It's really nice to see that happening, but every time I raised the subject with the Gnome team to see how we could run VLC in it, it's a no-go.
Indeed, for a complete media player, I need:
- access to files not directly opened by the user (playlists, MKV, DCP, MXF),
- access (and unique probably) to raw devices read-only (DVD, AudioCD, Blu-Rays, webcams-v4l2, SDI, DVB),
- direct access to raw audio output,
- access to X11 for YUV output, or at least a direct OpenGL context,
- access to network.
For access to files and network, there seemed to be a solution with a manifest to get $home access; for audio, a solution might come with kdbus and pulseaudio; but for the others, they refuse blankly, saying that my "use case is irrelevant and dangerous".
I hope this will evolve (maybe it already has), but so far, it's a bit hard to make a complete media player, tbh.
It all depends on what your goal is. Allowing to run VLC as a bundle with more or less full access is certainly possible. However, that is not really "sandboxed" in any fashion.
For instance, once any client has any kind of X11 access they can snope any kind of keyboard events, including your password at the unlock screen.
If we want to support the full functionallity for a media player in a sandboxed way we need to start looking into each requirement and designing a safe way to access each item. This is gonna be a lot of work, but I don't see any way around that.
For your exact list:
Files access can either be granted to the app fully or partially. But we also want some kind of file selector service that runs in the session (outside the sandbox) that grants some kind of access to files the user chose.
Raw device access will not happen by just having the app open the raw device nodes. Instead we'll have some kind of service in the session that (via user interaction or "remembered" grants from the user) virtualizes access to these things. This could be all from e.g. passing a file descriptor of the opened dvd device to a complete replacement of the subsystem. For an example of the later, for webcams see the pulse-video project: https://github.com/wmanley/pulsevideo
Is raw audio output necessary? Why does not pulseaudio work?
OpenGL access is supported
Network access is (optionally, but i think this will be on for most apps) allowed
Instead of sandboxing the entire app, you should use privilege separation inside VLC. Low-risk code would run in processes with higher privileges, while the high-risk code (e.g. the decoders) would run in highly sandboxed processes and communicate with the privileged processes over a simple interface. This is the approach used by security-conscious server apps (e.g. openssh, postfix, dovecot) as well as Google Chrome, and I think it has more promise than trying to sandbox entire apps. Many apps have complex access requirements (much more than the game used as an example in this blog post) and trying to sandbox them will require granting so much privilege that the sandbox becomes almost meaningless.
I'm currently working on converting a PDF viewer to use privilege separation. I'd love to see a media player use privilege separation too. Does VLC currently have pretty clear separation between its various components? Do you think it be much work to spin security-conscious parts like the decoders into separate processes?
If you want raw access to devices, X11, etc, then it is not so simple. The media players I use talk to Pulseaudio, not directly to audio. Various of your needs go pretty much against sandboxing. It's much easier to focus first on applications instead of these needs. For instance, fully sandboxing and X11 won't work anyway.
It seems pretty impossible to create something which: 1) does sandboxing 2) has no limitations on what an application can do
Edit: What I meant is: Is it possible to lower your requirements or change how VLC works/can do when it is sandboxed?
Note that you are requiring all of this in the same/single app. Instead it could be broken down into multiple compartmentalized apps, each doing one thing with simple permissions, and all cooperating. For example one app could do the raw device access, but have no other access including networking. Another does networking but no local access. Another is the renderer to video and audio. Another does UI etc.
for such security, you should use something like Qubes OS (https://qubes-os.org/) which uses Xen to sandbox apps into different domains (VMs), and keeps the networking stack in a seperate VM, disk storage in a seperate VM, DE in a seperate VM, etc.
With Wayland and dbus and all the techs going into a modern Linux desktop, it is probably very doable to prompt users when a program tries to open a file with a simple "Application X wants to open file Y in location Z, let it? Yes / No / Allow for all contents of Z / Allow All Locations".
That would be a misnomer, because "important" file locations like ~/.config, ~/.share, etc would always prompt user acknowledgement when a program tries to open something in those and it is not the originator program (ie, VLC can open something like ~/.config/vlc or ~/.share/vlc, but if it tried to open ~/.config/mplayer or ~/.share/mplayer you would get a prompt notification of it.
> access (and unique probably) to raw devices read-only
I don't think this is hard at all, device permissions are something that mostly already works. Just say "App X wants to access device Y, allow? Yes / No / Always".
With good package management and distributors, you could have most of these "prompts" configured with sane defaults so you don't get spam when VLC opens files - the distro can just trust VLC in ~/Music and ~/Video all the time, and any user made directories, so just give it access everywhere except the config and share dirs, so on and so forth. When you install something it would make sense to tell users what it uses in the same way Android does upon installation, and if it tries to access something post-install you get a dialog about it (ie, VLC could say at install it uses the network, or it could ask at runtime if it tries to access the network).
Why would VLC need raw audio out? Route through pulseaudio, nobody should be opening raw audio devices anymore unless you are Ardour.
I think the real problem is nobody gives a shit about desktop security. I mean I run Archlinux where there isn't a single working MAC solution that does not require days of prep work. But having delved a lot into Mac and such, I have no faith in Apparmor or SELinux when PAX and Grsec is doing a much better job and nobody is using it. And they all have holes somewhere, either they don't have fine grained device permissions, or lack tunables, or don't harden the kernel enough to avoid simple exploits. Its a mess nobody is really trying to solve upstream of security implementations and distros are doing a half assed job about it across the board.
what's wrong with having a service layer that isn't sandboxed, and an application layer that is?
What's stopping you from running your filesystem and network requests through a local service... you can sandbox all the rendering and other access, and tighten controls on your service interface.
Why would you want to sandbox an open source program like VLC? This sort of thing is mostly useful to allow the running of proprietary binaries that could be hostile in some way. You are not going to care that much if you can trust a program not to attack other programs.
The future is here! Maybe the lack of a heavily regulated, but ultimately non-curated aggregation of low quality application that safely do nothing has been holding back Linux on the desktop all these years.
P.S.: systemd now allows logging in via your Facebook account on every machine, per default since Ubuntu Timid Tamandu!
In the light of the NSA hacking revelations, we should recognize that the systems we're using are fundamentally insecure. With Linux, we should be able to improve security while maintaining user control. I think this is a step in the right direction.
I am not sure why Linux people tend to think this is bad. It is how you ship robust software that doesn't break. Linux "solves" this issue by having all kinds of things break all the time and just accepting that breakage and saying "no really things usually work fine".
In my understanding you can just (read-only) bind-mount the necessary libraries into the sandbox, ship your own, or do a combination of the former two.
The title is a bit hyperbolic, true. There have been various ways to try to contain desktop apps over the years. But I wouldn't call them "apps" really, they may get the sandboxing aspects down, but they don't have the simple-to-install, well-integrated behaviour that you'd want for something like an "app" system. Most of them basically run the app in its own VNC or Xserver instance, with zero interaction with the rest of the session.
This is actually quite similar to using LXC containers to run GUI apps. Something like Wine would be a good candidate to run in a container, perhaps others too. And you can use both privileged and unprivileged containers for this.
It works very well but I can't release it yet because there's an underlying problem and the author of this article pointed it out very clearly:
> because X11 is impossible to secure
So imagine the scenario: You want to have a single server that hosts desktop environments for multiple users over the web. X11 is multi-user! No problem, right? Wrong.
Your little web server daemon is going to run as some user. Let's say that user is root to keep things simple. So now your root user needs to spin up an X11 server for each user (so their sessions are separate). But that won't work so well because the X11 servers will all be running as the same user (root). This means that each user can mess with each other's applications, log their keystrokes, etc.
So what do you do? Well, you can just create random, one-time user accounts in /etc/passwd and spin up X11 using those accounts but now your little daemon has to run as root. Also, you now have to keep track of and maintain not just all those temporary users but all the files owned by those users. You also need to keep track of which user had what account and when (for auditing purposes). You also have to worry about UID conflicts (especially with external systems) and some other less common scenarios (e.g. LDAP integration with sudo).
Another option would be to give each user their own container and run X11 inside of that. Except now the application can't get access to OpenGL acceleration and shared memory access (so your little deamon can capture the screen) becomes complicated. Then there's the fact that if you want to give the users access to more applications those applications will need to be installed inside each user's container. You can do some tricks with mounts in order to work around that problem somewhat but it's complicated. REALLY complicated!
For now I've decided to just assume the daemon will be running as a single user (doesn't matter which one) while I work on some other things (e.g. improving audio support) but very soon I'm going to have to come back to the multi-user security problem. It's not easy to solve.
The way X11 was engineered just assumes that each user has their own processes and if you do have multiple users all their applications will be running under different accounts.
I have mixed feelings on the idea of sandboxed apps.
On the one hand, I want to be able to run untrusted applications safely. And in a larger sense, I think that it might be a hopeless endeavor to try to get users to only run trustworthy applications on their machines.
On the other hand, I want to have full access to my system, and sometimes that means having full access to it through applications (jbk's VLC use case is a good example of that). And sandboxes are far from perfect (this may improve, but right now existing sandboxes still have lots of holes). Sandboxes may be just security theater at this point (although as I said, this might change).
>> we have to use Wayland instead of X11, because X11 is impossible to secure.
Yet X11 was designed in the prime example world of a mult-user OS, UNIX. Hmm.
>> We also need to use kdbus to allow desktop integration that is properly filtered at the kernel level.
Didn't I read an article on HN recently talking about a vulnerability in Windows and the subject of too close a relationship between the kernel and the end user graphics came up?
This isn't about isolating users from each other, but isolating different applications running as the same user from each other. X11 (and Unix itself) was not designed to do this.
This program wants to access your camera, mike, //home/personal, connect to irc://botnet.com, and install these dependencies: spyware1, 2, 3 Are you sure you want to install/run [insert innocent program]?
I think that would be an better option then sand-boxing everything.
Is it even possible for the OS to know if a program is using the webcam?
So a seriously limiting concept from mobile/web world is making it into Linux as well? Soon we won't be able to do anything with our computers, but we will be "perfectly safe". Everything I dislike about iOS is now becoming mainstream. Disclaimer - I wrote a book about cryptology including TPM, secure boot loaders, PKI, etc. another one about 3D graphics and am very aware of the issues and trade offs. But sandboxing is a charming but ultimately silly solution that ultimately removes any capability from the hands of users and slows everything down - it already negatively affects graphics performance of browsers (tainted canvas anyone? how long would WebGL shader hack to bypass this work until we are forced to accept 100 pixels/second performance with sandboxing?). There are even rumors that Skylake is going to be slower and more power hungry than Broadwell due to SGX (we will see soon I guess). Is it really worth it?
[+] [-] jbk|11 years ago|reply
Indeed, for a complete media player, I need:
- access to files not directly opened by the user (playlists, MKV, DCP, MXF),
- access (and unique probably) to raw devices read-only (DVD, AudioCD, Blu-Rays, webcams-v4l2, SDI, DVB),
- direct access to raw audio output,
- access to X11 for YUV output, or at least a direct OpenGL context,
- access to network.
For access to files and network, there seemed to be a solution with a manifest to get $home access; for audio, a solution might come with kdbus and pulseaudio; but for the others, they refuse blankly, saying that my "use case is irrelevant and dangerous".
I hope this will evolve (maybe it already has), but so far, it's a bit hard to make a complete media player, tbh.
[+] [-] alexlarsson|11 years ago|reply
For instance, once any client has any kind of X11 access they can snope any kind of keyboard events, including your password at the unlock screen.
If we want to support the full functionallity for a media player in a sandboxed way we need to start looking into each requirement and designing a safe way to access each item. This is gonna be a lot of work, but I don't see any way around that.
For your exact list:
Files access can either be granted to the app fully or partially. But we also want some kind of file selector service that runs in the session (outside the sandbox) that grants some kind of access to files the user chose.
Raw device access will not happen by just having the app open the raw device nodes. Instead we'll have some kind of service in the session that (via user interaction or "remembered" grants from the user) virtualizes access to these things. This could be all from e.g. passing a file descriptor of the opened dvd device to a complete replacement of the subsystem. For an example of the later, for webcams see the pulse-video project: https://github.com/wmanley/pulsevideo
Is raw audio output necessary? Why does not pulseaudio work?
OpenGL access is supported
Network access is (optionally, but i think this will be on for most apps) allowed
[+] [-] agwa|11 years ago|reply
I'm currently working on converting a PDF viewer to use privilege separation. I'd love to see a media player use privilege separation too. Does VLC currently have pretty clear separation between its various components? Do you think it be much work to spin security-conscious parts like the decoders into separate processes?
[+] [-] bkor|11 years ago|reply
It seems pretty impossible to create something which: 1) does sandboxing 2) has no limitations on what an application can do
Edit: What I meant is: Is it possible to lower your requirements or change how VLC works/can do when it is sandboxed?
[+] [-] rogerbinns|11 years ago|reply
[+] [-] em3rgent0rdr|11 years ago|reply
[+] [-] zanny|11 years ago|reply
That would be a misnomer, because "important" file locations like ~/.config, ~/.share, etc would always prompt user acknowledgement when a program tries to open something in those and it is not the originator program (ie, VLC can open something like ~/.config/vlc or ~/.share/vlc, but if it tried to open ~/.config/mplayer or ~/.share/mplayer you would get a prompt notification of it.
> access (and unique probably) to raw devices read-only
I don't think this is hard at all, device permissions are something that mostly already works. Just say "App X wants to access device Y, allow? Yes / No / Always".
With good package management and distributors, you could have most of these "prompts" configured with sane defaults so you don't get spam when VLC opens files - the distro can just trust VLC in ~/Music and ~/Video all the time, and any user made directories, so just give it access everywhere except the config and share dirs, so on and so forth. When you install something it would make sense to tell users what it uses in the same way Android does upon installation, and if it tries to access something post-install you get a dialog about it (ie, VLC could say at install it uses the network, or it could ask at runtime if it tries to access the network).
Why would VLC need raw audio out? Route through pulseaudio, nobody should be opening raw audio devices anymore unless you are Ardour.
I think the real problem is nobody gives a shit about desktop security. I mean I run Archlinux where there isn't a single working MAC solution that does not require days of prep work. But having delved a lot into Mac and such, I have no faith in Apparmor or SELinux when PAX and Grsec is doing a much better job and nobody is using it. And they all have holes somewhere, either they don't have fine grained device permissions, or lack tunables, or don't harden the kernel enough to avoid simple exploits. Its a mess nobody is really trying to solve upstream of security implementations and distros are doing a half assed job about it across the board.
[+] [-] thanksgiving|11 years ago|reply
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] digi_owl|11 years ago|reply
[+] [-] tracker1|11 years ago|reply
What's stopping you from running your filesystem and network requests through a local service... you can sandbox all the rendering and other access, and tighten controls on your service interface.
[+] [-] upofadown|11 years ago|reply
[+] [-] davidgerard|11 years ago|reply
Because it's not like anyone uses media players in the real world.
Seriously, WHAT?
[+] [-] _pmf_|11 years ago|reply
P.S.: systemd now allows logging in via your Facebook account on every machine, per default since Ubuntu Timid Tamandu!
[+] [-] mintplant|11 years ago|reply
[+] [-] compsciphd|11 years ago|reply
https://www.usenix.org/legacy/events/atc10/tech/full_papers/...
which was turned into
https://www.google.com/patents/US8589947
[+] [-] davexunit|11 years ago|reply
[+] [-] jblow|11 years ago|reply
[+] [-] gegenschall|11 years ago|reply
[+] [-] timthelion|11 years ago|reply
[+] [-] alexlarsson|11 years ago|reply
[+] [-] ndesaulniers|11 years ago|reply
* Is independent of the host distribution
* Has no access to any system or user files other than the ones from the runtime and application itself
* Has no access to any hardware devices (GL rendering supported)
* Has restricted network access
* Can’t see any other processes in the system
* Can only get input via standard APIs
* Can only show graphics via DOM/Canvas/WebGL/SVG/MathML
* Can only output audio via Audio Tags/Web Audio/MSE
* plus more sandboxing details
[+] [-] tobbyb|11 years ago|reply
I have a guide on running accelerated GUI apps in both privileged and unprivileged containers: http://www.flockport.com/run-gui-apps-in-lxc-containers and here's one more by Stephane Graber, lead developer of LXC using only unprivileged containers: https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-container...
[+] [-] riskable|11 years ago|reply
http://youtu.be/vca13X1TpIw
It works very well but I can't release it yet because there's an underlying problem and the author of this article pointed it out very clearly:
> because X11 is impossible to secure
So imagine the scenario: You want to have a single server that hosts desktop environments for multiple users over the web. X11 is multi-user! No problem, right? Wrong.
Your little web server daemon is going to run as some user. Let's say that user is root to keep things simple. So now your root user needs to spin up an X11 server for each user (so their sessions are separate). But that won't work so well because the X11 servers will all be running as the same user (root). This means that each user can mess with each other's applications, log their keystrokes, etc.
So what do you do? Well, you can just create random, one-time user accounts in /etc/passwd and spin up X11 using those accounts but now your little daemon has to run as root. Also, you now have to keep track of and maintain not just all those temporary users but all the files owned by those users. You also need to keep track of which user had what account and when (for auditing purposes). You also have to worry about UID conflicts (especially with external systems) and some other less common scenarios (e.g. LDAP integration with sudo).
Another option would be to give each user their own container and run X11 inside of that. Except now the application can't get access to OpenGL acceleration and shared memory access (so your little deamon can capture the screen) becomes complicated. Then there's the fact that if you want to give the users access to more applications those applications will need to be installed inside each user's container. You can do some tricks with mounts in order to work around that problem somewhat but it's complicated. REALLY complicated!
For now I've decided to just assume the daemon will be running as a single user (doesn't matter which one) while I work on some other things (e.g. improving audio support) but very soon I'm going to have to come back to the multi-user security problem. It's not easy to solve.
The way X11 was engineered just assumes that each user has their own processes and if you do have multiple users all their applications will be running under different accounts.
[+] [-] compsciphd|11 years ago|reply
related to what you are trying to do?
[+] [-] copsarebastards|11 years ago|reply
On the one hand, I want to be able to run untrusted applications safely. And in a larger sense, I think that it might be a hopeless endeavor to try to get users to only run trustworthy applications on their machines.
On the other hand, I want to have full access to my system, and sometimes that means having full access to it through applications (jbk's VLC use case is a good example of that). And sandboxes are far from perfect (this may improve, but right now existing sandboxes still have lots of holes). Sandboxes may be just security theater at this point (although as I said, this might change).
[+] [-] diltonm|11 years ago|reply
Yet X11 was designed in the prime example world of a mult-user OS, UNIX. Hmm.
>> We also need to use kdbus to allow desktop integration that is properly filtered at the kernel level.
Didn't I read an article on HN recently talking about a vulnerability in Windows and the subject of too close a relationship between the kernel and the end user graphics came up?
[+] [-] edohyiez|11 years ago|reply
Also, kdbus has nothing to do with graphics.
[+] [-] z3t4|11 years ago|reply
This program wants to access your camera, mike, //home/personal, connect to irc://botnet.com, and install these dependencies: spyware1, 2, 3 Are you sure you want to install/run [insert innocent program]?
I think that would be an better option then sand-boxing everything.
Is it even possible for the OS to know if a program is using the webcam?
[+] [-] bitL|11 years ago|reply
[+] [-] yarrel|11 years ago|reply
[+] [-] ExpiredLink|11 years ago|reply
[+] [-] hitlin37|11 years ago|reply
[+] [-] iso8859-1|11 years ago|reply
[+] [-] alexkudryashkin|11 years ago|reply
[deleted]
[+] [-] ageofwant|11 years ago|reply
[+] [-] grigio|11 years ago|reply
[+] [-] mempko|11 years ago|reply
security will stifle application innovation. Making cool things hard, and awesome things impossible.
[+] [-] edohyiez|11 years ago|reply
[+] [-] zokier|11 years ago|reply