[gnome-desktop/wip/hadess/more-docs: 3/3] README: Explain thumbnailing security model
- From: Bastien Nocera <hadess src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnome-desktop/wip/hadess/more-docs: 3/3] README: Explain thumbnailing security model
- Date: Thu, 24 Sep 2020 14:49:15 +0000 (UTC)
commit 87435e7c7b06b914fbd51e2a3a6ed0d8d4acc054
Author: Bastien Nocera <hadess hadess net>
Date: Thu Sep 24 16:43:44 2020 +0200
README: Explain thumbnailing security model
Thanks to Simon McVittie for the original writeup.
README.md | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
---
diff --git a/README.md b/README.md
index 7d99d09c..b8d26fc8 100644
--- a/README.md
+++ b/README.md
@@ -32,3 +32,28 @@ Bugs should be reported to the [Issues section of gnome-desktop repository](http
Please read the HACKING file for information on where to send changes or
bugfixes for this package.
+
+Thumbnailing sandboxing
+=======================
+
+The thumbnailer sandboxing was built to prevent a number of different
+potential attack vectors.
+
+- The attacker wants to steal arbitrary secrets from your machine (a
+ confidentiality failure), or overwrite arbitrary files (an integrity
+ failure).
+- The attacker is assumed to be capable of inducing you to download a
+ crafted thumbnailable object (picture, video, ROM) that will crash a
+ thumbnailer and get arbitrary code execution.
+- Stealing your secrets is prevented by:
+ - only giving the thumbnailer access to the file it's thumbnailing,
+ plus public files from `/usr`-equivalent places, so that it can't
+ leak the content of a secret file into the thumbnail of a less-secret
+ file.
+ - not giving it internet access, so that it can't upload the file it's
+ thumbnailing to Wikileaks.
+- Overwriting arbitrary files is prevented by making the output of the
+ thumbnailer the only thing that can be written from inside the sandbox.
+- Subverting other programs to do one of those is (hopefully) prevented by only
+ allowing it to output PNG thumbnails, because we hope PNG reader libraries are
+ a lot more secure than libraries to read exotic image formats.
\ No newline at end of file
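Review bot: the new list mixes the threat model (the two bullets starting "The attacker wants to steal" and "The attacker is assumed to be capable") with the mitigations that follow, while the lead sentence promises "potential attack vectors"; consider splitting it into a "Threat model" and a "Mitigations" subsection so readers can tell assumptions from controls. The mitigation bullets would also benefit from saying how "the only thing that can be written from inside the sandbox" is enforced (which sandboxing mechanism is used, and whether the caller validates the returned PNG before trusting it), since the PNG-only output is currently presented, with a "hopefully", as the sole protection against subverting other programs. Minor: the file is left without a trailing newline ("\ No newline at end of file").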