elementary-dev-community team mailing list archive
Re: elementary's path forward for application containment and security.
I've been thinking about app containment too and I know I feel better on iOS that apps have to ask my permission to use things like location services.
I think it would be worth looking at the solutions from both Canonical and GNOME first before we go building our own solution.
On Tue, Mar 18, 2014 at 6:36 PM, Cameron Norman <camerontnorman@xxxxxxxxx>
> Hello all,
> I recently have taken an interest in some of the containment and
> security features being developed for Ubuntu touch, as well as Lennart
> Poettering's plans for containment on GNOME.
> One of the recurring aspects that I see is a "Content Hub" (Ubuntu) or
> "application Portals" (GNOME) system. Both of these have remarkable
> similarity (in concept) to elementary's Contractor. Although many of
> you most likely did not foresee Contractor's role in security when it
> was created, it undoubtedly does have one. By delegating out
> responsibilities (such as, say, printing), Contractor allows for the
> removal of privileges from an application. If all applications are
> using the print contract, there is no need for those applications to
> have the capability to use the printer.
> By extending Contractor's scope (or moving to another service) further
> containment, as well as better features, is possible. Specifically,
> returning data, instead of handing them off, will allow for increased
> consolidation of privileges.
> The open and save GTK file dialogs are a great example. If apps use
> contracts to perform these functions, they do not need to be given the
> privilege of directly reading or writing to the user's documents,
> pictures, emails, etc.
> Another good example is retrieving a profile photo. Instead of having
> every social media app be able to directly access the webcam, they
> could ask Contractor for a photo, and Contractor could give the webcam
> These are the changes/additions that I think could make this possible:
> * returning data instead of just handing it off
> * ability to call a contract by name (e.g. "Print" or "OpenFile")
> * passing / returning more types of data: not just files, but also
> strings, booleans, or URLs
> Before I go into detail about how I have been thinking about exposing
> this functionality, I would like to hear all of your thoughts about the
> merit of these changes, and if any of you would like to develop these
> things with me (heads up: I suck at programming :).
> Lennart Poettering's presentation of portals at GUADEC 2013, starting
> at 35:00.
> Ubuntu Mobile's "Content Hub".
> Thank you very much for reading,
> Cameron Norman
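As an added illustration of the brokered model proposed in the quoted mail (example code written for this page, not Contractor's own code nor the Canonical or GNOME implementations): a broker that holds the file and printer privileges, dispatches contracts by name, and returns typed data to the app instead of handing files off. `ContractBroker`, `make_broker`, the `picker` callback and the sample documents are assumptions.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional

@dataclass
class ContractResult:
    ok: bool
    value: Any = None  # a string, boolean, URL string or file content, per the proposal

class ContractBroker:
    """Holds every privilege; an app only knows contract names and result types."""

    def __init__(self) -> None:
        self._contracts: Dict[str, Callable[[Dict[str, Any]], ContractResult]] = {}

    def register(self, name: str, handler: Callable[[Dict[str, Any]], ContractResult]) -> None:
        self._contracts[name] = handler

    def call(self, name: str, args: Dict[str, Any]) -> ContractResult:
        handler = self._contracts.get(name)
        if handler is None:
            return ContractResult(False)  # unknown contract: refused, nothing leaks
        return handler(args)

# Constructed sample documents that only the broker may read; the app never sees the dict.
DOCUMENTS = {"notes.txt": b"shopping list", "taxes.pdf": b"%PDF-1.4 constructed"}

def make_broker(picker: Callable[[], Optional[str]]) -> ContractBroker:
    """`picker` stands in for the file dialog the broker (not the app) shows."""

    def open_file(args: Dict[str, Any]) -> ContractResult:
        # The app cannot name a path; the user's choice in the broker's dialog
        # decides, and only that one file's content is returned.
        chosen = picker()
        if chosen not in DOCUMENTS:
            return ContractResult(False)
        return ContractResult(True, DOCUMENTS[chosen])

    def print_text(args: Dict[str, Any]) -> ContractResult:
        text = args.get("text")
        if not isinstance(text, str):
            return ContractResult(False)  # type check on data crossing the boundary
        # The broker drives the printer; the app only learns a boolean outcome.
        return ContractResult(True, True)

    broker = ContractBroker()
    broker.register("OpenFile", open_file)
    broker.register("Print", print_text)
    return broker
```

Note that the app-supplied `path` argument is ignored by `OpenFile`: which file is read is decided by the user in the broker's dialog, which is the point of returning data rather than granting document access.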