taking my toys and going to the sandbox

One of the coolest new toys that I was recently told about that’s available in Linux (at least Fedora/RHEL 6, not sure about Debian-based stuff or Suse) is the sandbox application. A massive hat tip to Dan Walsh, the author of this app, for showing it off in a recent SELinux talk.

From its man page:

Run the cmd application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The -M option will mount an alternate homedir and tmpdir to be used by the sandbox.

If you have the policycoreutils-sandbox package installed, you can use the -X option and the -M option. sandbox -X allows you to run X applications within a sandbox. These applications will start up their own X Server and create a temporary home directory and /tmp. The default SELinux policy does not allow any capabilities or network access. It also prevents all access to the user’s other processes and files. Files specified on the command that are in the home directory or /tmp will be copied into the sandbox directories.

If directories are specified with -H or -T the directory will have its context modified with chcon(1) unless a level is specified with -l. If the MLS/MCS security level is specified, the user is responsible to set the correct labels.

That all sounds well and good. But how does this help me? WELL… the first use that popped into my head is opening up documents from the web that I’m not really sure about. A PDF from someone or some site that you think might contain a script that does bad things, but that I REALLY want to look at. Take a peek in a sandbox!

$ sandbox -X firefox ~/test.pdf

and *poof*, Firefox opens up the PDF for me. BUT, this instance of Firefox can’t see my home directory contents or my normal temp folder. It’s also running inside its own X server instance. And most importantly, it is running in an extremely limited SELinux context.

So if this PDF contains a nasty of some sort that tries to read the plaintext file holding my web passwords and credit card data, it can’t even see that file, let alone get to it.

It’s all nice and easy and locked down and safe(r), and way easier than creating a chroot jail.
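The same trick wrapped into a small script, as an added example that is not from the original post: it stages the downloaded file into a fresh private home and /tmp, runs the X sandbox with those directories via -H and -T (the default X domain has no network access, which is what you want for a local file), and throws the directories away when the viewer exits. It assumes Fedora/RHEL with policycoreutils-sandbox installed, SELinux enforcing and firefox available; the SANDBOX variable and the function names are mine.

```shell
#!/bin/bash
# open-untrusted.sh FILE
# Added example (not from the original post): open an untrusted file in an
# SELinux sandbox with a throwaway home and /tmp instead of the real ones.
set -eu

# Setting SANDBOX=echo turns run_sandboxed into a dry run that prints the
# command line instead of executing it.
SANDBOX=${SANDBOX:-sandbox}

# Bail out unless SELinux is actually enforcing: in permissive mode the
# sandbox domain only logs denials, it does not block anything.
check_selinux() {
    command -v "$SANDBOX" >/dev/null 2>&1 ||
        { echo "missing $SANDBOX (install policycoreutils-sandbox)" >&2; return 1; }
    [ "$(getenforce 2>/dev/null)" = "Enforcing" ] ||
        { echo "SELinux is not in enforcing mode" >&2; return 1; }
}

# stage_file SRC DIR: copy SRC into DIR (the sandbox's private home),
# owner-only, and print the path of the copy. The original is never handed
# to the sandboxed viewer.
stage_file() {
    copy="$2/$(basename -- "$1")"
    cp -- "$1" "$copy"
    chmod 600 "$copy"
    printf '%s\n' "$copy"
}

# run_sandboxed HOME TMP FILE: X sandbox (own X server, no network, no
# capabilities) with private home and tmp, and only FILE on the command line.
run_sandboxed() {
    "$SANDBOX" -X -H "$1" -T "$2" firefox "$3"
}

main() {
    check_selinux
    home=$(mktemp -d) tmp=$(mktemp -d)
    chmod 700 "$home" "$tmp"
    # Remove the private directories, and whatever the viewer wrote into
    # them, once it exits.
    trap 'rm -rf -- "$home" "$tmp"' EXIT
    copy=$(stage_file "$1" "$home")
    run_sandboxed "$home" "$tmp" "$copy"
}

[ $# -eq 0 ] || main "$1"
```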


Is Ubuntu getting itself ready for the big F word?

FULL DISCLOSURE: I’m an active member of the Fedora Project community, and I also happen to work at Red Hat, Inc. (not in a code development engineering role).

No. Not that F word. In an open source project, especially one with large corporate backing, there’s an even worse utterance out there…


Is the Ubuntu project setting itself up for a fork down the road? 

Obviously if I could tell the future I would be doing much more productive things than sorting through Canonical’s messy handling of their Linux distribution. Winning on the ponies at Aqueduct jumps to mind. At any rate, I have no idea if the SABDFL will hold his ship together or not, but there is evidence to suggest that it could easily be heading for a messy fork in the river.

What is Upstream? What is Downstream?

This has always confused me: where does “derived” fit in the standard model of how an open source project lives? Ubuntu is derived from Debian, but what is the actual relationship? Is it upstream from Debian, or downstream? Were they just standing in line together at the DMV one Saturday? It’s a small issue, but it nags at me to no end.

The “Community” Organization

Back in the days of Dapper Drake, it was funny to refer to Mark Shuttleworth as the “Self-Appointed Benevolent Dictator For Life”. It was cute. It was quirky. It was sort of orangey-brown. Just like Ubuntu. But Ubuntu was about togetherness and community, and it was the coolest Linux distro out there at the time. Upstream drivers and a 6-month release cycle and holy crap, it supports my video card!

Ubuntu’s dictator also has the large task of staffing Ubuntu’s Community and Technology governing entities.

The Community Council’s charter is to:

The social structures and community processes of Ubuntu are supervised by the Ubuntu Community Council. It is the Community Council that approves the creation of a new team or project, along with team leader appointments. The council is also responsible for the Code of Conduct and tasked with ensuring that community members follow its guidelines.

The Technology Board is responsible for:

The Ubuntu Technical Board is responsible for the technical direction that Ubuntu takes. It makes decisions on package selection, packaging policy, installation systems and processes, kernel, X server, library versions and dependencies. The board works with the relevant team to try to establish a consensus on the right direction to take.

Fast forward to 2012 and Canonical is trying to monetize Ubuntu, squeezing it into anything that someone has the guts to ask them about. Sadly, squeezing into places where Linux itself has been for ages is the most common use case I’ve been able to find (Ubuntu TV and Ubuntu in your car). You also have 8 years of Mark Shuttleworth picking the people on, and the direction of, the two major governing bodies within Ubuntu itself. Fun examples of this attempt to monetize Ubuntu can be found in the latest release’s Amazon “integration” (shame on you, Amazon) and also in this bug, talking about searches run from the Unity dash.


I’ve used Unity for a grand total of 8 minutes. But I know that one of two scenarios about it is true:

1. the minority of unsatisfied Unity users is exponentially more vocal than the satisfied majority, or
2. there are a LOT of Ubuntu users out there that are NOT HAPPY WITH UNITY.

A search of Mark Shuttleworth’s blog for “unity” shows one early admission that the original versions “sucked”, but that they are now “well positioned”. Whatever the community wants, it looks like Unity isn’t going anywhere except into Ubuntu.

Pulling Bits out of the Community’s Hands

I’ve seen spin on this article and the blog post that caused it to be written, but I can only read it one way that makes sense to me.

Canonical (read Mark Shuttleworth) believes that a small group of people in a closed environment can do better work than a large community.

I’ve “done” FLOSS for a while now, and if there is a single immutable truth it is this: Open Source is noisy and often messy. But it’s the noise and mess where you find the genius that changes the world. The off-hand idea in a minor listserv. The idea floated as “impossible” or “impractical”, just like the GCC was back in the day.

I don’t care if he releases all of the code under the GPL after he makes it. When he decided to create skunkworks teams of his hand-selected people, Ubuntu stopped being a community project. And maybe it never was. I’m not saying that Ubuntu is invalidated as a product because it’s not community-driven. I’m just saying stop talking the talk. One thing I do know is that if it happens within Fedora (a little response to this), it happens out in the light of day, on a mailing list or in IRC or in the web tools. If I were a contributor to the Ubuntu project I’d be seriously thinking about offering up my time and talents.