← Back to team overview

elementary-dev-community team mailing list archive

Re: elementary's path forward for application containment and security.


Hey Cameron,

I've been thinking about app containment too and I know I feel better on iOS that apps have to ask my permission to use things like location services.

I think it would be worth looking at the solutions from both Canonical and GNOME first before we go building our own solution. 

Daniel Foré

On Tue, Mar 18, 2014 at 6:36 PM, Cameron Norman <camerontnorman@xxxxxxxxx>

> Hello all,
> I recently have taken an interest in some of the containment and 
> security features being developed for Ubuntu touch, as well as Lennart 
> Poettering's plans for containment on GNOME.
> One of the recurring aspects that I see is a "Content Hub" (Ubuntu) or 
> "application Portals" (GNOME) system. Both of these have remarkable 
> similarity (in concept) to elementary's Contractor. Although many of 
> you most likely did not foresee Contractor's role in security when it 
> was created, it undoubtedly does have one. By delegating out 
> responsibilities (such as, say, printing), Contractor allows for the 
> removal of privileges from an application. If all applications are 
> using the print contract, there is no need for those applications to 
> have the capability to use the printer.
> By extending Contractor's scope (or moving to another service) further 
> containment, as well as better features, is possible. Specifically, 
> returning data, instead of handing them off, will allow for increased 
> consolidation of privileges.
> The open and save GTK file dialogs are great example. If apps use 
> contracts to perform these functions, they do not need to be given the 
> privilege of directly reading or writing to the user's documents, 
> pictures, emails, etc.
> Another good example is retrieving a profile photo. Instead of having 
> every social media app be able to directly access the webcam, they 
> could ask Contractor for a photo, and contractor could give the webcam 
> option.
> These are the changes/additions that I think could make this possible:
>  * returning data instead of just handing it off
>  * ability to call a contract by name (e.g. "Print" or "OpenFile")
>  * passing / returning more types of data: not just files, but also 
> strings, booleans, or URLs
> Before I go into detail about how I have been thinking about exposing 
> this functionality, I would like to hear all of your thoughts about the 
> merit of these changes, and if any of you would like to develop these 
> things with me (heads up: I suck at programming :).
> Lennart Poettering's presentation of portals at GUADEC 2013, starting 
> at 35:00.
> Ubuntu Mobile's "Content Hub".
> Thank you very much for reading,
> --
> Cameron Norman 

Follow ups