Sandboxing in Teliva
Programming languages assume all code they run is trustworthy. Browsers assume all connections they make over a network are trustworthy. I'm starting to experiment with alternatives to these approaches. Here's one early, extremely caricatured sandboxing model that's already more flexible than both conventional languages and browsers.
https://archive.org/details/akkartik-teliva-2021-12-25
Main project page: https://github.com/akkartik/teliva
Are you familiar with object capabilities? An alternative permission model which I think might help make fine-grained permissions easier to manage.
Oh yes, I'm a fan, though not an expert. My previous Mu project used that idea. I'll be working that in here as well.
I ask because I am familiar with Android/Google's permission model where if you want to load or save a single file, you must give broad permissions to all user files. I am not sure if this is the case here.
I think the right model is decoupling file selection (done by a trusted computing component, from a set of files) and file access: authority is granted by the actual transmission of the selected file to the app (as a capability).
i.e., instead of passing a file string/id into a global namespace, and separately giving permissions into that namespace, there is no globally accessible namespace of files, and you give the open file itself to the app.
Yeah, I don't have capabilities. Yet 🙂
Like I said, I'm not an expert and would appreciate someone going over what I come up with. What I had in https://github.com/akkartik/mu (really https://github.com/akkartik/mu1) was quite hokey.
I believe trusted components basically work by preventing automation and hindering discoverability. Is that accurate?
One thing I care about is being able to continue using an app without granting all requested privileges. For example, easily creating a fake file system with honeypot data. That feels orthogonal to capabilities. They don't preclude it, but they also don't make it easy by themselves.
So I feel like there are some trade-offs to weigh here. But maybe I'm wrong and it's all a solved problem. Pointers most appreciated.
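Added example, not Teliva's own code (and in Python rather than Teliva's own language, purely for illustration): the decoupled model from the comment above, where a trusted shell does the file selection and the app only ever receives the already-opened file as a capability object, plus the honeypot idea from the reply. `FileCap`, `TrustedShell`, `run_app` and the decoy contents are all assumed names for this sketch. The same `FileCap` interface is handed out whether the user granted the real file or declined and the shell substituted an in-memory decoy, so the app keeps working without being able to tell which it got.

```python
"""Object-capability file access with a honeypot fallback (added example,
not Teliva's code). The trusted shell owns the namespace; apps get handles."""
import io
import os
import tempfile


class FileCap:
    """Authority over exactly one already-opened file.

    The object carries no path, name or directory, so an app holding it can
    neither reach a different file nor learn where this one lives.
    """

    def __init__(self, handle):
        self._fh = handle

    def read(self):
        self._fh.seek(0)
        return self._fh.read()

    def write(self, text):
        self._fh.seek(0)
        self._fh.truncate()
        self._fh.write(text)
        self._fh.flush()

    def close(self):
        self._fh.close()


class TrustedShell:
    """Trusted computing component that owns the file namespace.

    pick_file() stands in for a user-driven file picker: the *user* names the
    file, the app never does, so 'user_choice' is not attacker-controlled.
    With honeypot=True the shell grants nothing real and hands the app an
    in-memory decoy with the same interface instead.
    """

    def __init__(self, root, honeypot=False):
        self._root = root
        self._honeypot = honeypot
        self._decoys = {}  # decoy per requested name, so repeated picks are consistent

    def pick_file(self, user_choice):
        if self._honeypot:
            decoy = self._decoys.setdefault(
                user_choice, io.StringIO("decoy contents\n"))  # constructed decoy data
            return FileCap(decoy)
        path = os.path.join(self._root, user_choice)
        return FileCap(open(path, "r+", encoding="utf-8"))


def run_app(cap):
    """Untrusted app code, written against FileCap only: no open(), no paths,
    no directory listing. Returns what the app sees after its edit."""
    before = cap.read()
    cap.write(before + "appended by app\n")
    return cap.read()


def demo():
    """Run the app once with a real grant and once with a decoy grant.
    Returns (real_result, decoy_result, real_file_on_disk_afterwards)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "notes.txt")
        with open(path, "w", encoding="utf-8") as f:
            f.write("real contents\n")  # constructed sample file

        cap = TrustedShell(workdir).pick_file("notes.txt")
        real_result = run_app(cap)
        cap.close()

        decoy_cap = TrustedShell(workdir, honeypot=True).pick_file("notes.txt")
        decoy_result = run_app(decoy_cap)

        with open(path, encoding="utf-8") as f:
            on_disk = f.read()  # the decoy run must not have touched this
    return real_result, decoy_result, on_disk


if __name__ == "__main__":
    print(demo())
```

The point of the split is that `run_app` has no way to name a file at all; everything it can touch arrived as an argument. Revoking or faking access is then a decision the shell makes at hand-off time, not a permission table the app consults.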
Not sure what you mean about hindering discoverability. Anyway, I don't think it's a solved problem at all. Object capabilities have never made it, at least to the mainstream, as far as I'm aware. But I'm a big fan of the idea.
https://www.researchgate.net/publication/220910162_EROS_a_fast_capability_system was a very interesting attempt at object capabilities
Thanks! Let me read (reread) that. I only meant solved technically. Basically I'm wondering how you can build say a file browser.
Deno is doing something similar https://deno.land/manual@v1.17.1/getting_started/permissions
Yeah, it's interesting!
I think we can probably be finer-grained than a giant "Network" capability, too.
Probably a capability to connect to specific domains, or maybe all domains but only in specific protocols or only in limited ways.
Oh yes, that is all planned.
One challenge with networking is that reads and writes become less obvious. Parsing packets may not be sustainable. But we can certainly track what host we're connecting to.
If you put constraints in place by restricting access to APIs, and don't grant raw packet access, I don't think it would be a difficult problem?
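Added example, not Teliva's or Deno's code: a network capability narrower than a blanket "Network" grant, in the spirit of the last few comments. The app gets a `fetch()` API rather than sockets or packets, the capability is limited to listed hosts and schemes, every attempt is recorded with the host it targeted (which is the part that stays tractable without parsing packets), and a holder can attenuate its capability to pass a narrower one to a sub-component but can never widen it. `NetCap`, `fake_transport` and the hostnames are assumed for this sketch; the transport is injected so the code runs offline.

```python
"""Fine-grained network capability (added example, not Teliva's API):
listed hosts only, listed schemes only, via a high-level fetch()."""
from urllib.parse import urlsplit


class NetCap:
    """Authority to talk to a fixed set of hosts over a fixed set of schemes.

    The app never sees a socket. fetch() checks the target before anything is
    sent and appends (scheme, host, decision) to a shared log. 'transport' is
    the injected function that would actually perform the request.
    """

    def __init__(self, hosts, schemes, transport, log=None):
        self._hosts = frozenset(h.lower() for h in hosts)
        self._schemes = frozenset(s.lower() for s in schemes)
        self._transport = transport
        self.log = log if log is not None else []

    def attenuate(self, hosts=None, schemes=None):
        """Derive a strictly narrower capability for a sub-component.
        Intersection with the current sets means authority can only shrink."""
        new_hosts = self._hosts
        if hosts is not None:
            new_hosts = self._hosts & frozenset(h.lower() for h in hosts)
        new_schemes = self._schemes
        if schemes is not None:
            new_schemes = self._schemes & frozenset(s.lower() for s in schemes)
        return NetCap(new_hosts, new_schemes, self._transport, self.log)

    def fetch(self, url):
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        # .hostname strips userinfo and port, so "a.example@evil.example"
        # resolves to evil.example rather than the name before the '@'.
        host = (parts.hostname or "").lower()
        allowed = scheme in self._schemes and host in self._hosts
        self.log.append((scheme, host, "allowed" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"not permitted: {scheme}://{host}")
        return self._transport(parts)


def fake_transport(parts):
    """Constructed stand-in for a real HTTP client; never touches the network."""
    return f"200 OK from {parts.hostname}{parts.path or '/'}"


def _try(cap, url):
    try:
        cap.fetch(url)
        return "allowed"
    except PermissionError:
        return "denied"


def demo():
    """Exercise allow, deny, the userinfo trick and attenuation.
    Returns (results dict, list of log entries)."""
    cap = NetCap(["api.example.com", "cdn.example.com"], ["https"], fake_transport)
    results = {"ok": cap.fetch("https://api.example.com/v1/status")}
    for url in (
        "http://api.example.com/",                    # wrong scheme
        "https://api.example.com@evil.example/",      # userinfo trick, real host is evil.example
        "https://other.example/",                     # host not in the list
    ):
        results[url] = _try(cap, url)

    # Hand a sub-component a capability for the CDN only.
    narrow = cap.attenuate(hosts=["cdn.example.com"])
    results["narrow_ok"] = narrow.fetch("https://cdn.example.com/app.js")
    results["narrow_api"] = _try(narrow, "https://api.example.com/v1/status")

    # Attenuation cannot re-add hosts that were removed.
    widened = narrow.attenuate(hosts=["api.example.com", "cdn.example.com"])
    results["widened"] = _try(widened, "https://api.example.com/")
    return results, list(cap.log)


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Parsing the URL once at the API boundary is what keeps this cheap: the sandbox decides on scheme and host, never on packet contents, which is the trade-off the comment above points at. If an app needed raw sockets, none of this would hold, so that would have to be its own, much broader, capability.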