plasma security constraints

Aaron J. Seigo aseigo at kde.org
Sun Jul 13 19:34:19 CEST 2008 

On Friday 11 July 2008, Chani wrote:
> *launching external programs: this isn't entirely about security - if the
> screensaver is running, those external programs will be trapped below it,
> so that makes them rather useless. it's nice to let applets know, so that
> they can just not bother trying.

we'll also want this for certain lock down scenarios, such as untrustred 
downloaded scripts ...

> *running arbitrary commands: we have a plasmoid that allows you to just
> type in a command and run it. I don't think I have to explain why that's
> dangerous. :)

how is this differentiated from "launching external programs"? is there a 
situation where it would be Ok to launch arbitrary UI apps but not system 
commands?

> *arbitrary file read/write: this one needs splitting into several
> constraints, I think, but I'm not sure how to do it. first, should reading
> and writing be separate constraints? after that... well, filesystem access
> is risky. but there's also things like fish and ftp and so on (especially
> bad if ssh-agent is running). but I'm not sure I want to lump *all* kio
> protocols together, because one may want to allow http/https but not
> filesystem access. maybe split it like this:
> *local filesystem access
> *remote filesystem access
> *web (http/https) access

yes, with read/write for each.

> hmm, I wonder where a cd or ipod would fit in there...

unmounting/mounting volumes? (e.g. via Solid)

> *communication: sending messages using someone's identity would be bad.
> twitter on the screensaver would be better off turning read-only. whether
> you want people looking at your screensaver to be able to read incoming
> messages is your business...

right; so there's a general "untrusted individual" category

we shoul also be able to generate the above in an aumated fashion for QScript 
based applets. (the other languages are less hopeful as they contain a lot 
more builtins and the ScriptEngine authors for those languages don't have much 
focus on this aspect of script driven applets)

> *desktoppy stuff: application launchers, taskbars, systray, pager, etc...
> these only belong on a desktop, not the screensaver or anywhere else. they
> tend to assume we have a windowmanager, plasma-the-desktop, and all the
> usual stuff available. application-launchers also fall under the heading of
> "launching external programs". I need a better name for this category,
> though. :)

you can probably filter on the applet category here; Windows and Tasks, 
Application Launchers.

> so, any thoughts?
>
> oh, and a separate thing that came up while working on this: I think maybe
> X-KDE-ParentApp should be a list, not a single string. in case someone
> writes a plasmoid that, say, is useful to both amarok and the desktop.

X-KDE-ParentApp is already defined elsewhere and as used elsewhere actually 
makes sense as a single string. so we probably need something slightly 
different in plasma to augment this.

perhaps use X-KDE-ParentApp to say "this comes from Amarok" and X-
Plasma-{SOMETHING} to say "it's also useful outside of Amarok"?

as for the appletbrowser, it seems it will need to:

* allow defining allowable applet categories
* allow definition of a security profile
* allow defining not just the host app, but also if other apps are 
supported/desired?

i'd like to avoid going all the way with "define a constraint in 
KServiceTypeTrader syntax" ..

-- 
Aaron J. Seigo
humru othro a kohnu se
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA  EE75 D6B7 2EB1 A7F1 DB43

KDE core developer sponsored by Trolltech

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part.
Url : http://mail.kde.org/pipermail/panel-devel/attachments/20080713/0fa78e71/attachment.pgp

More information about the Panel-devel mailing list