Re: [Usability] Content Separation in GNOME

Ivan Gyurdiev wrote:
I proposed the following as a first draft to NSA-list, but the concept
is important, not the exact folders - I'm sure you can figure out a
better scheme:

~/content - ROLE_content_t
~/content/desktop - ???
~/content/downloads - ROLE_untrusted_content_t
~/content/media - ROLE_media_content_t
~/content/documents - ROLE_documents_content_t
~/content/mail - ROLE_mail_content_t
~/content/export_web - ROLE_httpd_user_content_t
~/content/export_samba - ROLE_samba_share_t
~/content/export_p2p - ROLE_p2p_share_t

I am thinking of short lowercase names in the directory hierarchy,
which will have more descriptive Windows-style names in GNOME,

Or you could give the folders descriptive human-style names to begin
with (like ~/Messages, ~/Music, ~/Documents, and so on), to avoid the
leaky abstraction. (For example, we don't want someone who backs up
their home folder on a USB device, then opens the device on a non-Gnome
machine, to say "Argh! Where did my Music folder go?".)

The way SELinux would work is - individual gnome applications
will get their own security policy. Currently most of them run within
the same user_t context that has extensive privileges. The
application's policy would restrict it from reading/writing elsewhere.

That would make the filesystem a lot less useful. What if I'm a
film-maker wanting to put video files, soundtrack music files and a
budget spreadsheet all in "~/Work/The Cassidy Kid Returns/"? What if I'm
a parent wanting to put photos, video, and a genealogy database in
"~/Family Album/"? What if I'm a businessperson wanting to put word
processing documents and a slideshow in "~/Tuesday presentation/"? And
so on.

I think we can still allow this while achieving the kind of security you
want. Back to the original problem:
Currently applications such as sound-juicer, abiword, gnumeric, etc.,
require full read/write access to the user's /home directory.
This is bad for security, because the /home directory contains
all kinds of important settings for applications, mixed-content
documents, and things downloaded from the Internet, which may contain
hostile content.

So the problem is separating:
1.  program settings
3.  everything else.

Perhaps this could be achieved more simply with a "Settings" folder and
a "Downloads" folder.

The Settings folder could work like this: Programs would be allowed to
read from anywhere in ~/Settings (to access settings shared between
programs, or to import settings from competing programs), and allowed to
write to their own subfolder of ~/Settings, but not allowed to write to
the ~/Settings subfolders belonging to other programs.

(Nautilus -- or a program Nautilus delegated to -- could present the
~/Settings folder by default as an integrated control panel for Gnome
settings and application-specific settings. Double-clicking an
application's subfolder would ideally launch that application with a
command to show its preferences window and nothing else. If accessing
this folder on a non-Gnome system you wouldn't see the control panel, of
course, but it wouldn't be too scary: you'd see a bunch of subfolders
with understandable names, and ideally the items inside those subfolders
would have understandable names too.)

I think that would prevent programs from stomping on each other's
settings, while still allowing people to arrange their documents and
other files in folders however they liked.

It was suggested on NSA-list that relabeling could also occur
automatically, upon opening a file, after filtering through
a virus scanner. For example, you would download a movie file from the
Internet. This file could contain hostile content, and would go under
~/content/downloads marked untrusted_content_t. Then when the user
clicks on it in nautilus, the mime type would determine a proper
target context to relabel to, and the user would be asked: "You are
about to relabel potentially hostile content? Are you sure you want to
do this: Yes | No | Scan w/ virus scanner, checkbox: do not ask again,
checkbox: scan all files of this type". This could also be triggered
by copying a file in nautilus.

Aunt Tillie says: "'Relabel'? 'Hostile'? 'Content'? ... What is it
talking about, dear?" Confirmation alerts are not the best way of
providing security anyway, because people tend not to read them.

Instead, the Downloads folder could work like this: Nautilus wouldn't
let you open a file directly from the folder, but the folder window
would have a panel along the top saying "To open a file you trust, move
it out of this folder first." (This is comparable to the Trash in Mac OS
and the Recycle Bin in Windows: if you want to open a file in either of
those, you have to take it out first.) This would make elevating a
file's trustedness a deliberate action, without using an alert. If you
had a virus scanner installed, it would automatically be called on to
scan a file whenever it was moved or copied out of ~/Downloads.

(Nautilus -- or a program Nautilus delegated to -- could even present
the ~/Downloads folder window as a universal download manager. Browsers,
IM clients, and so on would still be responsible for doing the actual
downloading into the folder, but the folder window would provide a
unified interface for stopping and showing status of downloads. An API
would need to be invented for retrying/resuming and communicating
expected final file size, though.)

Matthew Thomas
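The Settings and Downloads rules proposed above, as an added example that is not part of the original thread: a small Python model of the access decision, with the home path, application names and file names constructed for illustration. SELinux would enforce this by file label rather than by path, so the path normalisation and component-wise containment here stand in for what labels give you for free.

```python
from pathlib import PurePosixPath

HOME = PurePosixPath("/home/tillie")  # constructed sample home directory
SETTINGS = HOME / "Settings"
DOWNLOADS = HOME / "Downloads"


def _normalize(path: str) -> PurePosixPath:
    """Collapse '.' and '..' lexically, so a request for
    ~/Settings/abiword/../gnumeric/prefs is judged against the gnumeric
    subfolder and not against the 'abiword' component that appears in
    the raw string. (A real enforcer would also resolve symlinks.)"""
    parts = []
    for comp in PurePosixPath(path).parts:
        if comp == "..":
            if parts and parts[-1] != "/":
                parts.pop()
        elif comp != ".":
            parts.append(comp)
    return PurePosixPath(*parts)


def allowed(app: str, op: str, path: str) -> bool:
    """Model of the proposed rules for one GNOME application `app`.

    op is one of "read", "write", "open" or "move_out" (names assumed here).
    ~/Settings: readable anywhere, writable only under ~/Settings/<app>.
    ~/Downloads: nothing may be opened in place; files may only be moved out.
    Anywhere else: the user arranges files however they like."""
    p = _normalize(path)

    def under(root: PurePosixPath) -> bool:
        # Component-wise containment: "~/Settings/abiword-evil" must not
        # pass as "~/Settings/abiword", which a string-prefix test allows.
        return root == p or root in p.parents

    if under(SETTINGS):
        if op == "read":
            return True
        return under(SETTINGS / app)   # write only to the app's own subfolder
    if under(DOWNLOADS):
        return op == "move_out"        # elevating trust is a deliberate move
    return True
```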
