_ is the trust that is put in the store owner by the
> user.
> 
> Of course, this doesn't totally prevent malicious applications, but it's
> a _lot_ safer and easier to control than trying to sandbox every app on
> a general-purpose operating system.

We aren't talking about every app, but a subset of apps in a new class of 
applications that we want to be able to treat differently.

> Installing an application with user privileges is a bad idea.
> Application software should not be vulnerable to tampering, either
> accidentally by the user himself, or by malware running in the user's
> security context. This will make the apps installed via the app store
> unreliable and susceptible to be trojaned. One of the reason that Linux
> is more reliable than other operating systems, is that a user can only
> muck up his own directory. Let's not mess this up by using security as a
> pretext.

Part of the goal of sandboxing this class of application is to make sure that 
the worst thing it can do is explode itself.  I would also like it if the 
sandbox could enforce access rights to data and services so that if the app 
store describes the data and services the application uses, the end user can 
have confidence that is all it is using.  

I suspect this would drive us to some kind of VM oriented solution (if only 
Canonical had recently hired someone with experience in that area it would 
have been nice) and not just apparmor profiling, but I think we need to define 
requirements before we go too far into implementation details.

Scott K
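
Added editorial example, not part of the thread or of any Ubuntu project code: the kind of per-application AppArmor profile that Martin's suggestion and Scott's requirement point at. The application name, its installation path under /opt and its data directory are assumptions chosen for illustration. The profile lets the app read its own installation and write only a single per-user data directory, so the description "the worst thing it can do is explode itself" is enforced by the kernel rather than by trust in the author.

```apparmor
# Hypothetical profile for an app-store application installed under
# /opt/example-app (assumed path) and started as the logged-in user.
# This is an added illustration, not a profile shipped by Ubuntu.
#include <tunables/global>

/opt/example-app/bin/example-app {
  #include <abstractions/base>
  #include <abstractions/fonts>
  #include <abstractions/X>

  # The installation is read-only from inside the sandbox, so a
  # compromised instance cannot rewrite its own binaries or assets.
  /opt/example-app/** r,
  /opt/example-app/bin/example-app mr,

  # The only location the app may create or modify files. "owner" limits
  # the rule to files owned by the uid the process runs as.
  owner @{HOME}/.local/share/example-app/ rw,
  owner @{HOME}/.local/share/example-app/** rwk,

  # Nothing else under $HOME is granted, so AppArmor's default-deny already
  # blocks it. Explicit audited denials document the intent and make
  # attempts visible in the log even if a later abstraction widens access.
  audit deny @{HOME}/.ssh/** mrwkl,
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.mozilla/** mrwkl,

  # The store listing for this example app claims no network use, so the
  # profile forbids it outright rather than leaving it to default-deny.
  deny network,
}
```

Two caveats for anyone adapting this. First, AppArmor deny rules take precedence over allow rules, so a blanket "deny @{HOME}/** rw," would also kill the app's own data directory; rely on default-deny for the bulk of $HOME and list only the sensitive paths you want audited. Second, confinement applies to the confined process only: the profile keeps the sandboxed app from modifying /opt/example-app, but it does nothing to stop an unconfined process running as the same user from editing those files if the installation itself is user-writable. Start in complain mode (aa-complain on the profile) and read /var/log/syslog or the audit log for the accesses the app actually needs before switching to enforce.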