[Apparmor-dev] Sandbox execution templates for security
Lincoln Yeoh
lyeoh at pop.jaring.my
Wed Sep 26 09:39:24 MDT 2007
Hi,
While Apparmor is a good start and is already useful, I think it is
still too low level for "Joe Sixpack" or "Aunt May" to use.
Scenarios that they could easily be taught to handle _reasonably_
safely would be something like the following:
Assume the user launches "some_game".
Scenario A:
user gets a dialog box with a thick red border:
some_game requests "Administrator" privileges to run. Allow?
Possible options:
Yes
No
[ ] Always allow
Button: Advanced>>
<font color="red">WARNING!!!</font> running something with
"Administrator" privileges could expose your computer and data to
security problems.
Scenario B:
user gets a non-scary dialog box:
some_game requests "Guest game" privileges to run. Allow?
Possible options:
Yes
No
[ ] Always allow
Button: Advanced>>
Scenario C:
user doesn't get a dialog box at all -
i) the program is signed by a trusted authority (either user-trusted
or O/S vendor), and if it is requesting a custom sandbox execution
template, that template is signed by a trusted party, and the certs,
program and template are not on a blacklist/revoked list (in which
case a warning/error should appear).
Or
ii) a previous "always allow" applies to the program and sandbox template.
I'm not saying that apparmor should do all this, but rather that it
might be possible to build something like this on top of Apparmor.
This of course isn't easy to implement. It would likely require
standardization and deciding on many things - application specific
directories, application specific temporary directories, different
directories where files can be shared, network access, audio
recording/playback access (most stuff shouldn't be able to secretly
record sound and send it out over the network ;) ), input device
access, what's allowed to run in fullscreen or windowed, so on and so forth.
And of course a manageable list of standard templates that will fit
90% of the popular apps (email program, browser, word processor,
music player, etc), and be understandable/recognizable to "Joe Sixpack".
Still, I suggest that something like this is the way to go. For one,
it should be easier to figure out whether a sandbox template is
unsafe than it is to figure out whether a program would misbehave or
not (which is similar to solving a halting problem ;) ).
Lastly, I'm no expert in UI design or programming. I'm not even sure
we should call this a "sandbox template" - as the term seems to be used by
wikis. It's a bit similar in philosophy to Design by Contract, but
"execution contract" might get the law enforcement people a bit too excited :p.
Regards,
Link.
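An added example that is not part of the post and not a profile AppArmor ships: what the "Guest game" template from Scenario B might look like once the decisions the post lists (application-specific directories, a shared directory, network, audio, input devices, display) are written down as an AppArmor profile. It assumes modern AppArmor syntax (deny rules, network rules, abstractions); the program path, directory names and template name are placeholders.

```apparmor
# Added example, not from the post: a "Guest game" sandbox template
# expressed as an AppArmor profile. Assumes modern AppArmor syntax.
# /usr/games/some_game, the directory names and the template name are
# placeholders chosen for illustration.
#include <tunables/global>

# template: guest_game  (an "Administrator" template would be the same
# program left unconfined; this profile is the thing a trusted party
# would review and sign, which is easier than reviewing the game)
/usr/games/some_game {
  #include <abstractions/base>
  #include <abstractions/X>      # may open windows or go fullscreen

  # the program and its read-only game data
  /usr/games/some_game          mr,
  /usr/share/games/some_game/** r,

  # application-specific directory for saves and settings
  owner @{HOME}/.local/share/some_game/   rw,
  owner @{HOME}/.local/share/some_game/** rwk,

  # application-specific temporary directory instead of a shared /tmp
  owner @{HOME}/.cache/some_game/   rw,
  owner @{HOME}/.cache/some_game/** rwk,

  # one shared directory where files may be exchanged with the user
  owner @{HOME}/Shared/   r,
  owner @{HOME}/Shared/** rw,

  # network: a guest game gets none at all
  deny network,

  # audio: playback devices allowed, capture devices explicitly denied,
  # so the game cannot secretly record sound
  /dev/snd/controlC[0-9]*          rw,
  /dev/snd/pcmC[0-9]*D[0-9]*p      rw,
  deny /dev/snd/pcmC[0-9]*D[0-9]*c rw,

  # input devices: joysticks only; keyboard and mouse arrive via X
  /dev/input/js[0-9]* r,

  # everything not listed above (the rest of the home directory, other
  # users' files, system configuration) is denied by default
}
```

AppArmor's deny rules take precedence over allow rules, which is why the profile whitelists the game's own directories rather than allowing them and then denying the rest of @{HOME}.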