status of kde/plasma kiosk framework in kf5

Sun Dec 18 20:08:00 UTC 2016

hello everybody,

1)
thx for fixing the part with the application launchers :-)

2)
device_automounter_kcm.desktop=false
works fine.. thank you for that...  networkmanager is not in the list by now

3)
well i just thought that libreoffice (with kde integration) was using a 
kde module for that therefore i thought it should respect the kde 
restrictions

4)
ok.. so i could remove xterm and well...  lets say if a student is that 
good in handling linux he/she deserves to get more out of the system.. 
in public of course this still would be a problem

5)
well dolphin has a menubar, a toolbar and sidebars (for example the 
"places" panel)
if i lock toolbars the places panel is still moveable and can be 
removed..  it is not treated as toolbar..

6)
thank for the offer! i used the last week to get my self up to speed 
with pyqt5 and python and i came up with some graphical user interfaces 
for my simple scripts
http://life-edu.eu/news.html

7)
any idea why a single launcher in the main panel (Konsole) still shows a 
context menu while ALL the other respect the setting? something wrong in 
the .desktop file?

thank you all!
thomas

On 07.12.2016 13:00, enterprise-request at kde.org wrote:
> Send Enterprise mailing list submissions to
> 	enterprise at kde.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://mail.kde.org/mailman/listinfo/enterprise
> or, via email, send a message with subject or body 'help' to
> 	enterprise-request at kde.org
>
> You can reach the person managing the list at
> 	enterprise-owner at kde.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Enterprise digest..."
>
>
> Today's Topics:
>
>     1. Re: status of kde/plasma kiosk framework in kf5 (Kai Uwe Broulik)
>     2. Re: status of kde/plasma kiosk framework in kf5 (Marco Martin)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 07 Dec 2016 10:46:29 +0100
> From: Kai Uwe Broulik <kde at privat.broulik.de>
> To: "enterprise at kde.org" <enterprise at kde.org>, Plasma
> 	<plasma-devel at kde.org>
> Cc: David Faure <faure at kde.org>
> Subject: Re: status of kde/plasma kiosk framework in kf5
> Message-ID: <E1cEYo0-0008J3-5S at smtprelay02.ispgateway.de>
> Content-Type: text/plain; charset=utf-8
>
> Hi Thomas,
>
> good to hear back from you!
>
>> - Menu for "Edit Applications"  in the launcher called "Anwendungsübersicht" and "Anwendungsmenü" (its working in "Anwendungs-Starter")
> That was an oversight, I just uploaded a patch to fix this :)
>
> The others are just shortcuts to system settings modules. You can use the [KDE Control Module Restrictions] section in kdeglobals, for instance:
>
> device_automounter_kcm.desktop=false
>
> (You can use kcmshell5 --list to find out the names, there's no extensive documented list on what applet uses which, unfortunately)
>
> Even if the entries still show up in the context menu when you restricted them (which would be a bug you should report) kcmshell will still refuse to open it, so it should be purely cosmetical then.
>
> I *think* the network editor, not being a regular system settings module, cannot currently be restricted. :/ Needs to be figured out.
>
>> libreoffice (even when using the kde file open dialogs - libreoffice kde integration ) still allows to enter any folder you like..
> This is somewhat to be expected as KIOSK only operates on KIO (KDE's own IO Layer). I think you need to use SELinux or AppArmor for that? I'm not an expert in that, though.
>
>> i also kinda hacked my own secure environment where shell access is not allowed by placing a .desktop file in .local/share/kservices5/ServiceMenus/ that allows me to open a terminal in the current folder ^^
>> dolphin shouldn't allow this.. right?
> Konsole's desktop file has a key X-KDE-AuthorizeAction=shell_access that tells klauncher to refuse to start it when such restriction is in effect.
>
> I'll cc David Faure as KIO master whether he knows how to prevent the system from picking up custom applications and services in the user's home. I thought that the .desktop files needed to be marked executable but that doesn't seem to be the case. David? Maybe "run_desktop_files" restriction helps here?
>
> Also, I bet a user can still launch xterm even with shell_access. Problem about KIOSK is that it's really only enforced be KDE stuff, so again: perhaps have a look at SELinux / AppArmor to make sure everyone plays well ;)
>
>> Getting "dolphins" places panel locked too when other toolbars are locked - is this a featurerequest or a bugreport?
> I don't fully understand, which restriction does what exactly to the panel in Dolphin?
>
>> if i'm done with it i'm definitely going to write an extensive howto and a little program :-)
> Looking forward to it!
>
>> PS: i am working on a plasma based "secure exam environment" (for austrian schools) which i'm going to present at the "day of digital education" at klagenfurt's university in 2 months.
> Sounds interesting, looking forward to hearing your report how it went. We're glad you've chosen Plasma for this challenge!
>
>> most of it is kdialog for now
> We could surely help you make it prettier than that :)
>
> Thanks slot for your stress tests and feedback,
> Kai Uwe
>
> ------------------------------
>
> Message: 2
> Date: Wed, 07 Dec 2016 12:18:30 +0100
> From: Marco Martin <notmart at gmail.com>
> To: enterprise at kde.org, Plasma <plasma-devel at kde.org>
> Subject: Re: status of kde/plasma kiosk framework in kf5
> Message-ID: <1677411.VG9dNIxJRI at phobos>
> Content-Type: text/plain; charset="us-ascii"
>
> On Wednesday 07 December 2016 10:46:29 Kai Uwe Broulik wrote:
>> Even if the entries still show up in the context menu when you restricted
>> them (which would be a bug you should report) kcmshell will still refuse to
>> open it, so it should be purely cosmetical then.
>>
>> I *think* the network editor, not being a regular system settings module,
>> cannot currently be restricted. :/ Needs to be figured out.
> iirc it was recently ported to a kcm, so in future versions this shouldn't be
> a problem?
>
>