integrated support for running GUI apps in containers, like Chrome OS Crostini

[markstos]

Clear Linux makes a compelling security-focused desktop with the emphasis on running most code in VMs, while also having good performance.

The lack of packaged software for the primary OS can be seen as a feature, as it pushes users to install packages within a VM instead, providing extra security protection.

Crostini

The emphasis on running GUI apps in VMs appears in some other desktop OSes with good security: Qubes OS and the Chrome OS "Crostini" project for running Linux containers within the CrosVM.

Crostini provides a very useful integration: After an apt get install of a GUI application within the Debian Linux container, a launcher icon appears on the parent Chrome OS desktop. When clicked, this icon will cause the related VM and container to spin up if not already running. Also, the right environment variables and sockets are available in the container so that the GUI apps in the VM run on the parent OS Wayland compositor.

Other work is done for to allow apps in the VM to access the GPU, audio and some filesystem access.

If this approach were taken on in Clear Linux, a full range of desktop Linux apps would available to Clear Linux users without the need for them to packaged for Clear Linux or even as Flatpaks.

The Crostini project is open source, so perhaps some of it could be re-used or inspire work on Clear Linux as a developer desktop OS.

https://chromium.googlesource.com/chromiumos/docs/+/master/containers_and_vms.md

GUI apps with Docker

It's also possible to run GUI apps with Docker and this approach could be used with Clear Linux today. This solution is a bit cumbersome in that it involves passing several arguments to each GUI app launched as a docker container. Plus, the integration with the parent desktop would take some extra work. Still, better support for this approach seems like it could be less effort than the deeper integration that the Crostini project is working on.

[ahkok]

flatpak is exactly this: sandboxed GUI applications. Why are you discounting flatpak as a viable solution for your use case?

[markstos]

Because I don't control the packaging of all the apps I might like to install.

Perhaps advocating and contributing to apps to have them packaged as flatpak is the answer, but that doesn't always address a present need today for an app that is not packaged as Flatpak.

Also, flatpak permissions are managed per-app, which is harder to reason about the permissions of a single VM.

For example, flatpak permissions may allow access to the full host file system, but there's no way that I'm aware of to even query which flatpaks have host access. For example, I have a Xournal Flatpak installed, and I see can it has filesystem host access with:

 flatpak info --show-permissions net.sourceforge.xournal/x86_64/stable

On the other hand, if multiple GUI apps are in a single VM, there is a single security configuration for the the VM that you control, rather then a bunch of permissions policies for Flatpak packages that the package authors control.

Also, flatpak shares all the security concerns of containers-- they share the same kernel with the host. It's possible to run flatpak apps within a lightweight VM, like the flatkvm project is doing. Is Clear Linux isolating Flatpaks within VMs like that?

[markstos]

More concerns about Flatpak security: http://flatkill.org/ Hopefully the Flatpak security story has improved since that was published.

[markstos]

I have the Firefox Developer Edition Flatpak installed. It has access to my entire home directory, when I'd only like to have access to my ~/Downloads folder. That permission choice was made by the Firefox Flatpak packager, not me. If Firefox was running in a VM, I could chose to mount my ~/Downloads folder into the VM and nothing else from my home directory.

[ahkok]

Thanks.

One of the bigger problems for clearlinux is to avoid building something new that could be satisfied by fixing something that already exists, which is why I was asking.

but that doesn't always address a present need today for an app that is not packaged as Flatpak.

This isn't solved and possibly made worse by inventing something new.

Also, we don't want to rely on other OS binaries since they often lack the acceleration and (worse) security patches, so we'd effectively be doing lots of extra work.

Your general suggestion is of course entirely valid, but perhaps better classified as an ecosystem adoption problem: Sandboxed native GUI applications don't exist, and no desktop environment provides full integration for it. The best approach currently actually is flatpak, since it has the broadest adoption and features. That may be debatable of course, but it's certainly well integrated in gnome/freedesktop.org stacks.

[markstos]

Thanks for the reply.

Perhaps Clear Linux could make a version of flatkvm that uses Kata Containers instead of QEMU/KVM.

That would combine if the benefits of Flatpak with the security of Kata Containers.

https://github.com/flatkvm/flatkvm