This is highly unpopular here, but I think we need something like the iOS/Android permission system on the desktop. Windows Metro apps do this, but they are highly maligned here.
I should be able to install a transcoding app like Handbrake without giving it all the keys to the kingdom and allowing it to do whatever it pleases.
I expect it’s the walled garden strategy that is unpopular with a techie crowd, not the idea that an OS should have more nuanced permissions than (to a first approximation) “any installer is either crippled or root”.
A lot of us have been concerned about the very coarse security model in mainstream OSes for decades, but there’s a huge amount of momentum behind the Windows, macOS and Linux ecosystems now. Any new platform with a fundamentally better security and application management system would have the usual chicken-and-egg problem in terms of users and software base, and without something else to drive it (such as inventing a whole new type of device with Android and iOS on smartphones) that’s a tough barrier to get over.
I think this is what Flatpak is trying to solve - each application is run in its own sandbox and requests its own privileges in a manifest file.
It is currently in a pretty early stage of development, but it's usable and looks pretty great. Maybe this time creating a new package manager will make the package manager wars on Linux quieter :)
The problem is that both AppArmor and SELinux[1] run applications unconfined by default.
Also, sandboxing GUI applications is more work than just slapping AppArmor or SELinux on top. First, users still expect to be able to open arbitrary files from their home directory (which would then be added on a case-by-case basis to the application's sandbox). Second, X11 does not provide UI isolation, so a sandboxed application can still read all keystrokes (and thus credentials). The Flatpak people realize this and are working towards the goal of eventually sandboxing GUI applications (on top of Wayland).
Apple actually nailed this pretty well. All applications in the App Store are sandboxed. If you open a file in such an application, the 'Open' dialog runs out of process and links the opened file into the application's sandbox.
Unfortunately, there has been quite an organized campaign by a subset of macOS app developers to discredit the App Store and especially sandboxing. Sure, it would be nice if macOS supported more fine-grained permissions and Apple has been slacking there. But for the end user, sandboxed App Store applications are much more secure than downloading unsandboxed applications from random developer sites, as this and previous incidents have shown.
I know essentially nothing of the windows system API, but it would have to be implemented at that level.
The Microsoft hate would suggest they are restricting the permission system to Metro to encourage development to move towards Metro. It could also be that the underlying metro API is much easier to build a permission system for than the old windows one.
From what I've read though, these kinds of permission systems tend to only be a barrier. Sandboxes seem to always have some exploits. It would certainly be an improvement though.
With regards to file-systems, a simple linux based file-ownership model would do essentially the same.
Windows already supports sandboxing old API applications, through something called AppContainer:
> Isolation is the primary goal of an AppContainer execution environment. By isolating an application from unneeded resources and other applications, opportunities for malicious manipulation are minimized. Granting access based upon least-privilege prevents applications and users from accessing resources beyond their rights.
I'm not sure why this is not really used. Maybe it requires some recoding from the original developer, maybe it's too inconvenient and creates frustration for users.
Even with file systems permissions, there are a lot of problems. For example, a transcoding app like Handbrake should be allowed access to users files, but ideally it would only be able to access VIDEO files. Any attempt at reading any other kind of file (source code, text files, password stores) should be forbidden. This requires a very expressive permissioning system.
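The two comments above (the out-of-process 'Open' dialog that links a chosen file into the sandbox, and the wish that a transcoder could only ever touch video files) describe the same architecture: a privileged broker opens the file and hands the sandboxed app a file descriptor, never a path. The following is an added example, not code from any commenter or from Flatpak, macOS or HandBrake. It runs both halves in one process over a Unix socketpair for brevity; in a real deployment the app side would sit in a mount/PID namespace with no access to the home directory at all. The container sniffing is a deliberately minimal stand-in for libmagic or a demuxer, and all sample files are constructed inside a temporary directory:

```python
"""Out-of-process file broker: the sandboxed app never opens a path itself."""
import os
import shutil
import socket
import stat
import tempfile
import threading
from pathlib import Path


class PolicyError(PermissionError):
    """Broker refused the request: outside the allowed tree or not a video."""


def sniff_video(fd):
    """Cheap container sniff on the first 12 bytes; returns a format name or None.
    Constructed for this example: a real broker would use libmagic or the demuxer."""
    head = os.pread(fd, 12, 0)
    if head.startswith(b"\x1a\x45\xdf\xa3"):          # EBML header: Matroska / WebM
        return "matroska"
    if head[4:8] == b"ftyp":                           # ISO BMFF: mp4, mov, m4v
        return "isobmff"
    if head[:4] == b"RIFF" and head[8:12] == b"AVI ":  # RIFF AVI
        return "avi"
    return None


def broker_open(requested, allowed_root):
    """Privileged side (the out-of-process 'Open' dialog).
    Opens the file itself and returns a read-only fd, so the app needs no
    filesystem access of its own. Raises PolicyError on refusal."""
    root = Path(allowed_root).resolve()
    real = Path(requested).resolve(strict=True)      # collapse symlinks and '..'
    if real != root and root not in real.parents:
        raise PolicyError(f"{requested}: outside {root}")
    fd = os.open(real, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PolicyError(f"{requested}: not a regular file")
        if sniff_video(fd) is None:                  # content decides, not the extension
            raise PolicyError(f"{requested}: not a recognised video container")
    except BaseException:
        os.close(fd)
        raise
    return fd


def broker_serve(sock, allowed_root):
    """Handle one request: receive a path, reply with an fd (SCM_RIGHTS) or an error."""
    requested = sock.recv(4096).decode()
    try:
        fd = broker_open(requested, allowed_root)
    except (PolicyError, OSError) as e:
        sock.sendall(b"ERR " + str(e).encode())
        return
    socket.send_fds(sock, [b"OK"], [fd])             # the fd crosses, the path does not
    os.close(fd)                                     # broker's own copy is no longer needed


def app_request(sock, path):
    """Sandboxed side: ask for a file and read it through the received fd.
    Returns the file contents, or None if the broker refused."""
    sock.sendall(path.encode())
    msg, fds, _flags, _addr = socket.recv_fds(sock, 4096, 1)
    if not msg.startswith(b"OK"):
        return None
    with os.fdopen(fds[0], "rb") as f:
        return f.read()


def demo():
    """Constructed home directory: one real video, one text file with a video
    extension, an SSH key, a symlink and a '..' traversal that both point at it."""
    home = Path(tempfile.mkdtemp())
    videos = home / "Videos"
    videos.mkdir()
    (videos / "clip.mkv").write_bytes(b"\x1a\x45\xdf\xa3" + b"\x00" * 60)
    (videos / "notes.mp4").write_bytes(b"plain text hiding behind a video extension")
    (home / ".ssh").mkdir()
    key = home / ".ssh" / "id_ed25519"
    key.write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\n")
    (videos / "escape.mkv").symlink_to(key)

    requests = {
        "clip.mkv": str(videos / "clip.mkv"),
        "notes.mp4": str(videos / "notes.mp4"),
        "id_ed25519": str(key),
        "escape.mkv": str(videos / "escape.mkv"),
        "traversal": str(videos / ".." / ".ssh" / "id_ed25519"),
    }
    app, broker = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    server = threading.Thread(
        target=lambda: [broker_serve(broker, videos) for _ in requests])
    server.start()
    results = {name: app_request(app, path) for name, path in requests.items()}
    server.join()
    app.close()
    broker.close()
    shutil.rmtree(home)
    return results


if __name__ == "__main__":
    for name, data in demo().items():
        print(f"{name:12} {'denied' if data is None else f'{len(data)} bytes read'}")
```

Only clip.mkv comes back; the misnamed text file, the key itself, the symlink and the traversal are all refused by the broker, and the app never learns where anything lives. This is the same shape as the Flatpak file chooser portal mentioned above (the dialog runs outside the sandbox and the chosen file is exposed through the document portal); the extra step here is that the broker also keys its decision on file content, which is the "only video files" policy from the last comment.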