Right now, you get most of your Linux software from your distribution’s software repositories. Those applications have to be packaged specifically for your Linux distribution, and you have to trust them with full access to your Linux user account and all its files.
But imagine if developers could distribute applications in a standard way, so you could install and run them on any Linux distribution, and if those applications ran in a “sandbox,” so you could download and run them without handing each one full access to your account and its files.
That’s not just a dream. It’s the goal of the GNOME desktop-affiliated Sandboxed Applications project, and the first fully sandboxed application is already here. A preliminary version of this project is planned to be released in GNOME 3.16, which should be in the next release of Fedora—Fedora 22.
Why this is awesome
There are two key parts to this project.
One is a cross-distribution package format. The package bundles the libraries the application needs itself, and declares a “base system” of software it expects the distribution to provide. For example, a package might depend on “GNOME 3.16” or “KDE 5.1.” (That’s right—in spite of the GNOME affiliation, this project can work across different desktop environments.) The Linux distribution is then responsible for installing and providing the base system the application depends on. Rather than a package that only works on Fedora 21, you’d get a package that works on every Linux distribution capable of providing the standard GNOME 3.16 base system. This sort of thing has been tried before with projects like Zero Install, and hasn’t taken off. But it’s a good, noble goal.
The sandboxing part of the project is fresher and more exciting. Those applications you install are locked down to the minimal resources they require, and are isolated from the rest of your system.
For example, the first sandboxed app is an open-source game called Neverball. This game is fairly self-contained, and the sandbox can take advantage of that. The sandboxed Neverball has no hardware access (aside from the 3D graphics access it needs), no network access, and no access to your user account’s files. It can only output audio via PulseAudio, and it can only draw windows and receive input via the Wayland display server. It can’t see anything else you’re doing on the computer, whether background programs or other windows on your desktop.
The requirement for Wayland might be a sticking point, but it isn’t arbitrary: under X11 any client can read every other client’s keystrokes and window contents, so an X11 sandbox couldn’t deliver that kind of isolation. While most of the Linux ecosystem is moving towards Wayland, Ubuntu is sticking to its own Mir display server, which it argues is better suited to Ubuntu for phones and the long-term goal of convergence. These sandboxed applications probably won’t run on Ubuntu’s Unity desktop any time soon.
There’s no doubt that this is a forward-looking solution. Imagine being able to install an application on any Linux distribution without worrying about different package formats. And that application would be locked down tight, with only minimal access to your system, protecting you not only from malicious code added by its authors, but from security vulnerabilities in the code itself. An attacker who compromised the application would get only what the sandbox grants it; reaching your files or the network would require a second hole in the sandbox boundary.