
Re: [Plash] Permissions in .pkg Files


From: Mark Seaborn
Subject: Re: [Plash] Permissions in .pkg Files
Date: Mon, 05 May 2008 12:51:00 +0100 (BST)

Toby Murray <address@hidden> wrote:

> While waxing on .pkg files, is there a plan to allow .pkg files to
> specify static permissions to be granted to launched application
> instances?
> 
> It would appear to be useful to be able to grant coarse-grained static
> permissions such as
> - Access to network (pola-run's --net option)
> - Access to X11 (pola-run's --x11 option)
> - Access to Record Audio (read access to /dev/dsp or similar)
> - Access to Play Audio (write access to /dev/dsp or similar)
> 
> Being able to specify that Firefox should have access to the network but
> Evince should not seems useful.
> 
> Further, being able to say that Rhythmbox should be able to play audio
> but that Evince should not would also be useful.

Yes, there needs to be a way to grant these rights.

The long term aim is to have a GUI for installing an application and
granting it rights.

I have been regarding the .pkg file format as a temporary solution.
It does double duty: it stores what the application requests or
suggests (such as the application's name), and it also stores what the
user chooses.  The user chooses the application's pet name by editing
the file, but this could be done via a GUI.

We could do something similar with these coarse-grained access rights,
and have a few boolean fields in the .pkg file to record whether the
sound device, the network, etc., should be granted.

How or whether an application should be able to request these rights
is another matter.

It wouldn't be hard to add these fields, but it doesn't seem very
extensible.

One factor is that we will often want files/directories that have been
granted via the powerbox to be persistent.  Files granted to a music
player need to be persistent, for example.  The simplest
implementation for persisting file grants would store a list of
pathnames of files to grant.  This would be structurally the same as a
list of -f and -t options to pola-run.  However, that does not provide
a way to support granting unusual objects such as union directories
and copy-on-write directories.  This would probably require a
generalised system for persistent object references.


> Also, how does Plash interact with D-BUS, which seems to have become a
> mandatory service that all GNOME apps require access to these days?

Plash doesn't know about D-Bus yet.  I guess we might have to tame
access to D-Bus objects.  Do you have any D-Bus objects or services in
mind?

If an application wants access to a D-Bus bus without requiring any
particular objects from it, it is easy to launch it through
dbus-launch to give it a private bus.

Cheers,
Mark
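To make the design sketched above concrete (boolean fields in the .pkg file for coarse rights, plus a persisted list of pathnames that is "structurally the same as a list of -f and -t options to pola-run"), here is an added example that is not Plash code and not an existing .pkg format. It assumes a hypothetical "Key: value" file with boolean fields Net, X11, Audio-Play and Audio-Record and a repeatable Grant field holding one absolute path, optionally prefixed with "rw". Everything the file does not list is denied, and grant paths are validated before they are turned into pola-run arguments. The --net, --x11, -f and -fw options are pola-run's; mapping audio to /dev/dsp follows the suggestion in the thread and is an assumption.

```python
"""Translate a hypothetical .pkg-style grant file into pola-run arguments.

Assumed file format (not Plash's own): 'Key: value' lines, '#' comments,
boolean fields Net / X11 / Audio-Play / Audio-Record ("yes" or "no"),
and a repeatable 'Grant' field: 'Grant: /abs/path' (read-only) or
'Grant: rw /abs/path' (read/write).  Anything not listed is not granted.
"""
import re
import shlex

# Hypothetical boolean field -> pola-run arguments.  --net and --x11 are
# pola-run's real options; expressing audio as access to /dev/dsp follows
# the thread's suggestion and is an assumption of this example.
BOOLEAN_FLAGS = {
    "net": ["--net"],
    "x11": ["--x11"],
    "audio-play": ["-fw", "/dev/dsp"],     # write access to play
    "audio-record": ["-f", "/dev/dsp"],    # read-only access to record
}

FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")


def parse_grant(value, lineno):
    """Parse 'path' or 'rw path'; return (path, writable).

    Only absolute paths without '..' components are accepted, so a stored
    grant cannot quietly widen into a parent directory."""
    parts = value.split(None, 1)
    writable = False
    if len(parts) == 2 and parts[0] == "rw":
        writable, path = True, parts[1].strip()
    elif len(parts) == 1:
        path = parts[0]
    else:
        raise ValueError(f"line {lineno}: bad Grant syntax: {value!r}")
    if not path.startswith("/") or ".." in path.split("/"):
        raise ValueError(f"line {lineno}: refusing non-absolute or '..' path {path!r}")
    return path, writable


def parse_pkg(text):
    """Return (fields, grants): fields is {lowercased key: value},
    grants is an ordered list of (path, writable) tuples."""
    fields, grants = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a 'Key: value' line: {raw!r}")
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "grant":
            grants.append(parse_grant(value, lineno))
        elif key in fields:
            raise ValueError(f"line {lineno}: duplicate field {key!r}")
        else:
            fields[key] = value
    return fields, grants


def build_pola_run_args(text):
    """Convert a .pkg-style text into the list of pola-run arguments it
    authorises.  Missing boolean fields mean 'no' (default deny)."""
    fields, grants = parse_pkg(text)
    args = []
    for key, flags in BOOLEAN_FLAGS.items():
        value = fields.get(key, "no").lower()
        if value in ("yes", "true"):
            args.extend(flags)
        elif value not in ("no", "false"):
            raise ValueError(f"field {key!r}: expected yes/no, got {value!r}")
    for path, writable in grants:
        args.extend(["-fw" if writable else "-f", path])
    return args


# Constructed sample: a music player that gets X11 and audio playback,
# read access to its music, write access to its own config, and no network.
SAMPLE_PKG = """\
# hypothetical .pkg-style grant file (constructed for this example)
Name: rhythmbox
Net: no
X11: yes
Audio-Play: yes
Grant: /home/user/Music
Grant: rw /home/user/.config/rhythmbox
"""

if __name__ == "__main__":
    print("pola-run " + shlex.join(build_pola_run_args(SAMPLE_PKG)))
```

Running the block prints the pola-run flags derived from the sample; the point is that every right the launched instance receives is visible as an explicit flag, and that the only way to get a grant is to have it recorded in the file.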
