status of kde/plasma kiosk framework in kf5

Kai Uwe Broulik kde at privat.broulik.de
Wed Dec 7 09:46:29 UTC 2016


Hi Thomas,

good to hear back from you!

> - Menu for "Edit Applications"  in the launcher called "Anwendungsübersicht" and "Anwendungsmenü" (its working in "Anwendungs-Starter")

That was an oversight, I just uploaded a patch to fix this :)

The others are just shortcuts to system settings modules. You can use the [KDE Control Module Restrictions] section in kdeglobals, for instance:

device_automounter_kcm.desktop=false

(You can use kcmshell5 --list to find out the names, there's no extensive documented list on what applet uses which, unfortunately)

Even if the entries still show up in the context menu when you restricted them (which would be a bug you should report) kcmshell will still refuse to open it, so it should be purely cosmetical then.

I *think* the network editor, not being a regular system settings module, cannot currently be restricted. :/ Needs to be figured out.

> libreoffice (even when using the kde file open dialogs - libreoffice kde integration ) still allows to enter any folder you like..

This is somewhat to be expected as KIOSK only operates on KIO (KDE's own IO Layer). I think you need to use SELinux or AppArmor for that? I'm not an expert in that, though. 

> i also kinda hacked my own secure environment where shell access is not allowed by placing a .desktop file in .local/share/kservices5/ServiceMenus/ that allows me to open a terminal in the current folder ^^
> dolphin shouldn't allow this.. right?

Konsole's desktop file has a key X-KDE-AuthorizeAction=shell_access that tells klauncher to refuse to start it when such restriction is in effect.

I'll cc David Faure as KIO master whether he knows how to prevent the system from picking up custom applications and services in the user's home. I thought that the .desktop files needed to be marked executable but that doesn't seem to be the case. David? Maybe "run_desktop_files" restriction helps here?

Also, I bet a user can still launch xterm even with shell_access. Problem about KIOSK is that it's really only enforced be KDE stuff, so again: perhaps have a look at SELinux / AppArmor to make sure everyone plays well ;)

> Getting "dolphins" places panel locked too when other toolbars are locked - is this a featurerequest or a bugreport?

I don't fully understand, which restriction does what exactly to the panel in Dolphin?

> if i'm done with it i'm definitely going to write an extensive howto and a little program :-)

Looking forward to it!

> PS: i am working on a plasma based "secure exam environment" (for austrian schools) which i'm going to present at the "day of digital education" at klagenfurt's university in 2 months.

Sounds interesting, looking forward to hearing your report how it went. We're glad you've chosen Plasma for this challenge! 

> most of it is kdialog for now

We could surely help you make it prettier than that :)

Thanks slot for your stress tests and feedback,
Kai Uwe 


More information about the Plasma-devel mailing list