About the Subgraph attack:
2. The main problem that @micahflee exploited is the unfortunate decision made by Subgraph OS to keep Gnome/Nautilus in the TCB *and* let this complex software process *untrusted* files,
2. The specific Nautilus bug (handling of .desktop files) is just *one* example of what could go wrong in this case,
3. We can think of other potential problems (e.g. Thumbnails processing)
4. More details: micahflee.com/2017/04/breaking

@rootkovska @micahflee Hi there! In @gnome we are doing a lot of work to sandbox things and solve the root cause for this kind of problem. We'd love to hear about these bugs from researchers first, instead of depending on hardening-after-the-fact downstreams like Subgraph and Qubes to push bug reports to us.

Example conversation I'd like to happen around this bug: purpose of .desktop files vs. filename spoofing; executing code you downloaded; sandboxing all executions by default.

@federicomena @gnome @micahflee @rootkovska This is really exciting to hear! 🤗 Where can I read more about Gnome's sandboxing strategy and implementation plan?

@tl @rootkovska @micahflee @gnome @federicomena Most of our work currently is around creating Flatpak and Bubblewrap. We want to get as many core GNOME apps sandboxed as possible.
@hergertme @federicomena @gnome @micahflee @tl Hi! Do you have some document describing the planned architecture for this GNOME sandboxing? Specifically discussing the inter-component interfaces?

@tl @micahflee @gnome @federicomena @hergertme

BTW, FWIW: I love GNOME's look and feel and think it's the cleanest and nicest Linux DE. Congrats on your work here!

But there have always been some more or less accidental reasons(*) why we couldn't (easily) use it for Qubes OS.

(*) Accidental reasons, i.e. security unrelated (we don't assume any security or trust in whatever DE in Qubes OS for that matter).

@rootkovska @tl @micahflee @gnome @federicomena

Thanks for the kind words about GNOME!

This might be a good start: github.com/flatpak/flatpak/wik

Some major threat surfaces I see today are the Wayland API (good), pulseaudio (bad), and GL drivers (ugly).

The intention is to use portals (dbus) instead of dev access for most things. This is how you get file access despite no $HOME in the mount namespace. The file chooser, for example, is out of process then fd pass.
