by Blikkentrekker 1189 days ago
These permission systems in practice don't really do as much to shield users as many think though.

People often just drop the word “sandbox” and say “applications are sandboxed” and that that means that they're safe, but it's really not that simple in practice. What often happens is that such applications still need to communicate over some socket with some server that was never designed for such a sandbox, say PulseAudio, and in many cases can then simply instruct the outer daemon to do whatever they want with full permission, either by design, or by oversight since no one who wrote the outer daemon thought about it at the time, since they were never designed for that purpose.

1 comment

Of course, but that just means that said daemons need to be reworked to not have access to everything either.

This is why there's a push to do as much as feasibly possible in userland in both macOS and Linux, so even when a bad actor tries to route through system components the blast radius is limited. Realistically, they should be sandboxed too — an audio daemon for instance has no business directly accessing storage or network facilities for example.
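The reply above argues that the daemons an application talks to over a socket need their own sandbox, so that an app which can drive the daemon still cannot reach storage or the network through it. The systemd drop-in below is an added illustration, not from either commenter and not from any real audio project: it shows the unconfined "before" state beside a hardened "after" for a hypothetical PulseAudio-style user service named `audio-daemon.service` (that unit name is a placeholder). The directives are standard systemd sandboxing options; the `char-alsa` device group used to keep sound hardware reachable is an assumption about what such a daemon needs.

```ini
# Before: a typical unconfined user service. Anything that can talk to the
# daemon's socket inherits the daemon's view of the whole system: home
# directory, network, every device node.
#
#   [Service]
#   ExecStart=/usr/bin/audio-daemon --daemonize=no
#
# After: drop-in at ~/.config/systemd/user/audio-daemon.service.d/sandbox.conf
# The daemon keeps its socket and the sound card; it loses storage and network.

[Service]
# No network stack at all: an app driving the daemon cannot use it as a relay.
PrivateNetwork=yes
# Only UNIX sockets (the client IPC) may be created; no AF_INET/AF_INET6.
RestrictAddressFamilies=AF_UNIX

# Read-only view of the OS; no access to user data on disk.
ProtectSystem=strict
ProtectHome=yes
# Private, empty /tmp so the daemon cannot be used to read other apps' temp files.
PrivateTmp=yes

# Private /dev containing only the devices listed below.
PrivateDevices=yes
DeviceAllow=char-alsa rw    # assumption: ALSA character devices for playback/capture

# Misc hardening: no privilege escalation, no ptrace, no kernel tunables.
NoNewPrivileges=yes
RestrictNamespaces=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
CapabilityBoundingSet=
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
```

After `systemctl --user daemon-reload` and a restart, `systemd-analyze security --user audio-daemon.service` reports an exposure score for the unit, which is a quick way to confirm the network and filesystem restrictions actually took effect. The trade-off discussed in the thread shows up immediately: if the daemon legitimately needs a path (a config directory, a module under `/usr/lib`), it must be granted explicitly with `ReadOnlyPaths=` or `ReadWritePaths=`, which is exactly the design review that the original daemon authors never had to do.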