Linux namespaces lets you pretend you are a root
Today I installed Ubuntu 15.10 on my virtualbox. To try out linux namespaces. Within a year these things might make desktop applications as secure as what web applications are.
If you have Linux 4.2, the following command gives you a fake root shell:
unshare --map-root-user -pimfun --user bashYou end up into a mode where you can mount/umount in ways that are thought to be "harmless". What I checked, you can do:
mkdir bin proc dev lib sysmount --rbind /dev devmount --rbind /bin binmount -t sysfs sys sysmount -t proc proc proc
Unfortunately you cannot mount loopback devices and peek inside file images, but the mountpoints you create aren't visible outside from the container and are lost when you drop the shell. And you can do a chroot here without actually having privileges for doing that:
mkdir appcp /bin/busybox appchroot app /busybox sh
As long as you ensure the applications have everything they need to run in the chroot they will happily run there. Sans kernel bugs, the container can be made sturdy enough that programs have only access to what you let them to access.
Although the program in chrooted environment no longer can access most files, it could still tamper with /dev or /sys to the extent what the user can do. Print files or access webcam. To prevent that you also have to set unprivileged user inside the container which you can assign to the program. I didn't figure out how to do it yet.
Adding a container around desktop application is crufty way of ensuring that it won't fuck your files. Better approach would be to upgrade system calls to allow the process access only what it got from its parent. Though I doubt anyone will be rewriting linux system call tables anytime soon.