Speech Transcript - Sandboxed applications for GNOME

0:00:09	i
0:00:11	i'm going to do talk about ten bucks application for gonna i did pretty much
0:00:16	the same talk already you know major safety of the pen and that one
0:00:21	that's the other talk which might be more interesting
0:00:24	and that's panel with this but anyway we have made little bit of the resistance
0:00:29	gonna major so that's and you stuff
0:00:33	sandbox applications for brno
0:00:37	so let me first introduce a we are
0:00:40	so i'm gonna paddling and i one of the guys to behind system the project
0:00:45	and actually have to more people that that's kind of us and that you cut
0:00:49	and if of course everybody here actually we're pretty much and we all work together
0:00:57	and system you project system the is a little bit like it used to be
0:01:01	just a minute system but grew a little bit and that's perspective what supposed to
0:01:05	be a nowadays this little bit like the basic building block to build an operating
0:01:10	system problem so brings a lot of components are probably not too interesting for deaf
0:01:14	a test on france but it does cover lot of ground that is relevant for
0:01:19	the desktop then
0:01:23	going back to the actual topic this is about the actual applications we think
0:01:29	linux needs a strong way how we can do access
0:01:33	and we believe that much of how that's implementing needs to live in the lower
0:01:37	levels of the stack because we believe that the concepts the basic building blocks but
0:01:42	use there should be kernel things rather than just something that is created user space
0:01:47	right so the isa nation for example for the extra sent boxing part is something
0:01:52	we believe is to be in the lowest level which kernel object and not just
0:01:56	something that is boulder to boulder top and not part of the actual
0:02:05	so only general goal of the system the project it that we want
0:02:11	you know or in the more general case linux do we the modern general-purpose alas
0:02:18	we believe that acts on absolutely crucial part of it i mean nobody use an
0:02:22	operating system for the purpose of using an operating system people use an operating system
0:02:27	because they have to do to achieve something that actually interesting for them so how
0:02:31	do you choose that because you run some apps the do what you want on
0:02:35	the rating system and hands operating system is just the thing that should be there
0:02:39	and work for the apps and the apps environment is actually the most important thing
0:02:44	we probably have enough
0:02:46	so if i talk about by the way i know is be very far to
0:02:50	give any is just with that is sure not that's the down if you have
0:02:53	any questions totally interrupt me right away i would tell you prefer this becomes more
0:02:58	of a discussion and just me talking stuff so you have any questions totally drop
0:03:02	me i love that
0:03:04	so we are talking about apps what actually a wraps so from our perspective from
0:03:09	the coming from the lower levels of the stack apps or sandbox use applications ship
0:03:15	in a single file crap no privileges for execution which table a P R S
0:03:19	and reliability reliable testability so
0:03:24	take this apart sandbox to use application so this is about use applications first of
0:03:29	all so it's not about i don't know running apache on my server because that
0:03:33	a service that will really only talking here in the centre that's of use application
0:03:37	meeting firefox mean game all these
0:03:41	sent boxed mean that there is isolation
0:03:45	of the have towards operating system so that
0:03:50	what we have does cannot be exploited and the attack as cannot get access to
0:03:56	the rest of the operating systems of
0:03:58	so that nothing from the operating system leaks into the apple in the other way
0:04:03	around to that nothing from the apply to the right
0:04:07	ship in a single file or at the something then we are really interested in
0:04:11	so that it becomes easy handling apps because right now on linux have so usually
0:04:17	ship in our P M or something like that and they distribute file all over
0:04:20	the place in the file system
0:04:21	this is not the i don't think that particular useful or friendly way to do
0:04:26	what we want is that people can considered have
0:04:30	and something like and could attach to it to tell you know right so that's
0:04:34	just one file and that's all you need and we'll just work
0:04:38	other operating systems that's have little bit something like that for example macros you have
0:04:43	these you have folders and that case that's or would you feels a little bit
0:04:48	like a file isn't but we actually wanna go for one
0:04:52	at
0:04:53	in one
0:04:55	no privileges articulation which is very important after all this is about user stuff right
0:05:00	so users stuff should not require privileges of all of the operating system to run
0:05:05	this is systematically different from anything like R P M that existed before because and
0:05:10	R P and to install an R P and you need system privileges and in
0:05:17	because R P M's also powerful you can like there's no way to distinguish and
0:05:22	an R P M
0:05:24	well them and package for the matter that interferes was the closest with the operating
0:05:31	system and are him that actually really just a matter
0:05:34	so it is absolutely crucial event no privileges for the installation for the activation
0:05:42	and then the next thing is stable at arts which i think is probably the
0:05:45	most complex thing of them all we in linux are keeping stable at arts i
0:05:51	mean there are different
0:05:53	api surround and some of better than others like for example currently you know it's
0:05:57	usually pretty good it's not perfect but it's pretty like you have a chance of
0:06:01	being able to run stuff that was written against the currently pi for from the
0:06:06	nineties and will still work on the current linux kernels not everything will the best
0:06:11	channel
0:06:13	gonna has not been as good with that like i don't know a can on
0:06:18	one applications don't work on three that a lot of reasons for the for that
0:06:21	and i think it's a good thing that is that way that we can make
0:06:24	a T I but it is a substantial problem for sub pop members if they
0:06:30	if they wanna one right that application they don't wanna constantly be caught in that
0:06:35	cycle that we have that is really fast and updating right
0:06:40	so we need some say it to do need to do something about that
0:06:43	and reliable testability means them
0:06:46	well let's darla most a stable areas for us it also means that
0:06:52	the differences between the best distribution or minimise
0:06:55	because currently the distributions all to in mass of ways for example
0:07:02	one of them my favourite examples this is there's on the door and row systems
0:07:07	insist directly called use a lib X like which is something where you're supposed to
0:07:13	put internal binaries
0:07:15	at least that's how most people understand it and this directory only exists like that
0:07:20	of the door and row and nowhere else
0:07:26	what is that
0:07:28	well a to make there's a lot of things but they with it know what
0:07:31	do use all the mug like that i mean all the make and stuff like
0:07:33	mark home and things like that like the com the and things like that i
0:07:37	wouldn't blame all make for that i do planned route for that right at that
0:07:48	i mean we don't follow the gonna world all anyway
0:07:51	i mean if we did than everything would and then use the local right
0:07:56	i don't know it is i think because this is recorded we probably should if
0:08:01	we have discussions to that with the with the
0:08:05	anyway i think it's a i personally blame more room for door and browse that
0:08:10	it's in the fedora packaging policy that should be you right also it i mean
0:08:14	it that's kind of cool about this thing out because then we are to blame
0:08:18	we as the door but other than everybody else
0:08:21	but anyway this is that's a speciality we got this house came into existence at
0:08:27	the speciality of the door and well and it makes things difficult because depending on
0:08:32	how which operating system you compiled stuff for sixty to be light out that way
0:08:37	and this gets worse and worse and worse i mean for example some them distributions
0:08:42	you system the others use up and it's kind of things many of this we
0:08:45	will never be able to do however we need to think more about unifying the
0:08:50	A B A V I you're operating system and we need to make sure that
0:08:54	we somehow even with we are incapable of all with guaranteeing our
0:09:00	main supportive at i am to be stable we need to stop somehow make it
0:09:04	possible to relatively easily run all that with the labia
0:09:10	reliable testability that means
0:09:13	what is absolutely i'm horrible for third party application mentors who want to write software
0:09:18	for linux is that's because there are so many distributions and because there are so
0:09:23	many different ways to run them because they you always have a different set of
0:09:27	our cans and so on it is incredibly difficult to actually systematically test a software
0:09:32	against that right because i mean linux kind of provide the same at eyes and
0:09:37	all the distribution regardless of you run then you know if you run ribbon to
0:09:41	if you run so door organ two whatnot they don't have the same at the
0:09:45	eyes however if you actually want to test against that and it's not sufficient that
0:09:48	they provide the same in the eyes you need to also know that the work
0:09:51	exactly the same and it is it like a test metric explodes by if you
0:09:57	multiply that by the and different distributions and the different versions of the distributions and
0:10:03	the different architectures and things like that which is like for project like firefox they
0:10:08	can still do that for a couple of distributions but as soon as us you
0:10:14	only all this little application developer and you wanna know that your stuff works
0:10:19	how you should you ever i mean it would basically require you to install any
0:10:23	fedora version you wanna test again with many every woodworking and then you testing
0:10:27	yourself so we need to do something that
0:10:31	to make testability easy a
0:10:33	like reducing variables and the whole equation
0:10:38	so
0:10:41	this of course
0:10:44	means we need to ask yourself what the purpose of R P M's and that's
0:10:48	and well we wanna cheap all that
0:10:53	rbms and that is already mentioned that something is installed only by road
0:10:57	eleven a common name space mentor at have
0:11:00	i can have access to all kinds of mentor at art because they're basically unrestricted
0:11:05	and they have this huge task metrics
0:11:07	so
0:11:09	we don't wanna get rid of our cans adapts or anything like that right we
0:11:12	saying they're really useful things but then not useful for actually packaging set up use
0:11:18	that because they have way too much power so what the way we see it
0:11:23	is rbm that's fine that's how you build you operating system but it's not what
0:11:28	you actually then run on top of that operating system that's a different for one
0:11:33	that does not have to deal with all the problems about that's that
0:11:37	so
0:11:40	so
0:11:42	our teams that's a primarily focused around distributions a single provide able to test out
0:11:47	of programs this is something about
0:11:49	but then strands they can R P M's because they have so many so many
0:11:53	i'm dependency specifications for example would you expect that the name space of the dependencies
0:11:59	expressed in the R P M's or something all of the unified name space right
0:12:03	like if somebody depends on a library by the name look for something then you
0:12:09	need to maybe make sure knock in that this lip foo mead exactly one library
0:12:14	not another one however lip food that is very generic name so everybody might a
0:12:18	have something different that even if they have the same like the end of the
0:12:21	name they might have it in the different avi
0:12:24	so are can that's a fine but the and apply that that's only one when
0:12:28	they're in and how to manage the and i a name space and provide every
0:12:33	single R P M with you as soon as you depart from that and you
0:12:37	have multiple but then as in the game not everything coming from for door and
0:12:41	then our peons at the and that's a really
0:12:44	strange things because the name space clashes
0:12:50	so that's on the other hand should be the opposite of that right
0:12:54	we want people to have many sources on the and we want to make sure
0:12:59	that you know there can be multiple providers of that people can compile there and
0:13:03	just provide them on their website things like that and we want to allow them
0:13:08	that this can be untrusted code because this is like the next thing if you
0:13:12	have a distribution the makes then
0:13:16	you do trust the distribution to a certain level and then expect from the distribution
0:13:20	that it will actually take the code from the various applications look at them figure
0:13:24	out that they're the codas okay didn't do anything evil will package it from you
0:13:29	so that you don't have to trust every single act developer and you can instead
0:13:34	of just trust the distribution of the whole as soon as we go to the
0:13:37	apps model where we wanna have lots of energy and this becomes much more of
0:13:41	a problem because suddenly if you get everything directly from them and that you have
0:13:44	to press every single one of them and that's a lot of cost now so
0:13:49	this is a problem but it's a problem then we can deal with technical solutions
0:13:54	by making sure as mentioned with the sandbox thing that even if you don't trust
0:13:59	that and then are so much that whatever you can do with the system isn't
0:14:04	too bad actually break
0:14:12	so apps
0:14:14	and the key feature that they have isolated from the surrounding those west and are
0:14:19	and you the private data for security reasons for a pi stability reasons testability reasons
0:14:25	building we
0:14:26	and that's an exception with extensions
0:14:29	so the isolation from surrounding los it's like the key thing here we want to
0:14:35	make sure that if you install again that game does not can access the address
0:14:39	book
0:14:40	and if you install i don't know
0:14:44	it what rather it should not get access to your friends list on the on
0:14:51	the with pitch and these things like that this it's like this is something that
0:14:54	we did not have a it never had on a non unix it's isolation all
0:14:59	the ads between them that you run on the same user id on unix classically
0:15:03	access control is
0:15:05	exclusively a user right as soon as you have some code that runs it as
0:15:09	you use the get access to everything you have and that it's just i mean
0:15:13	is a little bit of a
0:15:15	so it's about that the reason for that is a security reasons but also as
0:15:21	mentioned we wanna isolating from the from them
0:15:24	so running O S what api stability reasons right because i'm currently if you have
0:15:29	packages software you see the and I P R A S R P M's if
0:15:33	you if you see the entirety are operating system and that is a bad thing
0:15:36	right you need to make sure that that's the at actually only see that was
0:15:41	a P R is the jeans table
0:15:44	and the and then supportable but do not see anything else and do not end
0:15:50	up pulling in blinds dependencies that you cannot see like for example this the problem
0:15:56	think about G stream alright this tree might has a stable api if you application
0:16:01	pulled that in that's totally fine but you create a lot of problems but because
0:16:06	i just you meant based around a plug ins
0:16:09	so these individual plug-ins are content like eyes of G stream of so you would
0:16:13	think that wouldn't mind and that wouldn't be a problem however ultimately these plug ins
0:16:18	will pull in other libraries and those i and we have position that they do
0:16:22	not have any stable that yet very frequently like for example i usually
0:16:27	so anyway this means we need to somehow isolate the operating system so that the
0:16:32	not some dirty code running on the operating system can you can to the at
0:16:36	and not some stuff you don't want from the at and you get to the
0:16:40	house
0:16:41	the colours thank X exceptions for that
0:16:44	which are extensions like stuff that really extends existing software for example can i'm shelley
0:16:50	have javascript extend for that is very different thing because it will actually it must
0:16:56	a be able to run in the same sandbox and same context as gonna shell
0:17:00	itself so which means securities is very important but there are some exceptions where we
0:17:07	actually kind of
0:17:08	take benefit all that secure
0:17:11	so i already mentioned that we want on level oscillation we want this isolation that
0:17:15	we need for reasons of api stability testability and am security we want that on
0:17:21	the kernel that
0:17:23	why do we want to work on level first and foremost for the security reasons
0:17:27	because
0:17:28	decreases a complex thing where there's so many different things like ice a linux and
0:17:32	capabilities and blah it stuff that people shouldn't think about it stuff that
0:17:40	i guess leaks into quite a few so subsystems i don't know it's a lot
0:17:44	this process man was use them and all these kind of things if we ever
0:17:48	do isolation excuse them in user space and have user base components to this then
0:17:52	there's no way how this can be integrated with all that stuff that we really
0:17:56	don't wanna care about but need to have
0:17:58	so for us it's really important that everything that is enforced is kernel estimation
0:18:04	and this is all the something we one was no apps solution we want something
0:18:07	that is three is community based so we want something but is not bound to
0:18:12	one single at store but it's something that people can set up their own after
0:18:16	this that want to and is men diagnostic so that not only i don't know
0:18:21	it it's not supposed to be something that where at had set up a naps
0:18:24	don't nobody else can take benefit of that it's supposed to be something where everybody
0:18:28	can send a napster and people can even
0:18:30	i have not around so it's supposed to be something that truly free and the
0:18:36	way how linux itself
0:18:38	so
0:18:39	this is so for a little bit about this other do one and recharge about
0:18:43	security about them free nice about a couple of other things the next part of
0:18:49	the slide focuses mostly on how we think we can get that we have been
0:18:55	working on a couple of things already we group everything that we wanna do than
0:19:00	nine steps it's a lot of work is likely to happen tomorrow or something like
0:19:04	that but we have a lot of things already encode another couple of things we
0:19:10	have like sort about and have plans about but until we have the full thing
0:19:15	the egg
0:19:16	how
0:19:19	but
0:19:22	we think is actually necessary to make linux i'm strive as an echo system because
0:19:27	quite frankly it's and
0:19:28	possibly hard to write good at the linux simply because you can distribute them
0:19:34	so any questions to this point you got to thirty drop me if you have
0:19:38	questions
0:19:40	that's question
0:19:42	the microphone
0:19:44	mike
0:19:51	i don't know it's like it's casey and maybe it is
0:19:57	if i have like one machine shower by Q people
0:20:00	so like it would be very nice or write it installs it's a two people
0:20:05	in the same itching would i just all insane a like a right so i
0:20:09	mean it is our mission and like a part of our mission statement is that
0:20:12	use like a should be able to install these apps without requiring privileges but that
0:20:16	does not mean that that's the only way how outside still so far example administrator
0:20:21	could just drop something into the system and every user
0:20:24	so it's just about that we want to allow users to do this with our
0:20:28	break fine
0:20:30	from that minutes
0:20:31	but administrative
0:20:44	if you any application use just the single file what about shared libraries
0:20:53	that's a good question will probably come to that later though that is available
0:20:58	no anyway i mean so far it's just about the mission statement why we believe
0:21:02	this is necessary and how what we think that's all should be providing the nine
0:21:06	steps a bit about the technical implementation of things but anyway i don't see any
0:21:11	for the question so let's just proceed with the technical stuff there is one way
0:21:17	okay
0:21:21	minimal mobile applications come in a client server the version of all the usually internally
0:21:28	and the just is a is a gift that scene out so we stopped things
0:21:34	or what we only focusing on
0:21:37	single a single focus
0:21:39	so this is explicitly about use that's right use that's meaning apps of the use
0:21:44	themselves like the end user himself plays around was it's not about so i think
0:21:50	much of that stuff that we had designing here will ultimately be useful on the
0:21:53	service well but this clearly out of focus for the stuff that we collapse here
0:21:57	okay thank you
0:22:02	okay
0:22:06	but nine steps
0:22:07	that's all the questions right now right okay so the first one that we currently
0:22:11	working on this is make E D that's work i can us is approach that
0:22:15	is kind i have been working on together with donny american great crop couple of
0:22:19	other it's a
0:22:21	the part of the class people system for this it to the crown the us
0:22:25	i hope you all know is like this i can see this really basics thing
0:22:29	how process can talk to each other since this is about processes talking to each
0:22:35	other we believe it is absolutely essential that this core component is aware of sent
0:22:40	boxing meaning that because we need to limit what apps can talk to we need
0:22:47	to have the send boxing right in the i see so for us because we
0:22:51	again want all these things to be enforced by the kernel it is absolutely essential
0:22:55	that we make at once where
0:22:57	katie was work where the other thing is because we believe that the katie basically
0:23:04	was in general is like a really nice way how communication out and of the
0:23:08	sandbox can work
0:23:09	so it is far as important that's if we want to
0:23:15	it katie less or do that's to be do single i'm interface in and out
0:23:20	of the sandbox you need to be capable of actually exchanging large amounts of data
0:23:26	with that because i mean it suppose with the one and only thing i don't
0:23:29	know that sandbox the need to be really good and cover all use cases that
0:23:32	we need from the now he was classically is not useful for exchanging
0:23:38	substantial data it's focused and that is in the resume some statement only in control
0:23:43	data right short message call which will parameters
0:23:48	if we wanna make it like the single thing then we should be able you
0:23:51	do also use it for exchanging things like J peg file document file or anything
0:23:56	else
0:23:57	so for us this meant if we wanna have to be device the central i
0:24:02	think we need to get sex sixty thing first that sent boxing things like that
0:24:06	the current state of katie that's is that we have a lot of carrot and
0:24:10	it kind of works but we have not like it's part of the system you
0:24:15	project like the user space part of the system the kernel space part is kind
0:24:20	in a repository
0:24:24	we're not far from actually making a work altogether what basically the last missing made
0:24:29	a missing sync for us this is that we actually port system the in its
0:24:32	entirety to the U I P i just that katie bells and that's this but
0:24:37	and provide which is basically i mean it that something so difficult it's just a
0:24:42	lot of work like moving from one like that
0:24:46	we hope that this that we have something really presentable like putting up an entire
0:24:52	system was and look at less and by the end of the year you have
0:24:56	submitted to talk to linux company you about katie us so and i better have
0:25:01	something presentable by then so that's my way to get
0:25:06	push on that so that we actually have something
0:25:10	so much about katie but it's a huge project it's going to be awesome because
0:25:14	it's we finally get a really good i can see you know linux that is
0:25:18	far that is provide everything we ever wanted from sent boxing to the broadcasting to
0:25:23	activation
0:25:27	that was step one step two is we want this accent porpoise build only next
0:25:33	negative second see goods become abilities
0:25:37	so i depending in like if you if you ever that was the lower levels
0:25:42	of stacking them that
0:25:43	then the next name is basis second see good together but it is something you
0:25:48	might have run into suffice to say these are very generic tool that the kernel
0:25:55	it provides for isolating and then men do like that bows than any kind of
0:26:00	what the what them a certain set of programs can see but also in what
0:26:04	they can do
0:26:07	and well these are completely generic we need to make them very specific for somewhere
0:26:13	for the axes case just like that if you use linux the name space second
0:26:18	figured it abilities you can build anything out of it you can secure service and
0:26:21	whatnot but to actually match the don't absent boxes and we need to use it
0:26:26	one very special way of course name spaces and stuff like that
0:26:33	this also like to look at that stuff which where they name spacing is built
0:26:38	in from day one right now
0:26:41	couple of things about this i'm really interesting like for example was a single stuff
0:26:45	we want that every act runs inside of a C group so that it we
0:26:49	can put results limits on them so that know how can bring down the system
0:26:52	but this has a lot of interesting effects of beyond that as well because it
0:26:57	suddenly allows us to manage runtime apps in a way that only androids and mitra
0:27:03	when these kind of things could for example and that we give the foreground at
0:27:08	the boost in terms of us if you know and we can even like the
0:27:13	background have gets them like a medals for time accuracy and we could even freeze
0:27:19	the background apps this has been done in minutes before for things like memo had
0:27:23	something like that but with this model if we if we have the definition of
0:27:28	apps and we suddenly have all these options open where we can make use of
0:27:33	define some things the net effect of all of that is a separate it that's
0:27:37	a little bit more robust but primarily about them how management
0:27:41	so and in the field little bit nice of the foreground up gets more secure
0:27:46	right
0:27:47	so second per se M sandbox as we have the
0:27:51	part of this is actually
0:27:55	is something that john
0:27:58	cost
0:27:59	in the past we've for those two but you a little bit disappointed with the
0:28:01	results we believe what is essential for this actually that we get a strict a
0:28:06	file reich specification for this
0:28:08	i mentioned this before was a lib X thing if we want to make this
0:28:12	happen that these send boxes can work on every machine then we need to make
0:28:17	sure that the decision machines do not
0:28:21	no and all sorts things and different directories all the time but we also need
0:28:26	to kind of give the and developer and idea how he himself was supposed to
0:28:32	places data so that it does not clash with his operating system or any other
0:28:37	operating system that followed these guidelines this is a complex thing because there's already and
0:28:43	then F H S round which is tries to standardise how the entirety of unix
0:28:47	works for this at stuff we probably need to reinvest get that you get that
0:28:52	and that topic and focus exclusively on what acts use that sun lit apps what
0:28:58	they need
0:28:59	this is not a job for necessary so much from brno and sell but it
0:29:04	is actually job for the entirety of the minutes well that they actually accept that
0:29:10	the differences on minimised and that
0:29:14	fedora stops doing that something's we got back second and some
0:29:22	yep
0:29:29	and that this is something very important that we currently all distributions actually take you
0:29:33	know and acted differently right if you if you have a you know money want
0:29:37	to and will not use the backs of if you have the same good on
0:29:41	for dora it will use look back second that's a big problem because it's on
0:29:46	the average thing is looks differently so while i sing that them the distributions need
0:29:51	to fix the issue it is there's also something for can on to do like
0:29:55	you know the release team or somewhere like that have to define exactly how the
0:30:02	finals all located i have placed how the avionics look on the a different operating
0:30:07	system is going to be top of course we don't have anything like a certification
0:30:11	system where you could actually for these kind of things but it's still it's of
0:30:15	major importance that this is clearly community can communicated to the to the distributions that
0:30:20	they stopped doing that and saying if they wanna have something that is compatible what
0:30:25	is with you know right you know needs to document this is how you package
0:30:29	it and you don't targeted anyway else and if you don't acted that way then
0:30:33	you out of the game and you have no compatibility with what we that so
0:30:37	it's something to fix for the distributions but they need to do it according to
0:30:41	the recommendations and then top language that you know needs to use the whole thing
0:30:48	by the way if you have any further questions that question
0:30:52	but that's the mikes coming
0:30:55	but
0:31:04	once we and needs basis and this E groups a would it be possible to
0:31:10	enforce and find a higher he by and my name spaces
0:31:16	so when i speak of nice basis you this usually applies to filesystem name spaces
0:31:22	but name space design and they sent to isolate sings big thing they cannot be
0:31:27	used in for anything right and also it's a different thing like for example what
0:31:32	the apple inside of the container does is relatively relevant like they have more freedom
0:31:38	than operating system has because the apps are not at i operating system however is
0:31:44	so it's them we will not be able to enforce much i mean i'm sure
0:31:49	that the operating board of going home could supply tool that can linda the operating
0:31:54	system make sure that a big part of the right up writing i am the
0:31:58	bright if you guys could even and provided tool that you can run on a
0:32:02	nap to make sure that at does not put something in a place where would
0:32:06	clash with what operating system with like
0:32:09	but some boxes not really to for
0:32:16	there is the question
0:32:23	chance
0:32:25	use
0:32:29	sorry i didn't get the question i was wondering what usable at a distribution not
0:32:35	just to do knowledge
0:32:37	well might make sense but i don't think that really matters too much for the
0:32:42	F stuff because
0:32:46	i
0:32:47	in the libraries all the it's a good question actually but
0:32:59	well you do you do read the file see
0:33:05	but i mean it's a so what kind of thing is that is that there
0:33:08	that this is about using traps right and i highlighted the cover that once already
0:33:13	so it is not essential like that the stuff that is required only prudent stuff
0:33:19	reason why the old distribution still have that split off
0:33:22	it's not necessarily navy either the apps need so it's not of that but maybe
0:33:27	there's a little bit of chicken we hope you have to the some of tools
0:33:30	could
0:33:30	probably simply we need
0:33:33	we don't is late
0:33:36	to
0:33:38	absolutely and stuff
0:33:43	yep
0:33:44	okay so i think it's a problem but i don't think it that
0:33:50	okay any best
0:34:00	i'm assuming that the new strict fell hard specifications something that we all want but
0:34:06	has there just be not planner just get everybody like at ian X F C
0:34:10	E in a moment at the end and so you say all together and to
0:34:13	say okay let's came out the specs here "'cause" it seems like it sort of
0:34:16	a pipe dream we don't have a plan about where to go with it i
0:34:19	just get everybody on the same page you know you know what they say about
0:34:24	committees and standards i'm not sure that will work that way i don't know we
0:34:29	should get the right people involved absolutely i don't think we should get everybody involved
0:34:33	because then you get all should i mean if you as soon as he'd like
0:34:37	for example if you if you include on the but are people they will fight
0:34:40	for the backside anything to the other with hated so
0:34:44	actually a lot
0:34:47	i got like ten minutes of the right
0:34:50	okay so let's you we can have discussions about all this later on so let
0:34:54	me i'm still it but that step to let that go for the other seven
0:34:58	steps in the next ten minutes
0:35:03	the next thing is that it but we want something called portals and portal to
0:35:07	something that the time or something we came up with a to access than and
0:35:10	brussels early this year it's supposed to be something how apps can interface with each
0:35:18	other without having to know about each other it's a something that's probably going to
0:35:22	maybe based on top of katie but it's a very interesting technology so it's basically
0:35:29	something that is focus it that is based on an idea from android where they
0:35:33	call that
0:35:36	a what
0:35:37	intense of course intense and what windows called contract right and these things are these
0:35:43	i think the really interesting things and because they basically or a way how you
0:35:48	can isolate apps from
0:35:52	from the rest of the operating system without having that concept of security isolation you
0:35:58	can be visible that's so to give an example what a portal i'm should be
0:36:02	doing that say you have an act and that have like it's an e-mail have
0:36:06	any and you want to be able to send a picture that you just took
0:36:09	over to another machine on traditional linux this would mean that this email i would
0:36:15	have to have access to the camera device and then would take picture from the
0:36:19	camera device and attach it to the email and centre the way our that's a
0:36:23	big a big but quite a bit of a security problem because you don't really
0:36:27	want to give access to the camera to email program so the idea of portals
0:36:33	and intense on and right is to always have that's related to different send boxes
0:36:39	and require interactivity between those two things
0:36:42	so the idea in that case is that if you have an e-mail application you
0:36:45	wanna send a date pick picture over what happened is that the email a program
0:36:49	goes to systems as i would like to have a picture here please help me
0:36:54	this system and says okay then goes and she's checks which programs could actually provide
0:37:00	a picture it could be like the gallery you have thing of could be actually
0:37:03	the camera to
0:37:04	then the camera tool would be activated or the gal review and you would select
0:37:08	you take a picture that i see interactivity which has this nice effect that ultimately
0:37:14	the you was the didn't wanna now that you would say why do my camera
0:37:19	application actually get started there was no reason for the simple press can't one okay
0:37:23	so in a way
0:37:26	there's a security question hidden behind this interactivity so that you only grant access to
0:37:33	the camera indirectly and always hasn't activity but use that so that if that action
0:37:38	was not supposed to take place you will say can so maybe a little bit
0:37:43	confused but not allow
0:37:46	it is wonderful technology because it's one way about integration of that's right because if
0:37:52	you sent an email and you get the camera application running you get the same
0:37:56	everywhere you can replicate running is always but it's also the security technology saying that
0:38:01	that's also the security technologies like a something about their other cases for portals for
0:38:06	example just think about open office currently open office needs to be able to access
0:38:11	your home directory and all other directory so that you can open a file at
0:38:15	any one of them but it really sucks because open offices a gigantic piece of
0:38:19	code and you don't really wanna give it access to everything that could ever like
0:38:23	you and we spoke like you private banking data like you firefox cash and whatnot
0:38:28	so ways portal to console the problem again because the open office would just tell
0:38:33	the operating system haiti so i'm living the sandbox and i would like to have
0:38:37	a file please give me one and then the application in the operating system would
0:38:41	again interactively you something out of the sandbox look for the file and we try
0:38:46	to back to sandbox and the sample together but it would only get access to
0:38:50	that specific file would not have seen any other file of the operating system so
0:38:56	it's the portal some things about be very generic how the security transition there is
0:39:02	hidden each wine between behind user interactivity instead of having questions like last week it
0:39:08	usually ask them like should this ad get access to this device you just do
0:39:12	the action but because requirement activity the usable make the decision just at the side
0:39:18	of it without actually
0:39:20	so
0:39:24	so the portal select or something that you know i'm really to care about of
0:39:27	that's nothing something not nothing the castle come from system decided things from the lower
0:39:32	level this can happen basic you know
0:39:34	number for a i mean just as compressed file system with multiple petitions will back
0:39:39	file so the idea for us as we wanted to have this after one image
0:39:44	at all but also wanna have a only but we want to make sure that
0:39:49	everything's on the kernel levels idea then is that applications are actually shipped and in
0:39:54	a single file that is look back mounted with a couple of petitions in them
0:39:59	that will include everything like and real files that the application means that money applications
0:40:04	executed will be merged according to very specific rules with the A P I file
0:40:09	that the and the at shell be able to access and so that it basically
0:40:15	the nazis a real operating system that is a real filesystem rightly that is emerge
0:40:20	version of what it it's itself ship
0:40:23	plus everything that has been white listed as a and system if you are from
0:40:28	outside
0:40:29	so i'm going through the little bit five because they're like less than five minute
0:40:33	left
0:40:34	number five as an extended search five logic and you live in friends this is
0:40:38	something and we really need if you if we have these apps and the contents
0:40:42	of the apps are not a viable in the normal system and study you get
0:40:46	this problems that let's say gonna know shall should be able to enumerate all the
0:40:51	apps that are installed at means that needs to look for the best of files
0:40:54	then something you have the problem well it's not sufficient anymore to look into user
0:41:00	share applications for the best of file because suddenly that's not well all the and
0:41:05	that's the file will be they will be inside of these a single file look
0:41:08	back mounted simple filesystem thank you so the net result of that is
0:41:15	we really would like to see the search pathologic extended so that do that is
0:41:19	capable of automatically finding these things also in the apps instead of just use okay
0:41:25	this applies not only to finding after the price to quite a few other things
0:41:28	like looking for i can looking for music files using for whatever scenes and this
0:41:34	kind of thing
0:41:38	then the next thing is a sample to where display manager this is real important
0:41:41	us because X eleven this is this gigantic saying if you as soon as you
0:41:45	get access to X eleven to the so that you can do anything with that
0:41:48	you can talk to read applications fake input other picketing the kind of thing if
0:41:52	we wanna have sandbox applications this means that second really be acts that is in
0:41:58	the makes that the good thing is whale and has been designed already in a
0:42:02	way so that applications can never ever access the input and output of other applications
0:42:08	that always you only that and by for nothing else
0:42:12	so that is point six point seven the something we still need to discuss was
0:42:17	ryan it's D com means need like the considerations needs to be and be able
0:42:24	to understand send boxing
0:42:26	meaning that it needs to be able to access control on the napkin and you
0:42:32	get access to the keys it should get to and nothing else
0:42:36	number eight it system for building apps
0:42:40	and profile is the that's kind of related that's a simple building out of course
0:42:44	is not sufficient to justifying this we also need to be P getting a tools
0:42:48	to develop is to actually make building these apps easily i think ultimately with system
0:42:53	that we defined it's relatively easy to do minimal ports of existing have like open
0:42:57	office into the scheme because inside of the name space container that i mentioned earlier
0:43:02	everything looks like a real operating system except one that is very minimal so they
0:43:07	do not have to make many changes they only have to make many changes in
0:43:11	of that's about security and portal something like that you
0:43:14	anyway
0:43:15	how we think that the that the compatibility situation should be handled is with these
0:43:19	called profiles profile to basically something if you have to dora it would implement i
0:43:26	profile called you know and maybe one profile called L is be and that's about
0:43:30	it and application would specify exactly one profile that's developed for the profile would basically
0:43:36	a superset of libraries or D bus interfaces and about a couple of other things
0:43:41	that need to exist
0:43:42	so the idea spending that if somebody writes an application you can pick one of
0:43:47	these profiles and has freedom i they can chase a okay i wanna focus on
0:43:51	the gnomes we don't be or that's a relatively you then he has to deal
0:43:56	with the fact that you has to rely on the gnomes capabilities to make stable
0:44:00	api some kittens and this table and or you can say i don't care about
0:44:06	them gonna i care about that is be only i don't trust again about because
0:44:09	the break api all the time then you can do that of course you will
0:44:12	not be able to get access to the economic the eyes that way but you
0:44:16	can still include them in as an image because after all the image includes pretty
0:44:20	much something that looks like a real operating system
0:44:23	so this gives basically developers the option like how much do they trust upstream how
0:44:28	often do they expect that they want to update application and the deal is basically
0:44:33	it's like firefox they're constantly updated they would like i mean and five releases and
0:44:40	you really is every three months or so if i correctly on so there could
0:44:44	but basically say we always check the news you know and always we can use
0:44:48	gonna profile and then they do than everything will work on the other hands i
0:44:52	have no time anymore but there is games and stuff like that games usually of
0:44:56	written once released immediately then there's maybe one update and that's it so they would
0:45:01	focus on a different profile like that'd be profile they would get less integration would
0:45:06	have to rely less on the on the stability guarantees by the operating system winner
0:45:11	but we get something out of the door there's my last slide have stores this
0:45:16	completely out of for before system the we have stores of course as soon as
0:45:19	we have that of course the last
0:45:21	they have between all these nine step there's lot of other things this box just
0:45:26	supposed to give you a little bit of an overview what we working on as
0:45:29	mentioned we're kind of it was a katie that stuff and we work was see
0:45:33	group of things like that and try to make session system you working which will
0:45:37	give us a definition of the but this is still a lot of stuff and
0:45:41	i have to do anyways thank you very much for your time if you have
0:45:45	any further questions maybe we have time for one question
0:45:49	no
0:45:50	so or one of his like you can ask one question otherwise that's
0:45:56	do something outside
0:45:59	so you are lucky one so she studies
0:46:03	i'm sorry she or one liabilities into supplements that's a good a question shepherds is
0:46:09	bundle libraries the distribution people they tape on the libraries for those it and don't
0:46:14	know the details about this is basically firefox and all these things they tend to
0:46:18	ship as shed light like a couple of shared libraries that we otherwise a part
0:46:23	of the operating system was there i'm application and distribution people to be hide that
0:46:28	application developers always do that but is think they're absolutely rights i think that actually
0:46:34	are and we need to technically solve the problem so i think ultimately this means
0:46:39	we need to support bundled libraries however we need to deal with the fact that
0:46:44	they saw they suck for security reasons
0:46:47	but i saying that the best way to deal with security series that by security
0:46:51	technology so that's again something where the send boxing is relevant right if you want
0:46:56	to allow firefox to ship is own S L library and you need to make
0:47:00	sure that whatever happens and inside of firefox now we can get out of the
0:47:03	and you need to be tightly sandbox
0:47:05	right but i think ultimately there is really strong we my firefox doesn't model things
0:47:11	it's a testability thing it's about they want exactly that version that they know with
0:47:15	the A P I and the bug fixes i know instead of something that is
0:47:19	it's about that somebody else but i don't know which is the up and
0:47:23	so this idea this is that stuff as opposed to provide support about the libraries
0:47:30	and i don't think there's any way around that how much is bundled and how
0:47:34	much assisted by the operating system is something you decide what profiles if you think
0:47:39	i was be profile with very low level and you have to should and problem
0:47:42	or if you pick we can own profile you have to ship but alas but
0:47:46	i don't think that's the way around hunting at least the
0:47:51	the middle ground a framework it's
0:47:54	well timers a profile so you're supposed to promote
0:47:58	but i don't know if you if you wanna new version of G stream or
0:48:01	you have to bundle
0:48:04	everything that's not products operating system profile and you have more about
0:48:12	there is no possibility that you know if an operating system doesn't have some very
0:48:16	popular third party like you've been everybody has to bundle their own copy of that
0:48:19	we pretty like green instead of using show and then they should talk to the
0:48:22	operating system vendor maybe ship the library
0:48:26	okay anyway this was already one question more than i promise so anyway single but
0:48:30	i'm if you i

Sandboxed applications for GNOME

Developer Experience Track

Lennart Poettering