This BoF is here to discuss fast, on-demand creation of lightweight (but secure!) sandboxes. This enables a variety of applications:
- sbuild/pbuilder-style build environments with stronger isolation;
- sandboxing of regular, packaged applications, esp. desktop applications;
- safer, and more isolated, development environments;
- ...
Plainly, we have situations where we run untrusted code (either a large desktop application exposed to a variety of attack vectors, or we literally ran `{pip,npm,cargo,whatever} install`) and want to reduce the privileges this code runs with (i.e. it may not do everything your current user can do), the harm it can do, and the attack surface towards the rest of the system.
There are current efforts to address this, like Flatpak and Snap for desktop applications, and Docker containers for development, but they come with very severe shortcomings: they all involve some (unspecified) upstream shipping a complete chroot-like image, which is a return, in a sense, to static linking (or at least it has all the same issues as far as security support is concerned). Moreover, Docker isn't designed as a security boundary, and as such fails to provide strong isolation and security.
We can however be inspired by those efforts, and take advantage of the support they introduced in various upstream projects: what if, when a user starts LibreOffice (or enters their code directory), we could install the necessary packages into a fresh environment, fast enough, and start the application (or subshell) in a sandbox?
We could get the security and privacy benefits of those technologies (prompting users before enabling the webcam, only granting access to explicitly-requested files, stopping random code from the Internet from riffling through your ~/.gnupg), but still use software packaged in Debian, with all the ensuing goodness (security support, DFSG-freedom, ...).
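To make the "only explicitly-requested files, no ~/.gnupg" part concrete, here is an added example (not code from this BoF or from any Debian project) of the launch step: a deny-by-default policy translated into a bubblewrap (bwrap) command line, plus a pre-launch check that the resulting mounts expose nothing under a forbidden prefix. It assumes bubblewrap is installed and that `root` points either at the host filesystem or at a freshly populated environment directory; the package-installation step that fills such a directory is not shown, and the `/home/alice/...` paths are constructed placeholders.

```python
"""Deny-by-default application sandbox built on bubblewrap (bwrap).

Added example, not code from the BoF or from any Debian project.  Assumes
bubblewrap is installed and that `root` is either "/" (the host) or a
freshly populated environment directory (package installation into that
directory is out of scope here).
"""
import os
import shutil
import subprocess
from typing import Iterable, List

# Read-only system directories the sandboxed program needs in order to run
# binaries from `root`.  The real $HOME is intentionally absent, so ~/.gnupg,
# ~/.ssh and friends simply do not exist inside the sandbox.
RO_SYSTEM_DIRS = ("/usr", "/etc", "/lib", "/lib64", "/bin", "/sbin")


def build_bwrap_argv(command: List[str], root: str = "/",
                     allowed_files: Iterable[str] = (),
                     writable_files: Iterable[str] = (),
                     allow_network: bool = False,
                     sandbox_home: str = "/home/sandbox") -> List[str]:
    """Translate an allow-list policy into a bwrap argument vector.

    Anything not listed is absent from the sandbox: no real $HOME, no network
    unless requested, fresh user/PID/IPC/UTS/cgroup namespaces.
    """
    argv = ["bwrap",
            "--unshare-all",      # new user, pid, net, ipc, uts, cgroup namespaces
            "--die-with-parent",  # no sandbox processes outliving the launcher
            "--new-session"]      # detach from the controlling terminal
    if allow_network:
        argv.append("--share-net")  # re-enable only the network namespace

    for d in RO_SYSTEM_DIRS:
        src = os.path.join(root, d.lstrip("/"))
        if os.path.isdir(src):      # a minimal root may lack e.g. /lib64
            argv += ["--ro-bind", src, d]

    argv += ["--proc", "/proc", "--dev", "/dev", "--tmpfs", "/tmp",
             "--tmpfs", sandbox_home,        # empty, throw-away home directory
             "--setenv", "HOME", sandbox_home,
             "--chdir", sandbox_home]

    # Only explicitly requested files (think: picked in a file dialog) are
    # mapped in, at their original paths so the application sees them as usual.
    for f in allowed_files:
        p = os.path.abspath(f)
        argv += ["--ro-bind", p, p]
    for f in writable_files:
        p = os.path.abspath(f)
        argv += ["--bind", p, p]

    return argv + ["--"] + list(command)


def exposed_host_paths(argv: List[str]) -> List[str]:
    """Return the host paths a bwrap argv maps into the sandbox.

    Parsing stops at the "--" option terminator so the sandboxed command's
    own arguments are never mistaken for bind options.
    """
    opts = argv[:argv.index("--")] if "--" in argv else argv
    return [opts[i + 1] for i, a in enumerate(opts)
            if a in ("--ro-bind", "--bind", "--dev-bind")]


def run_sandboxed(argv: List[str], forbidden_prefixes: Iterable[str] = ()) -> int:
    """Launch the sandbox after checking that nothing forbidden is exposed."""
    for p in exposed_host_paths(argv):
        for prefix in forbidden_prefixes:
            if p == prefix or p.startswith(prefix.rstrip("/") + "/"):
                raise PermissionError(f"policy exposes {p} (under {prefix})")
    if shutil.which("bwrap") is None:
        raise RuntimeError("bubblewrap (bwrap) is not installed")
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Constructed sample: open one document in LibreOffice, no network, real
    # $HOME hidden.  The document path is a placeholder, not a real file.
    doc = "/home/alice/report.odt"
    argv = build_bwrap_argv(["libreoffice", doc], allowed_files=[doc])
    print(" ".join(argv))
    # run_sandboxed(argv, forbidden_prefixes=[os.path.expanduser("~/.gnupg")])
```

The important design choice is that the policy is an allow-list: the launcher never starts from the host's root and subtracts, it starts from an empty root and adds. A file the user did not pick is not merely unreadable, it is not present, so there is no path for the sandboxed code to find it; `exposed_host_paths` makes that property checkable before anything runs, which is where a "prompt the user first" portal would hook in.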