
I'll give it a shot. I've been feeling quite vulnerable on 16.04 due to the absurd amount of unfixed bugs. I have a couple of questions:

- it's mentioned that it does not have access to documents and downloads within the user folder. When it wants/needs read access, how am I told?

- if it doesn't have access to these folders, does it only write to its own subset?

- is it possible to make my home downloads folder an aggregate of the application downloads?

- when uninstalling/purging, since it's sandboxed it deletes all of the content or keeps it? Can I force removal as well?

- how does subgraph deal with shared services/folders/info? Can I share a service with another user? Can I share the network setting modifications with other users?

- how can I prevent an application from using the network without my knowledge?

- are the tools like nethogs/top for subgraph that can take advantage of the compartments to show a more realistic view of what's going on?

I think this has a lot of potential!




These are great questions. We have a Gnome shell plug-in to move files into sandboxes while an application is running. Certain applications also have shared directories (e.g. "Downloads/TorBrowser", "Documents/LibreOffice"). This is a UX work in progress though, neither of these are adequate, though together they're workable.

re: Applications and network access: we have an application firewall, unique to Linux-based OSs. It's basically Little Snitch for Linux. There is a screenshot here:

Keep in mind that the project is very young. We are just getting started, tbh. With questions like these you should idle in our IRC channel where we talk about all of this stuff: OFTC/#subgraph.


Will do! I'm very excited for this. Containerization and safety is a very important problem to me. I'm not particularly interested in running a docker instance or a vm just to use an application. And if I do, I'd prefer it being automated.



