Recently found out about YH and was wondering if it was possible to sandbox each app separately (or if they are sandboxed by default).
In case they are sandboxed, is it possible to move an app and its data between physical servers?
Thanks in advance
Apps are not sandboxed as in containerized. We use the base tools given to us by Debian: user/group ownerships, ACLs, systemd protection flags, etc.
Containerized or not, it is still possible to move an app between physical servers by backing them up and restoring them elsewhere.
Debian 12 introduced AppArmor 3 by default in the install. AppArmor profiles can be tweaked to restrict application capabilities. It's quite effective but time-consuming, as too many restrictions can prevent applications from working… I wonder how this will be implemented in YunoHost.
I’m not sure this would be anything really new compared to what we already do with systemd tweaking (which also includes “capabilities”, dunno if that refers to the same thing)
Can you tell more about this?
I think this is what Aleks is referring to:
```ini
Description=Small description of the service
# Sandboxing options to harden security
# Depending on specificities of your service/app, you may need to tweak these
# .. but this should be a good baseline
# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
```
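For readers who want to see what the "systemd tweaking" discussed above looks like in full, here is an added example of a hardened unit for a hypothetical web application called `myapp`. It is not YunoHost's own template and not code from anyone in this thread; the service name, user, paths and `ExecStart` command are assumptions chosen for illustration. Every directive is documented in the systemd.exec man page linked in the post above.

```ini
# Added example (not YunoHost's template): a systemd unit for a hypothetical
# app "myapp". Service name, user, paths and ExecStart are assumptions.
[Unit]
Description=myapp (hypothetical web application)
After=network.target

[Service]
Type=simple
User=myapp
Group=myapp
WorkingDirectory=/var/www/myapp
ExecStart=/var/www/myapp/venv/bin/python3 /var/www/myapp/app.py
Restart=on-failure

# Sandboxing options to harden security.
# Depending on the specificities of your app, you may need to tweak these.
# Details: https://www.freedesktop.org/software/systemd/man/systemd.exec.html

# Privilege escalation: no setuid/fscaps gains, and an empty capability set.
# If the app must bind a port below 1024, add CAP_NET_BIND_SERVICE to both
# CapabilityBoundingSet= and AmbientCapabilities= instead of running as root.
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=

# Filesystem: read-only / and /usr, no access to home directories, a private
# /tmp, and only the app's data and log directories writable.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/www/myapp/data /var/log/myapp
PrivateDevices=yes
ProtectProc=invisible
ProcSubset=pid

# Kernel and host surface the app has no business touching.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
LockPersonality=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes
RemoveIPC=yes
# Breaks JIT runtimes (Node.js, Java, some native Python extensions); drop it
# if the service fails to start with memory mapping errors.
MemoryDenyWriteExecute=yes

# Network: only IPv4, IPv6 and unix sockets. Libraries that enumerate
# interfaces need AF_NETLINK as well.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# Syscall filter: @system-service is the usual allow-list baseline; the second
# line removes the privileged and resource-limit groups on top of it.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target
```

Install it as `/etc/systemd/system/myapp.service`, run `systemctl daemon-reload`, then `systemd-analyze security myapp.service` to see the exposure score and which directives are still missing. When a directive is too tight for a given app, the failure usually shows up in `journalctl -u myapp` as an EPERM or EACCES error on the exact operation that was blocked, which tells you which single line to relax rather than dropping the whole baseline.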