Confinement / Sandboxes



  • Hi,
    Can someone write a short abstract about confinement / sandboxes (don't know which term is the better) please ?
    I've seen some concepts like apparmor, snaps, lxc, docker, firejail ... but only used apparmor as it was included in my legacy BQ E5 UT edition (AFAIK), and without modifying the policies.
    If I involve in app testing, I'll surely need such a solution and know how to modify parameters.
    What is the futur for Linux distros and then, for UBports, specially for Legacy Devices ?

    Thanks in advance
    Pulsar33



  • @pulsar33 there's no legacy devices anymore. Now is Core Devices and Community Devices. See http://ubuntu-touch.io/devices

    For all your other questions, I don't want to sound rude but it'll be better if you use your favorite search engine and learn step by step.



  • Thank you for the answer. Just two precisions :

    • I say Legacy because I have a Legacy phone at this time. The lists on UBports site and FAQ were not consistent in the past few days as already said here and there. Maybe it's better explained now ?

    • Using my search engine before posting, I've found a lot of information about what I mentionned (apparmor, snaps, lxc, docker, firejail ...). They all seem to work and want to be THE solution. I was just asking for the feeling of developpers (whose I'm not at this time but who knows in the futur ?...). You certainly have information about what will grow and what will die, haven't you ?

    It was just a simple question expecting a simple answer.
    Best regards. Pulsar33



  • @pulsar33 you're right about the first point, there should be more coherence between https://ubports.com/ and http://ubuntu-touch.io/ but as you know this is a work done by volunteers only, so is always a work in progress.

    About your second point, no, that's not a simple question looking for a simple answer because you're mixing apples with oranges.

    I'm not a developer, I don't have inside secret information. I'm just a user like you. And no, I don't have "certainly information about what will grow and what will die".

    But using a search engine I can see that:

    • apparmor is "a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles"
    • Snaps are "containerised software packages that are simple to create and install. They auto-update and are safe to run. And because they bundle their dependencies, they work on all major Linux systems without modification".
    • LXC "is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a control host using a single Linux kernel".
    • Docker "is a computer program that performs operating-system-level virtualization also known as containerization".
    • Firejail "is a sandboxing utility that allows you to run un-trusted applications within Linux in an environment that has restricted privileges".

    Hope that helps.
    Best Regards.



  • @advocatux : From my point of view and as your list shows, I'm (maybe) just mixing apples with different colors. Only Snap seems apart but snapcraft.io says :
    Not only are snaps kept separate, their data is kept separate too. Snaps communicate with each other only in ways that you approve.

    All these concepts have in mind the Confinement (or Sandboxing) of applications in order to increase your usage safety. Linux is said to be safe because the system software is reviewed by many people and because you must grant manually the access to important files. But it seems that people found necessary to add more means to control the application behaviour and this is exactly my feeling.

    For example, I'm very strict about network access and sorry that many applications claim for this capability saying "I just want to count my users and check if there's updates". If this application as no other reason to connect to the network, either I don't use it or I find a way to use it without network connectivity.

    Firejail does that exactly and more ! It is the one that seems to me the easiest to use. It has the widest and finest capabilities management. I use it on a Linux Mint station and love it. However is it the good choice for the futur ? Will it be available on UBports or will apparmor be the only choice ?

    I heard that one reason for Canonical to give up UT was that the phones were unable to run snappy applications and they wanted to quit apparmor for snaps. I'm not sure of what I say. Maybe it's just a misunderstanding because english is not (as you can see) my mother langage.

    All this make me asking about the better choice for the futur, as said above.

    Good evening
    Pulsar33



  • My knowledge on this topic is also very limited but I try to share my impressions. Lets take docker for example, which I suspect to be very popular and widely used (also in non Linux projects). As already mentioned above, security is not the only reason for some of those technologies. Another big advantage is the well defined environment they provide. So you can use them for cross compiling, for scaling (web) services dynamically (just deploy the docker containing your agent to some additional machines on demand), for testing (having different versions of the environment your app runs in, as well as having clean starting points for your tests), for deploying software (to ensure your app is more or less independent from changes to the core system or other apps). Yes and I too think its really more like apples and oranges... ;) so docker is not a package managing system, which snap is in the first place, and the confinement is actually done by apparmor... If I understood this right. And where docker is doing some kind of userspace virtualization (different colors available ;)) lxc seems to do this for the kernel side...



  • Hello,

    @advocatux said in Confinement / Sandboxes: > I'm not a developer, ...

    @hummlbach said in Confinement / Sandboxes: > My knowledge on this topic is also very limited but ...

    Thank you for your replies, however is there some specialists or developpers here to have an idea of the futur, please ?
    Under MINT18.3, I'm using Firejail who does exactly what I think usefull and easy to manage. Is there a chance to have it under UBports ? (or what is the best alternative ?)

    Good evening
    Pulsar33


  • Community

    Ubuntu Touch's confinement model means that you already have what you want. If you install confined apps, you have the following guarantees:

    • Apps may only access their own data in ~/.cache and ~/.config unless they have specified it in their AppArmor config. For example, the camera app has permissions to "Picture files" and "Video files".
    • Apps may only access hardware if they specifically request access or have it specified in their AppArmor config.

    The only way to access files outside of the restricted permissions for documents, videos, and picture files is to go through ContentHub. That's the system where an app asks you to select a file from another app which has access. In essence, you need to give an app the files it wants.

    This system is completely different than almost anything found on any Linux distribution at this point (minus Android, which the system is partially modeled after). It is also very upsetting to many Linux desktop developers for this reason.



  • Hello,

    @unisuperbox said in Confinement / Sandboxes: > Ubuntu Touch's confinement model means that you already have what you want.

    @pulsar33 said in Confinement / Sandboxes: > only used apparmor as it was included in my legacy BQ E5 UT edition (AFAIK), and without modifying the policies.

    Thank you for your answer. So if I understand, we definitely have to deal with apparmor which has no GUI and no easy management mean. With my BQ E5 UT, I use Permy (Jamie Strandboge) to look at the permissions of the installed apps. Unfortunately, this application is not available on OpenStore. Moreover, this application was only a viewer and the permission syntax is not so easy to manage.

    Following your answer, I'll try to improve my understanding and mainly investigate about the permission granularity. I think that two main goals are to be reached when managing security for a newly installed application :

    • Fine whitelisting and blacklisting parts of the filesystem
    • Fine granting or denying network access on an application basis

    When I say "Fine" I speak of granularity. I don't know if fine is the right term in english. For example, if I want to install Sensor Status, I have to grant "Networking" for that app. Why ???. I don't want to do so. This is a huge example but there's some finest cases where maybe I'll want to grant local network access but no wide network access, and so on ...

    It would be nice for me to clone Permy which has no recent update but at this time, I'm starting the programming course and I'm not fully operational :o))

    Permy snapshot

    Other feelings and advices are welcome
    Best regards
    Pulsar33


Log in to reply
 

Looks like your connection to UBports Forum was lost, please wait while we try to reconnect.