|
Hi,
I've discussed with a few people recently on IRC about providing file previews in my sandbox-traversing File Choosers or in Allan's new Content Selection Dialogs, and also about running untrusted thumbnailers for use in Nautilus. I'm curious whether the
file preview back-end could reuse thumbnailers and if custom file preview functions could be entirely replaced with standalone thumbnailer executables.
In an OS with sandboxed apps, one would really want to also sandbox thumbnailers: they run with the desktop environment's privileges and could potentially steal every file they're given (or more). I've had a quick glimpse at the GNOME Thumbnailer and it
seems very easy to sandbox it. Instead of directly launching the untrusted thumbnailer, you'd give its path as a parameter to a generic Sandboxed Worker.
The worker could be a well-known D-Bus name or user systemd service that sets up a Docker/LXC container, makes a read-only bind of the input file's path and a write-only bind to the output file's path. It could have a switch just like systemd services
to remove networking, and possibly start with very a limited system interface (using seccomp2, with options to allow extra syscalls depending on the worker's task).
There probably are other places where such workers could be implemented and there could be a high-level API for them. It's also possible to implement sandboxed workers that process a function inside a piece of code rather than a different executable --
using tools like Capsicum and Wedge. I'm a bit less enthusiastic about these because if they get broken, it's harder to provide an alternative. A LXC container could be hardened more easily, in my opinion. In any case the API I have in mind should abstract
away the method of sandboxing and just expose a single entry point and a signal to notify the worker is done. The idea behind this is to allow changing the sandboxing back-end without needing to update clients - in case of a security breach in the currently
used back-end.
Thanks,
--
Steve Dodier-Lazaro PhD student in Information Security University College London Dept. of Computer Science Malet Place Engineering, 6.07 Gower Street, London WC1E 6BT OpenPGP : 1B6B1670 |