Friday, June 1, 2012
Today I find myself remembering the day Fedora Core 2 launched. As you may remember, I used to be an SELinux developer. Today, as sandboxing becomes mandatory on the Mac App Store, I think we may be repeating the mistakes of the past.
Fedora Core 2 was the first major release of a Linux distribution to include SELinux support, though the user had to choose to turn it on during install. It enforced a security policy that was later called the strict policy which confined everything on the system. It was a disaster. Applications broke everywhere. Trying to take a preexisting general-purpose OS and confine all the apps in one action was a bad idea.
Red Hat quickly realized this and changed courses. They created a new security policy they called the targeted policy. For this policy, they left most of the system unconfined and only confined a few (~13) high-payoff apps (apache, mysql, etc.). For Fedora Core 3, they removed the strict policy and replaced it with the targeted policy. Over the course of future releases, they expanded which applications were confined significantly while improving the underlying system to handle those new apps better at the same time.
Today, Apple seems to be taking a similar approach to Fedora Core 2. They're forcing an initial implementation of a security mechanism onto all apps that come from the largest source of apps on the platform. Rather than allowing for organic growth in the wild the way Red Hat did with Fedora Core 3 onward, Apple is choosing to start with everything.
Interestingly, the pain will be felt differently than the pain of SELinux in Fedora Core 2. Apple has chosen to grandfather in any app in the store before today, but no updates (except for minor bug fixes) will be allowed. So, instead of everything breaking on user systems the way they did on Fedora Core 2, things will keep working. They'll just either stagnate due to lack of updates or lose features in future updates in order to work within the incomplete sandboxing technology that currently exists.
I do realize that it probably would not have worked for Apple to force certain Mac App Store apps to sandbox early, and allow others to wait till later the way Red Hat developed the targeted policy. They need consistent rules for all Mac App Store developers. That said, I believe that Apple should have at least led the way by sandboxing all of their own apps sold through the Mac App Store (I believe they have not sandboxed a single one of their 17). This would have showed them a lot of the deficiencies in the current sandboxing mechanism and given them the chance to improve it before forcing it on all of the rest of us.
Oh, and in case you were wondering about Pear Note in specific, I'm still waiting on Apple to get their own frameworks working under sandboxing.