by AnthonyMouse 2817 days ago
> Sandboxed programs have their own $HOME. You can drag & drop files into their $HOME. Full stop.

That is not very good.

Suppose you create an audio file with Audacity and a series of images with ImageMagick and GIMP, then use ffmpeg to combine them into a video and VLC to view it. They're all operating on the same files.

What we need is to add an application list to filesystem ACLs and then have security groups like Video and Finances which contain apps. Because GIMP should be able to access your photos but not your accounting spreadsheet.

It should even be possible to do some of this automatically by file type, e.g. GIMP can access any PNG file the user can but not any spreadsheet file, or read a shared library but not write to it.

4 comments

Very much this. Something resembling an arbitrary number of groups per file (essentially a set of tags) and an analogous (arbitrarily numerous) set of tags applied to a process which match the launched binary. Bonus points if file format or other characteristics can somehow be worked in to automate things a bit while still maintaining security. A simple tagged group membership approach like this seems like it would be reasonably easy to use without getting in your way.

Does anything remotely resembling this already exist?

Edit: Before anyone says that SELinux resembles this, as far as I'm aware SELinux policies are anything but simple to set up and use correctly. However, SELinux types are inherited from parent directories and do look an awful lot like this. The main thing missing would seem to be that I can't find how to apply multiple contexts or types to a single file, but perhaps I'm just failing to navigate the manual?
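A toy model of the tag-based, per-application ACL sketched in the two posts above (groups such as Video and Finances on files, matching tags on processes, plus file-type rules like "GIMP may read any PNG but not write a shared library"). This is an added example, not code from the thread or from any existing system; the tag names, paths and the TYPE_RULES table are all constructed for illustration.

```python
"""Toy model of the per-application, tag-based file ACL proposed in the thread.
Constructed example, not code from the thread or any real system: files carry
group tags, processes carry the tags of their binary, and a per-file-type table
adds defaults and hard limits. Anything not granted is denied."""
from dataclasses import dataclass
from pathlib import PurePosixPath

# Hypothetical per-type rules: suffix -> {mode: tags granted}; "*" means
# everyone, None means forbidden for everyone even when a group tag matches.
TYPE_RULES = {
    ".png": {"read": {"image-editor"}, "write": {"image-editor"}},
    ".ods": {"read": {"spreadsheet"}, "write": {"spreadsheet"}},
    ".so":  {"read": {"*"}, "write": None},
}

@dataclass(frozen=True)
class TaggedFile:
    path: str
    groups: frozenset   # security groups the file belongs to

@dataclass(frozen=True)
class Process:
    binary: str
    tags: frozenset     # group tags plus role tags such as "image-editor"

def may_access(f: TaggedFile, proc: Process, mode: str) -> bool:
    """Decide one access; mode is 'read' or 'write'. Default deny."""
    rule = TYPE_RULES.get(PurePosixPath(f.path).suffix, {})
    granted = rule.get(mode, set())
    if granted is None:                 # hard per-type deny (e.g. writing .so)
        return False
    if f.groups & proc.tags:            # explicit group membership wins
        return True
    return "*" in granted or bool(granted & proc.tags)   # per-type default

# Constructed scenario: GIMP tagged into the photo/video groups plus a role tag;
# ldconfig is in the "system" group but still must not write shared libraries.
GIMP = Process("gimp", frozenset({"photos", "video", "image-editor"}))
LDCONFIG = Process("ldconfig", frozenset({"system"}))
FILES = {
    "photo":  TaggedFile("/home/u/pics/cat.png", frozenset({"photos"})),
    "ledger": TaggedFile("/home/u/finance/2016.ods", frozenset({"finances"})),
    "frame":  TaggedFile("/home/u/proj/frame01.png", frozenset({"project-x"})),
    "source": TaggedFile("/home/u/proj/main.c", frozenset({"project-x"})),
    "libc":   TaggedFile("/usr/lib/libc.so", frozenset({"system"})),
}

def decisions(proc: Process) -> dict:
    # every (file, mode) decision for one process, handy for inspection/tests
    return {(name, m): may_access(f, proc, m)
            for name, f in FILES.items() for m in ("read", "write")}
```

Note that the "frame" case shows the file-type rule letting GIMP read an image inside a project directory it is not a member of, while the C source next to it stays denied.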

> What we need is to add an application list to filesystem ACLs and then have security groups like Video and Finances which contain apps. Because GIMP should be able to access your photos but not your accounting spreadsheet.

This isn't that hard in a technical sense. But I very much doubt you can get the casual users to actually do that. They'll just end up with one giant group, because it's the easiest and doesn't require understanding the concept of security boundaries.

Basically, it'd be Vista UAC prompts all over again.

If you are interested in trying something similar, this is what Qubes OS [1] does, albeit with a different implementation (separate VMs for separate tasks).

It is more cumbersome to use than the current mainstream paradigm, but not that much!

[1] https://www.qubes-os.org/intro/

It might work if you hardlinked the directory containing the shared files into all your apps' workspaces (aka $HOMEs). I would just be worried about leaking privileges through the link somehow.

It also feels a lot like just recreating the original unified $HOME, and requires everything to be sorted by type. If you wanted to organize files by project and each project contained its own images, code, documentation, etc. then if you map the project directory for GIMP it can read all the files even though it should only get access to the images.