About the Subgraph attack:
1. The main problem that @micahflee exploited is the unfortunate decision made by Subgraph OS to keep Gnome/Nautilus in the TCB *and* letting this complex software process *untrusted* files,
2. The specific Nautilus bug (handling of .desktop files) is just *one* example of what could go wrong in this case,
3. We can think of other potential problems (e.g. Thumbnails processing)
4. More details: https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/
@rootkovska @micahflee Hi there! In @gnome we are doing a lot of work to sandbox things and solve the root cause for this kind of problem. We'd love to hear about these bugs from researchers first, instead of depending on hardening-after-the-fact downstreams like Subgraph and Qubes to push bug reports to us.
Example conversation I'd like to happen around this bug: purpose of .desktop files vs. filename spoofing; executing code you downloaded; sandboxing all executions by default.
Thanks for the kind words about GNOME!
This might be a good start: https://github.com/flatpak/flatpak/wiki/Sandbox
Some major threat surface I see today is Wayland API (good), pulseaudio (bad), GL drivers (ugly).
The intention is to use portals (dbus) instead of dev access for most things. This is how you get file access despite no $HOME in the mount namespace. The file chooser, for example, is out of process then fd pass.
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!