I’ve been thinking. Android implements app permissions on top of Linux, Flatpak does it too. But why is it it’s not part of the kernel?
Like all executable files would be sandboxed and would only be able to access syscalls and parts of the file system if they were allowed to. Making sandboxing the default instead of having to restrict programs.
I’m not a kernel developper so this question may be naive, but it bothers my mind. I guess part of it is because of historical reasons but are there any practical ones that make it not feasable?
EDIT : Thank you all for your answers, almost all of you were very nice and explained things clearly
Mainly because it’s not the kernel’s job. It provides abstractions to access the hardware, manages memory and manages processes, it doesn’t care what userspace does that’s userspace’s problem.
The kernel is responsible for enforcing security policies, but not for writing them or discovering them. It doesn’t know what an “app” is, or what a permission would look like.
It’s the userspace that assigns labels to files and SELinux policies so that the kernel is programmed to know what the boundaries are. As an example, when you log in on a Linux computer, logind ends up assigning your user access to the keyboard, mouse, display and audio to your user and then starts your session and that’s how you get access to those
/devnodes. If you switch user they’re yanked away from you so the other user can use them without you snooping on it.Userspace uses the kernel’s features to implement the permission systems. That’s basically what Flatpak does: leverage those kernel features to sandbox the application. And it works great and is effective.
Android also uses the Linux kernel and its features for its own sandbox and permission system too.
Generally, the kernel provides the tools for userspace to be able to do things, that’s its purpose. For example all the OpenGL and Vulkan stuff is in userspace, not the kernel, the kernel doesn’t know what Vulkan is and doesn’t care. It mediates access to the GPU and reserving memory on it anf uploading code to it. The code comes from your GPU driver in userspace.
A system where everything is sandboxed by default exists too, you do that with a rule that denies everything that’s not explicitly labeled for being allowed.
Only your package manager knows, at install time, how to label an application such that it only have access to the stuff it needs access to. That information have to come from somewhere.
Security is inherently a compromise. You’ve always been able to mount
/homenoexec so users can’t execute non-approved stuff. But then Steam doesn’t work, none of the games work because that makes them all foreign executables you’re not allowed to execute. Steam has Flatpak-specific code to make it work with the nested sandbox.It’s up to the distros to make those choices for the desired user experience. Most regular distros are a bit old fashioned and leaves a lot of freedom to the user. And you can have a distro for workstations at offices where you really cannot run anything but company software, for security. Or a distro like Steam OS so regular users can’t really break it.