And mount namespaces do sandbox filesystem access but you have to know how to use them. It involves bind mounting over things that should not be accessible (or that you want to interpose different content over) and then making a new nested namespace so they can't be undone.
Conversation
That's changing what's accessible via paths, not sandboxing filesystem access. The program isn't restricted from accessing files passed to it from outside the sandbox in any way. If the user opens a file with an application via system UI, something is being passed to the app, etc
1
I'm aware of how mount namespaces work. Changing what can be accessed via paths is a much different thing than restricting which files can actually be accessed. Mount namespaces are doing the former rather than the latter. Same applies to other non-user namespaces.
1
I'm assuming if you pass a file descriptor into the sandbox from outside it, you're okay with it being accessed. If you don't want that, don't do it.
2
Look at this small fraction of what they're building:
flatpak.github.io/xdg-desktop-po
This doesn't include a whole lot of the baseline IPC.
It's going to get 100x larger and far more complicated as they fill out the capabilities to actually be able to sandbox more complex real apps.
2
So how does an application do something like using OpenGL, opening a file with user consent, taking a picture with user consent, obtaining access to take multiple pictures within the current session (or persistently, for a camera app), and so on and so on?
1
I have never once wanted a desktop app to "take a picture". If I want to take a picture with my webcam I'll do it with a native utility I trust then open the file. This is a general principle: vetted native apps for privileged things, 3p junk in a HARD sandbox.
1
But of course this is a replay of the FDO folks trying to recreate all the mistakes of Windows on the Linux Desktop, only this time it's recreating all the mistakes of Android... 🤦🤦🤦
1
They're trying to copy the way it works on Android although often based on how things worked in Android 4.4.x to 6.x rather than how they work now. That's just what they're trying to do and isn't really how things work. The way it usually works is apps opt-out of the sandboxing.
2
I don't think it's going to work out based on what I said earlier about Snap vs. Flatpak vs. alternatives. I guess GNOME will gradually start using it for real but I just can't see other apps being willing to do complete overhauls to make things work with each specific take.
File chooser is really the only thing where a channel for integrating with the sandbox host would make a big usability improvement. Most of the rest would be better not existing at all, or as CUSE devices.