Comment by hollerith
4 months ago
The false assumption in your argument IMHO is the assumption that none of the software on your device will ever betray you or contain an exploitable security hole. In actuality, it is useful from time to time to be able to run software you cannot completely trust such that the software cannot access all the data on the device (because the untrusted software cannot access your enclave).
That's why you run that software as its own untrusted user and perhaps run it with some kind of sandbox. It's not a reason for you the owner to not have root access at all.
Running each app as its own untrusted user is one of the measures taken by Android, but the designers of Android do not consider that enough, so they also sandbox the app with selinux, but no one has implemented sandboxing an app with selinux on any non-Android non-ChromeOS Linux distro.
In general, non-Android non-ChromeOS Linux is not good at this sort of thing: half a dozen sandboxing frameworks exist, but none of them are particularly secure.
Also, suppose you want to load an obscure kernel module that reads an obscure filesystem format. How do you sandbox the module?
> In general, non-Android non-ChromeOS Linux is not good at this sort of thing: half a dozen sandboxing frameworks exist, but none of them are particularly secure.
There are no frameworks that use secure enclave for this purpose either. It's purpose is copyright protection and preventing user from removing features like advertisement and telemetry, not making your system safer.
> Also, suppose you want to load an obscure kernel module that reads an obscure filesystem format. How do you sandbox the module?
You should use microkernels.
3 replies →