[Usability] Content Separation in GNOME


I have no idea what the right mailing list is to post this message - 
there are hundreds of them on GNOME's website, and I'm confused.
In any case, my proposal is related to Usability, so I decided to
email here.

I'm helping improve the Fedora SELinux implementation, and I'm
particularly interested in "desktop" applications, and how they might be
confined to minimum privilege by future security policies. 

Currently applications such as sound-juicer, abiword, gnumeric, etc.
require full read/write access to the user's /home directory.
This is bad for security, because the /home directory contains
all kinds of important settings for applications, mixed-content
documents, and things downloaded from the Internet, which may contain
hostile content. 

I would like to propose introducing content folders to GNOME, similar to
Windows' "My Documents", "My Music", etc. This will improve usability
by creating a structure where the user can organize his or her
documents, as opposed to storing everything in /home. This will
improve security by allowing us to label such folders with
individual security context, and only allow applications to 
read/write to that particular context.

I proposed the following as a first draft to NSA-list, but the concept
is important, not the exact folders - I'm sure you can figure out a
better scheme:

~/content - ROLE_content_t
~/content/desktop - ???
~/content/downloads - ROLE_untrusted_content_t
~/content/media - ROLE_media_content_t
~/content/documents - ROLE_documents_content_t
~/content/mail - ROLE_mail_content_t
~/content/export_web - ROLE_httpd_user_content_t
~/content/export_samba - ROLE_samba_share_t
~/content/export_p2p - ROLE_p2p_share_t

I am thinking of short lowercase names in the directory hierarchy, which
will have more descriptive Windows-style names in GNOME, integrated
with the Places menu. In addition, it is important for the individual
GNOME apps to present to the user the right place to store to by
default. For example, sound-juicer would store files in ~/content/media.

The way SELinux would work is - individual GNOME applications
will get their own security policy. Currently most of them run within
the same user_t context that has extensive privileges. The application's
policy would restrict it from reading/writing elsewhere. 

Nautilus and applications that don't have a policy yet, or don't follow
this scheme, would remain in user_t. user_t can read/write to all of
those folders, and relabel to/from each context. Also, Daniel Walsh has
a patch for nautilus that shows the SELinux context. I am thinking that
this can be integrated, and all the types above can be marked
"customizable" types, that the user is free to relabel to/from. Then
nautilus can have a drop-down box in the Properties that allows
the user to change the SELinux context to one of those things.

It was suggested on NSA-list that relabeling could also occur
automatically, upon opening a file, after filtering through
a virus scanner. For example, you would download a movie file from the
Internet. This file could contain hostile content, and would go under
~/content/downloads marked untrusted_content_t. Then when the user
clicks on it in nautilus, the mime type would determine a proper target
context to relabel to, and the user would be asked: "You are about to
relabel potentially hostile content? Are you sure you want to do this:
Yes | No | Scan w/ virus scanner, checkbox: do not ask again, checkbox:
scan all files of this type". This could also be triggered by copying a
file in nautilus.
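As an added illustration of the two pieces above (the draft folder-to-type table and the relabel-on-open prompt), here is a small Python model of the decision logic. It is not code from this post, from GNOME or from any SELinux policy; the type names are taken from the draft table, while the mime-type table, the home path, the `ROLE_` prefix handling and the function names are assumptions made for the example.

```python
"""Toy model of the content-folder labelling scheme and the relabel-on-open
decision sketched in the post (added example; assumptions are marked)."""
import os
from dataclasses import dataclass
from typing import Optional, List

# Draft folder -> type mapping from the post. "ROLE" is the post's placeholder
# for the per-role prefix; ~/content/desktop was left unassigned ("???"), so it
# is omitted and inherits the parent ~/content type here.
FOLDER_TYPES = {
    "content": "ROLE_content_t",
    "content/downloads": "ROLE_untrusted_content_t",
    "content/media": "ROLE_media_content_t",
    "content/documents": "ROLE_documents_content_t",
    "content/mail": "ROLE_mail_content_t",
    "content/export_web": "ROLE_httpd_user_content_t",
    "content/export_samba": "ROLE_samba_share_t",
    "content/export_p2p": "ROLE_p2p_share_t",
}
UNTRUSTED = "ROLE_untrusted_content_t"

# Assumed mime-type prefix -> target type table (not from the post).
MIME_TARGET_TYPE = {
    "video/": "ROLE_media_content_t",
    "audio/": "ROLE_media_content_t",
    "image/": "ROLE_media_content_t",
    "application/vnd.oasis.opendocument.": "ROLE_documents_content_t",
    "text/plain": "ROLE_documents_content_t",
    "message/rfc822": "ROLE_mail_content_t",
}


def folder_type(path: str, home: str = "/home/user") -> Optional[str]:
    """Type a file at `path` should carry, chosen by the longest matching
    content folder. Files outside ~/content get None: they stay under the
    generic user label and are not part of the scheme."""
    rel = os.path.relpath(path, home)
    best_folder, best_type = None, None
    for folder, t in FOLDER_TYPES.items():
        if rel == folder or rel.startswith(folder + "/"):
            if best_folder is None or len(folder) > len(best_folder):
                best_folder, best_type = folder, t
    return best_type


def target_type_for_mime(mime: str) -> Optional[str]:
    """Target type the mime type maps to, or None if unknown."""
    for prefix, t in MIME_TARGET_TYPE.items():
        if mime.startswith(prefix):
            return t
    return None


@dataclass
class RelabelDecision:
    current: Optional[str]      # type the file carries now
    target: Optional[str]       # type to relabel to, None = leave alone
    needs_confirmation: bool    # show the "potentially hostile" prompt
    offer_scan: bool            # offer the "scan with virus scanner" choice


def relabel_on_open(path: str, mime: str, home: str = "/home/user",
                    scanned_clean: bool = False,
                    dont_ask: bool = False) -> RelabelDecision:
    """Decide what the file manager should do when the user opens `path`.
    Only files labelled untrusted (the downloads folder) are candidates for
    relabelling; everything else keeps its folder type (assumption)."""
    current = folder_type(path, home)
    target = target_type_for_mime(mime)
    if current != UNTRUSTED or target is None:
        return RelabelDecision(current, None, False, False)
    # Relabelling untrusted content is the risky step: prompt unless the
    # user opted out ("do not ask again") or the file was already scanned.
    needs = not (dont_ask or scanned_clean)
    return RelabelDecision(current, target, needs, needs)


def chcon_command(path: str, new_type: str) -> List[str]:
    """argv the file manager would run to apply the chosen type
    (chcon -t is the real coreutils option; user/role are left untouched)."""
    return ["chcon", "-t", new_type, path]


if __name__ == "__main__":
    # Constructed sample: a movie downloaded into the untrusted folder.
    d = relabel_on_open("/home/user/content/downloads/movie.avi", "video/x-msvideo")
    print(d)
    if d.target and not d.needs_confirmation:
        print(" ".join(chcon_command("/home/user/content/downloads/movie.avi", d.target)))
```

The model keeps the prompt tied to a single property, "is the current label untrusted", so opting out with "do not ask again" or a clean scan result only suppresses the dialog and never widens which files are eligible for relabelling.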

This proposal does not apply strictly to GNOME, but to other Desktop
environments as well, although I haven't thought about integration in
other environments...


Ivan Gyurdiev <ivg2 cornell edu>
Cornell University
