KDE @lemmy.kde.social KDE @floss.social 3 days ago

This week in Plasma: Getting #Plasma6.3 into shape, more KRunner searches, better scaling and a whole lot more:

You're viewing a single thread.

10 comments

@kde@floss.social @kde@lemmy.kde.social

Can you tell us what happens on the "sandbox all the things" goal?

I think this is a pretty crucial step forward, even though #sandbox technologies (most often through user namespaces) are more problematic than I initially thought.

(Basically, user #namespaces open up #privesc dangers to the monolithic #kernel, which is incredible. #Android and #ChromeOS use #LXC, mounts and #SELinux for #sandboxing)
- @Rhababerbarbar @kde@lemmy.kde.social
  
  "Sandbox all the things" is not currently a KDE goal.
  
  https://kde.org/goals/
  
  @kde@floss.social @kde@lemmy.kde.social
  
  Thx for the info, then it is like that.
  
  Here is the goal proposal
  
  https://phabricator.kde.org/T17370
  
  Tbh, #bubblewrap would need to be fixed drastically to be as secure as the #Android #sandbox. And (I am not sure yet) I think even #Snaps are more secure (on #Ubuntu with #Apparmor patches) than #Flatpak with the current system.
  
  As far as I understood, sandboxing needs to happen in #userspace, with tools like #fuse doing the work while being restricted by #MAC like #SELinux or Apparmor.
  
  @Rhababerbarbar @kde@lemmy.kde.social
  
  That is the proposal page. Of all proposals, and there are always quite few, the community votes and selects three to work on for two years. This one was not selected.
  
  @kde@floss.social @kde@lemmy.kde.social
  
  True, changed the naming ;)
  
  @kde@floss.social @kde@lemmy.kde.social
  
  For people interested, maybe #crabjail and #crablock can be a solution!
  
  https://codeberg.org/crabjail/crablock
  
  A #sandboxing tool written in #Rust, featuring " bleeding edge #Linux #security features like #Landlock or MDWE_REFUSE_EXEC_GAIN."

You've viewed 10 comments.