A current entry in Jolla’s blog deals with the sandboxing model that Jolla introduced in February with the release of Sailfish OS 4.0.1 “Koli” . The article goes into the current status and the plans for the future of this security technology at Sailfish OS.
As with other operating systems, sandboxing is designed to help improve user privacy by restricting what applications are allowed to do. This is done using the security technology of the namespaces in the kernel. This is a lightweight but effective mechanism that makes it relatively easy to define what resources each application can consume. Control over the authorizations is then passed to the user in a dialog when an app is started for the first time.
The current status
When it launched in February, sandboxing was limited to a selection of Sailfish apps. That didn’t change with the recently released Sailfish OS 4.2.0 »Verla« . Under the hood, however, preparations have already been made to apply sandboxing to third-party apps as well.
When an app runs in a sandbox, it must have a number of required permissions that are defined in an application profile. There are currently no third-party applications with defined profiles. A standard profile is also required, which is used when an application has not defined its own application profile. The standard profile must have sufficient permissions so that any previously authorized by the Jolla Harbor application Repository can work with it.
Define application profiles
There are currently plans to introduce sandboxing for all apps with Sailfish OS 4.4.0. As the planning is still at an early stage, the timing can still change. Starting with Sailfish OS 4.3.0, the apps that have explicitly defined their own application profile will run in a sandbox. In addition to preparing for the sandboxing of all applications, work is being carried out on the launch speed of apps at the same time by preloading frequently used libraries in memory. With version 4.3.0, so-called boosting will be activated by default for some sandbox applications such as camera, browser and e-mail applications.
Now, according to the blog, it is time for app developers to check their applications to see whether they are running in a sandbox or whether they still work outside of this security zone.