mirror of
https://github.com/flatpak/flatpak.git
synced 2026-01-26 06:07:56 +00:00
2ae9cfd950
Currently, app installs and updates are treated the same from the point of view of the parental controls permissions checks. This was intended so that parents have to re-check each app update to make sure it’s still appropriate for their children. In practice, though, parents are not that hands-on, and there are a lot of regular app updates. The tradeoff between app updates (which bring security fixes and features) and not changing so much in apps that a parent’s initial assessment of their suitability for their child is probably skewed the wrong way. We should be preferring updates (in particular, so we get security updates), and assuming that if an app is OK to begin with, it’s probably not going to change so radically as to become unsuitable for a child with an update. As a data point, Google Play’s parental controls will allow apps to be automatically updated even if a child account can’t install new apps. So, implement this by splitting the existing `org.freedesktop.Flatpak.override-parental-controls` polkit action in two: the existing action for _installs_, and a new `org.freedesktop.Flatpak.override-parental-controls-update` action for _updates_. `FlatpakDir` is changed to use the appropriate action depending on whether an app is being installed from scratch or updated. The default policies for the two actions differ. Users/Distros who disagree with the new default policy can provide their own polkit rules to change the behaviour of `override-parental-controls-update` so that it matches `override-parental-controls`, to bring back the old behaviour. Signed-off-by: Philip Withnall <pwithnall@gnome.org> Fixes: https://github.com/flatpak/flatpak/issues/5552
325 lines
14 KiB
XML
325 lines
14 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
||
<!DOCTYPE policyconfig PUBLIC
|
||
"-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
|
||
"http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
|
||
<policyconfig>
|
||
|
||
<!--
|
||
Policy definitions for Flatpak system actions.
|
||
Copyright (c) 2016 Alexander Larsson <alexl@redhat.com>
|
||
-->
|
||
|
||
<vendor>The Flatpak Project</vendor>
|
||
<vendor_url>https://github.com/flatpak/flatpak</vendor_url>
|
||
<icon_name>package-x-generic</icon_name>
|
||
|
||
<action id="org.freedesktop.Flatpak.app-install">
|
||
<!-- SECURITY:
|
||
- Normal users need admin authentication to install software
|
||
system-wide.
|
||
- Note that we install polkit rules that allow local users
|
||
in the wheel group to install without authenticating.
|
||
-->
|
||
<description>Install signed application</description>
|
||
<message>Authentication is required to install software</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>auth_admin_keep</allow_active>
|
||
</defaults>
|
||
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.app-update org.freedesktop.Flatpak.runtime-install org.freedesktop.Flatpak.runtime-update</annotate>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.runtime-install">
|
||
<!-- SECURITY:
|
||
- Normal users need admin authentication to install software
|
||
system-wide.
|
||
- Note that we install polkit rules that allow local users
|
||
in the wheel group to install without authenticating.
|
||
-->
|
||
<description>Install signed runtime</description>
|
||
<message>Authentication is required to install software</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>auth_admin_keep</allow_active>
|
||
</defaults>
|
||
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.runtime-update</annotate>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.app-update">
|
||
<!-- SECURITY:
|
||
- Normal users do not require admin authentication to update an
|
||
app as the commit will be signed, and the action is required
|
||
to update the system when unattended.
|
||
- Changing this to anything other than 'yes' will break unattended
|
||
updates.
|
||
-->
|
||
<description>Update signed application</description>
|
||
<message>Authentication is required to update software</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>yes</allow_active>
|
||
</defaults>
|
||
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.runtime-install org.freedesktop.Flatpak.runtime-update</annotate>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.runtime-update">
|
||
<!-- SECURITY:
|
||
- Normal users do not require admin authentication to update a
|
||
runtime as the commit will be signed, and the action is required
|
||
to update the system when unattended.
|
||
- Changing this to anything other than 'yes' will break unattended
|
||
updates.
|
||
-->
|
||
<description>Update signed runtime</description>
|
||
<message>Authentication is required to update software</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>yes</allow_active>
|
||
</defaults>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.update-remote">
|
||
<!-- SECURITY:
|
||
- Normal users do not need authentication to update metadata
|
||
from signed repositories.
|
||
-->
|
||
<description>Update remote metadata</description>
|
||
<message>Authentication is required to update remote info</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>yes</allow_active>
|
||
</defaults>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.modify-repo">
|
||
<!-- SECURITY:
|
||
- Normal users do not need authentication to modify the
|
||
OSTree repository
|
||
- Note that we install polkit rules that allow local users
|
||
in the wheel group to modify repos without authenticating.
|
||
-->
|
||
<description>Update system repository</description>
|
||
<message>Authentication is required to modify a system repository</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>yes</allow_active>
|
||
</defaults>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.install-bundle">
|
||
<!-- SECURITY:
|
||
- Normal users need admin authentication to install software
|
||
system-wide.
|
||
-->
|
||
<description>Install bundle</description>
|
||
<message>Authentication is required to install software from $(path)</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>auth_admin_keep</allow_active>
|
||
</defaults>
|
||
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.runtime-install org.freedesktop.Flatpak.runtime-update</annotate>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.runtime-uninstall">
|
||
<!-- SECURITY:
|
||
- Normal users need admin authentication to uninstall software
|
||
system-wide.
|
||
- Note that we install polkit rules that allow local users
|
||
in the wheel group to uninstall without authenticating.
|
||
-->
|
||
<description>Uninstall runtime</description>
|
||
<message>Authentication is required to uninstall software</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>auth_admin_keep</allow_active>
|
||
</defaults>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.app-uninstall">
|
||
<!-- SECURITY:
|
||
- Normal users need admin authentication to uninstall software
|
||
system-wide.
|
||
- Note that we install polkit rules that allow local users
|
||
in the wheel group to uninstall without authenticating.
|
||
-->
|
||
<description>Uninstall app</description>
|
||
<message>Authentication is required to uninstall $(ref)</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>auth_admin_keep</allow_active>
|
||
</defaults>
|
||
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.runtime-uninstall</annotate>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.configure-remote">
|
||
<!-- SECURITY:
|
||
- Normal users need admin authentication to configure system-wide
|
||
software repositories.
|
||
-->
|
||
<description>Configure Remote</description>
|
||
<message>Authentication is required to configure software repositories</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>auth_admin_keep</allow_active>
|
||
</defaults>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.configure">
|
||
<!-- SECURITY:
|
||
- Normal users need admin authentication to configure the system-wide
|
||
Flatpak installation.
|
||
-->
|
||
<description>Configure</description>
|
||
<message>Authentication is required to configure software installation</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>auth_admin_keep</allow_active>
|
||
</defaults>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.appstream-update">
|
||
<!-- SECURITY:
|
||
- Normal users do not require admin authentication to update
|
||
appstream data as it will be signed, and the action is required
|
||
to update the system when unattended.
|
||
- Changing this to anything other than 'yes' will break unattended
|
||
updates.
|
||
-->
|
||
<description>Update appstream</description>
|
||
<message>Authentication is required to update information about software</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>yes</allow_active>
|
||
</defaults>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.metadata-update">
|
||
<!-- SECURITY:
|
||
- Normal users do not require admin authentication to update
|
||
metadata as it will be signed, and the action is required
|
||
to update the system when unattended.
|
||
- Changing this to anything other than 'yes' will break unattended
|
||
updates.
|
||
-->
|
||
<description>Update metadata</description>
|
||
<message>Authentication is required to update metadata</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>yes</allow_active>
|
||
</defaults>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.override-parental-controls">
|
||
<!-- SECURITY:
|
||
- Authorisation to actually install software is controlled by
|
||
org.freedesktop.Flatpak.app-install.
|
||
- This action is checked after app-install, as it can only be done
|
||
once the app’s data (including its content rating) has been
|
||
downloaded.
|
||
- This action is checked to see if the installation should be allowed
|
||
based on whether the app being installed has content which doesn’t
|
||
comply with the user’s parental controls policy (the content is
|
||
‘too extreme’).
|
||
- It is checked only if an app has too extreme content for the user
|
||
who is trying to install it (in which case, the app is ‘unsafe’).
|
||
- Typically, normal users will need admin permission to install apps
|
||
with extreme content; admins will be able to install it without
|
||
additional checks.
|
||
- In order to configure the policy so that admins can install safe and
|
||
unsafe software anywhere without authorisation, and non-admins can
|
||
install safe software in their user or system dirs without
|
||
authorisation, but need authorisation to install unsafe software
|
||
anywhere:
|
||
* Unconditionally return `yes` from `app-install`.
|
||
* Return `auth_admin` from `override-parental-controls` for users
|
||
not in `@privileged_group@`, and `yes` for users in it.
|
||
* Set the malcontent `is-{user,system}-installation-allowed`
|
||
properties of all non-admins’ parental controls policies to true.
|
||
- In order to configure the policy so that admins can install safe and
|
||
unsafe software anywhere without authorisation, and non-admins can
|
||
install safe software in their user dir without authorisation, but
|
||
need authorisation to install safe software in the system dir or to
|
||
install unsafe software anywhere:
|
||
* Unconditionally return `yes` from `app-install`.
|
||
* Return `auth_admin` from `override-parental-controls` for users
|
||
not in `@privileged_group@`, and `yes` for users in it.
|
||
* Set the malcontent `is-user-installation-allowed` property of all
|
||
non-admins’ parental controls policies to true.
|
||
* Set the malcontent `is-system-installation-allowed` property of
|
||
all non-admins’ parental controls policies to false.
|
||
- In order to configure the policy so that all users (including
|
||
admins) can install safe software anywhere without authorisation,
|
||
but need authorisation to install unsafe software anywhere (i.e.
|
||
applying parental controls to admins too):
|
||
* Unconditionally return `yes` from `app-install`.
|
||
* Unconditionally return `auth_admin` from `override-parental-controls`.
|
||
* Set the malcontent `is-user-installation-allowed` property of all
|
||
users’ parental controls policies to true.
|
||
* Set the malcontent `is-system-installation-allowed` property of
|
||
all users’ parental controls policies to true.
|
||
-->
|
||
<description>Override parental controls for installs</description>
|
||
<message>Authentication is required to install software which is restricted by your parental controls policy</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>auth_admin</allow_active>
|
||
</defaults>
|
||
<annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.override-parental-controls-update</annotate>
|
||
</action>
|
||
|
||
<action id="org.freedesktop.Flatpak.override-parental-controls-update">
|
||
<!-- SECURITY:
|
||
- This is like org.freedesktop.Flatpak.override-parental-controls, but
|
||
it’s queried for app updates, whereas the former is queried for app
|
||
installs.
|
||
- As with the above action, this one is only queried if
|
||
org.freedesktop.Flatpak.app-update has allowed the app update, and
|
||
only if the app being updated has too extreme content for the user
|
||
who is trying to update it.
|
||
- The default policy for this is to *allow* updates to ‘too extreme’
|
||
apps by default, on the basis that having an out-of-date (i.e.
|
||
insecure or unsupported) app is a worse outcome than automatically
|
||
installing an update which has radically different content from the
|
||
version of the app which the parent originally vetted and installed.
|
||
-->
|
||
<description>Override parental controls for updates</description>
|
||
<message>Authentication is required to update software which is restricted by your parental controls policy</message>
|
||
<icon_name>package-x-generic</icon_name>
|
||
<defaults>
|
||
<allow_any>auth_admin</allow_any>
|
||
<allow_inactive>auth_admin</allow_inactive>
|
||
<allow_active>yes</allow_active>
|
||
</defaults>
|
||
</action>
|
||
|
||
</policyconfig>
|
||
|