[SailfishDevel] [Minutes] Sailfish OS Open Source Community Collaboration Meeting, 5th of September 2016

Slava Monich slava.monich at jolla.com
Wed Sep 7 13:20:04 UTC 2016


Hi Andrew,

>> To make matters worse, the plugin requirements may change over time, 
>> meaning that a system upgrade may break the app because the app 
>> didn't request access to some features required by the updated plugins.
>
> Application shouldn't know/care about how a plugin works. Plugins 
> are parts of the system and shouldn't be sandboxed.


How do you sandbox a native app without affecting plugins? They all live 
within the same process, the same virtual address space. I don't think 
it's possible to reliably track a system call back to the 
executable/shared library it originated from, even with DEP (data 
execution prevention) enabled. Without DEP it's plain impossible.

With the interpreted code like Java it's certainly doable. With the 
native code, I very much doubt it.

Cheers,
Slava


>
> I don't know much about implementation, but Ubuntu Touch somehow 
> achieves this with AppArmor.
>
> Regards,
> Andrew


