undefined | Better HN

0 pointscodedokode8d ago0 comments

I thought about VM but it would be pretty expensive and require lot of RAM (which is not cheap nowadays and not always upgradeable on laptops. How would you upgrade your 8 Gb MacBook?) and CPU overhead to emulate the hardware and run one more kernel. The program in VM would not be able to use OpenGL/Vulkan, access the audio card with low latency (for working with audio), connect to DBus (to interact with other software).

I actually ran Windows games like Cyberpunk in qemu on a Linux host without performance loss, but that required adding a dedicated GPU for guest and to use realtime audio, one needs to pass through an audio card into the guest.

Furthermore, the CPU already provides a "sandbox" (isolated memory) for processes. The problem is that Linux allows the program to ask the kernel to do anything.

> Linux has features like SELinux and AppArmor.

Neither SELinux not AppArmor allows to show a question "would you like to allow program N to access your microphone" or "would you like to let the program connect to github.com? (Yes) (No) (With decrypting SSL traffic)". They look like they are made to comply with some outdated standards from 80s.

The best you can do today is either write your own sandbox around Linux namespaces (very complicated), or try lightweight VMs like Firecracker, or paravirtualization (like VM but with a shared kernel). Those solutions are made for server use, not for desktop, and require lot of work and programming.

> If you want to install a random package, you are free to do and its your responsibility. Equivalent is side loading in android.

I want to install random packages and still be safe. That's the point of installing an OS, to be able to run random programs on the computer.

0 comments

4 comments · 1 top-level

mittensc8d ago· 3 in thread

> Neither SELinux not AppArmor allows to show a question "would you like to allow program N to access your microphone"

Permissions on microphone device would work, build your own UI / virtual device or generate one with claude if you really want popups.

> "would you like to let the program connect to github.com? (Yes) (No) (With decrypting SSL traffic)"."

I actually have something for this. Firewall everything blocked, domains unblocked via DNS request if I allow them.

Linux is very powerful here compared to iOS - can you block specific domains there?

> The best you can do today is either write your own sandbox around Linux namespaces (very complicated), or try lightweight VMs like Firecracker, or paravirtualization (like VM but with a shared kernel).

What do you think the sandbox on ios/android is?, still a vm/namespace/container...

> require lot of work and programming.

Sure, but you learn.

> I want to install random packages and still be safe. That's the point of installing an OS, to be able to run random programs on the computer.

That's not true anywhere. I would not feel safe with random apks or random store entries on android OR iOS. On iOS i lived through the whole 'access a webpage to get jailbreak' phase... with no way around it since mandatory safari

So, other OSs just give you the impression of safety. And you're locked. (iOS with safari...)

On Linux you are free, up to your capabilities.

codedokodeOP8d ago

How do you sandbox /proc by the way? So that the app doesn't crash due to missing /proc/self/exe link or /proc/ID/stat file, but cannot read my private information (like /proc/cmdline, /proc/mounts etc)? Things like bind mounts do not work on /proc.

I ended up with writing a FUSE-based emulation in Python, but there are lot of issues with permissions and namespaces:

- I could run my /proc emulator in the same PID namespace as the target, but in a different mount namespace so that I can mount real /proc there. This is not safe because the target could send signals or ptrace my emulator and gain access to the real /proc. Especially if it is an AI agent, they are pretty capable.

- I could run the emulator in a different mount and PID namespaces but then the emulator needs to translate PIDs into the target namespace, and for this I need to know the format of all files and where they contain PIDs and it is a pain

- running the poorly coded emulator as a root is not an option. The sandbox must work without root.

- ideally the emulator should run as a different user because Linux provides the strongest isolation for processes of different users, but in this case I won't be able to access target's /proc entries.

Also, running a program is the most basic functionality of an OS and you suggest that I need to write my own sandbox to do this because it is not included with Linux. Maybe that is why this year still is not the year of Linux on desktop.

mittensc8d ago

> Also, running a program is the most basic functionality of an OS and you suggest that I need to write my own sandbox to do this because it is not included with Linux. Maybe that is why this year still is not the year of Linux on desktop.

I'm saying other OSs are worse for sandboxing.

How would you achieve what you want on MacOS or Windows? (or others?), what do you think goes on behind the scenes?

I would set up a VM if i were that paranoid btw. Qemu, docker, deploy the container to it, vnc or gpu access.

Also, one question for you, since you brought up microphone, how do you defend from Microsoft/Google/Apple deciding to spy on you and access the microphone? (secret court order or who knows why in the future)

codedokodeOP8d ago

It doesn't matter how bad is Windows or Mac because I do not use them.

Apple might have something made for the government. They are very cooperative and routinely remove VPN apps from the repository at the request of Russian government, probably they will happily cooperate with US government as well.

> how do you defend from Microsoft/Google/Apple deciding to spy on you

My smartphone is in airplane mode since purchase and doesn't have a SIM card. I am considering options to port an open-souce firmware like Lineage OS, patch proprietary firmware or make mix of both. However to do this I need a realistic emulator that cannot be easily detected and that emulates at least some of phone hardware so that I can see what the programs try to do and where they try to connect to. Obviously there will be no Google services and similar software, mostly open-source apps from F-Droid.

As for computer, I use Linux so I guess I am relatively safe.

1 more reply

j / k navigate · click thread line to collapse

0 comments

4 comments · 1 top-level

mittensc8d ago· 3 in thread

> Neither SELinux not AppArmor allows to show a question "would you like to allow program N to access your microphone"

Permissions on microphone device would work, build your own UI / virtual device or generate one with claude if you really want popups.

> "would you like to let the program connect to github.com? (Yes) (No) (With decrypting SSL traffic)"."

I actually have something for this. Firewall everything blocked, domains unblocked via DNS request if I allow them.

Linux is very powerful here compared to iOS - can you block specific domains there?

What do you think the sandbox on ios/android is?, still a vm/namespace/container...

> require lot of work and programming.

Sure, but you learn.

> I want to install random packages and still be safe. That's the point of installing an OS, to be able to run random programs on the computer.

So, other OSs just give you the impression of safety. And you're locked. (iOS with safari...)

On Linux you are free, up to your capabilities.

codedokodeOP8d ago

I ended up with writing a FUSE-based emulation in Python, but there are lot of issues with permissions and namespaces:

- running the poorly coded emulator as a root is not an option. The sandbox must work without root.

mittensc8d ago

I'm saying other OSs are worse for sandboxing.

How would you achieve what you want on MacOS or Windows? (or others?), what do you think goes on behind the scenes?

I would set up a VM if i were that paranoid btw. Qemu, docker, deploy the container to it, vnc or gpu access.

codedokodeOP8d ago

It doesn't matter how bad is Windows or Mac because I do not use them.

> how do you defend from Microsoft/Google/Apple deciding to spy on you

As for computer, I use Linux so I guess I am relatively safe.

1 more reply

j / k navigate · click thread line to collapse