About the Subgraph attack:
1. The main problem that @micahflee exploited is the unfortunate decision made by Subgraph OS to keep Gnome/Nautilus in the TCB *and* letting this complex software process *untrusted* files,
2. The specific Nautilus bug (handling of .desktop files) is just *one* example of what could go wrong in this case,
3. We can think of other potential problems (e.g. Thumbnails processing)
4. More details: https://micahflee.com/2017/04/breaking-the-security-model-of-subgraph-os/
@rootkovska @micahflee Hi there! In @gnome we are doing a lot of work to sandbox things and solve the root cause for this kind of problem. We'd love to hear about these bugs from researchers first, instead of depending on hardening-after-the-fact downstreams like Subgraph and Qubes to push bug reports to us.
Example conversation I'd like to happen around this bug: purpose of .desktop files vs. filename spoofing; executing code you downloaded; sandboxing all executions by default.
BTW, FWIW: I love the GNOME's look and feel and think it's the cleanest and nicest Linux DE. Congrats on your work here!
But there have always been some more or less accidental reasons(*) why we couldn't (easily) use it for Qubes OS.
(*) Accidental reasons, i.e. security unrelated (we don't assume any security or trust in whatever DE in Qubes OS for that matter).
Thanks for the kind words about GNOME!
This might be a good start: https://github.com/flatpak/flatpak/wiki/Sandbox
Some major threat surface I see today is Wayland API (good), pulseaudio (bad), GL drivers (ugly).
The intention is to use portals (dbus) instead of dev access for most things. This is how you get file access despite no $HOME in the mount namespace. The file chooser, for example, is out of process then fd pass.
Server run by the main developers of the project It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!