← Back to context

Comment by hollerith

4 months ago

Running each app as its own untrusted user is one of the measures taken by Android, but the designers of Android do not consider that enough, so they also sandbox the app with selinux, but no one has implemented sandboxing an app with selinux on any non-Android non-ChromeOS Linux distro.

In general, non-Android non-ChromeOS Linux is not good at this sort of thing: half a dozen sandboxing frameworks exist, but none of them are particularly secure.

Also, suppose you want to load an obscure kernel module that reads an obscure filesystem format. How do you sandbox the module?

4 comments

hollerith

Reply
codedokode  4 months ago

> In general, non-Android non-ChromeOS Linux is not good at this sort of thing: half a dozen sandboxing frameworks exist, but none of them are particularly secure.

There are no frameworks that use secure enclave for this purpose either. It's purpose is copyright protection and preventing user from removing features like advertisement and telemetry, not making your system safer.

> Also, suppose you want to load an obscure kernel module that reads an obscure filesystem format. How do you sandbox the module?

You should use microkernels.

  • hollerith  4 months ago

    In the actual world with the actual options available, rejecting the technology of the secure enclave has significant opportunity costs. In a theoretical reality in which one of the options available to you and I is a secure-enclave-independent microkernel OS on which you can run a mainstream browser, then you might be right that secure enclaves are unnecessary.

    • ndriscoll  4 months ago

      In the actual world, secure enclave is used for DRM, setting user permissions and running untrusted code as another user gets you 80% of the security you need if you don't trust something, and running it in a mostly empty container gets you another 19%. Unless you have a habit of running dubious code that you grant network access and keep up to date to ensure it knows the latest exploits, practically speaking you're fine.

      Of course the obvious solution is don't run malware. Android's need for security partly comes from the fact that the primary repository/store distributes tons of dubious code that it grants network access and keeps up to date. If you stick to e.g. F-droid and turn off automatic updates, you don't find yourself in this adversarial position.

      1 reply →