Re: Initial ideas on portals for file access



On Tue, 2015-03-10 at 13:57 +0000, Allan Day wrote:
> Alexander Larsson <alexl redhat com> wrote:
> > ...
> > I've been thinking a bit about file access in sandboxed apps.
> > ...
> > There are a few ways such documents could be used by sandboxed
> > applications:
> > 
> > * Application silos
> > ...
> > * Allow app access to parts of $HOME
> > ...
> > * Allow application access to files after interactive operation
> > ...
> > * Implicit permission grants from interactive operations
> > ...
> > So, what do we want to do here? I don't think the application silo
> > model is a good fit
> > ...
> > We could allow partial HOME access
> > to some very trusted apps, but that doesn't really strike me as a
> > proper sandbox solution.

> We need to keep cloud storage in mind here. I can imagine a future
> where each content application (such as your photo manager or music
> app) can be backed by an online account rather than defaulting to
> local-only storage. That online account could be filesystem-like [1],
> in which case other apps could access the same files (assuming they
> are given permission), but it might be a more specific service [2].
> 
> I can also imagine some deployments where the system is preconfigured
> to only allow certain online storage providers, and local-only file
> storage is either limited or disabled altogether.
> 
> We will also need to be able to have open, save and share dialogs that
> can span each of these types of file storage, so you can attach a
> photo to an email, irrespective of whether you use Flickr, OneDrive,
> or just the local disk in order to store it.

I think these are somewhat separate. If gnome-photos accesses photos via
flickr, it will be using some network IPC method to get those, and as
long as you have network access, the cookie permissions I'm talking
about above do not really come into play. Instead the permissions
there are all about the application having access to the authentication
cookie for flickr from gnome-online-accounts.

However, as you say they are somewhat related, because another
application which is not so photo-savvy may want to access the files from
flickr without having any knowledge about these network APIs at all.

The cookie stuff above is designed to be able to be backed on remote
storage too, we just make sure to download the file first. Obviously
that has to be taken into consideration when creating the file portal,
so that we can naturally extend it on the session side, but the
application should not be affected by that.

> A slightly different point - while content apps require comprehensive
> access to a storage location (since they need to be able to see every
> content item, and might want to change any of them), I don't think
> that this is necessary for most apps. This could create issues with
> apps asking for unnecessary access - how is a user supposed to know
> that the access isn't necessary?

I don't have a good reply to this in general, other than "the user
trusts some entity that reviewed the app permissions". For instance,
gnome could run an app repository that contained "reviewed" apps, which
are essentially (gpg-signed) symlinks to the corresponding upstream
repos.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                            Red Hat, Inc 
       alexl redhat com            alexander larsson gmail com 
He's a suave gay paramedic with no name. She's a hard-bitten renegade 
fairy princess with the soul of a mighty warrior. They fight crime! 