Mirror of https://github.com/flatpak/flatpak.git, synced 2026-01-26 14:13:26 +00:00
Use the user’s OARS filter to prevent installation or upgrade of
apps which have more extreme content than the user is allowed to see.
This uses libmalcontent to load the user’s enforced OARS filter, which
describes the extremeness of each type of content the user is allowed to
see. If an app they are trying to install exceeds the filter value in
any OARS section, installation is disallowed and an error is returned.
libmalcontent stores the parental controls policy per-user in
accountsservice, which enforces access control on the policies.
The app filter is also allowed to prevent app installation entirely,
which overrides the OARS values. This is independent from the app-install
polkit action, which determines whether an unprivileged user may install
an app system-wide. Being stored in accountsservice, the new boolean is
also easier to set per-user without having to programmatically write a
polkit JS policy file which handles multiple users (and parse it back
again).
The parental controls checks are done at deploy time, either in the
`flatpak` process (for user repositories) or in the
`flatpak-system-helper` (for system repositories). The checks use
content rating data extracted from the app’s AppData XML and stored in
the `FlatpakDeploy` cache. The checks are passed through polkit (even
for user repositories) so that users can get an admin override to
install apps which would otherwise be too extreme. This uses the new
`org.freedesktop.Flatpak.parental-controls` polkit rule.
The checks have to be done at deploy time, as that’s when the AppData
XML for the app is parsed. The downside of this arrangement is that an
app must be entirely downloaded before the parental checks can be done.
This won’t be much of an issue on normal desktops, however, since we can
assume that gnome-software will check an app’s appropriateness before
showing it to the user in the first place.
Parental controls are not enforced for non-apps/runtimes, which includes
the ostree-metadata and appstream/* refs.
One thorny issue is that flatpak unit tests may be run in an environment
with no system D-Bus available to connect to (a Jenkins instance, for
example), which means the call to `mct_manager_get_app_filter()` in
`flatpak_dir_check_parental_controls()` fails.
So this commit skips the parental controls check if the system bus is
unavailable and the environment variable
`FLATPAK_SYSTEM_HELPER_ON_SESSION` is set, since the testlibrary already
sets that variable so that the system-helper will be started on the
session bus.
The feature can be tested using something like:
```
$ malcontent-client set philip \
violence-realistic=none app/org.freedesktop.Bustle/x86_64/stable
App filter for user 1000 set
$ flatpak run org.freedesktop.Bustle
error: Running app/org.freedesktop.Bustle/x86_64/stable is not allowed by the policy set by your administrator
$ flatpak --user install flathub io.github.FreeDM
error: Failed to install io.github.FreeDM: Installing app/io.github.FreeDM/x86_64/stable is not allowed by the policy set by your administrator
```
Includes work by André Magalhães and Umang Jain.
Signed-off-by: Philip Withnall <withnall@endlessm.com>
297 lines, 13 KiB, XML
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>

  <!--
    Policy definitions for Flatpak system actions.
    Copyright (c) 2016 Alexander Larsson <alexl@redhat.com>
  -->

  <vendor>The Flatpak Project</vendor>
  <vendor_url>https://github.com/flatpak/flatpak</vendor_url>
  <icon_name>package-x-generic</icon_name>

  <action id="org.freedesktop.Flatpak.app-install">
    <!-- SECURITY:
          - Normal users need admin authentication to install software
            system-wide.
          - Note that we install polkit rules that allow local users
            in the wheel group to install without authenticating.
     -->
    <description>Install signed application</description>
    <message>Authentication is required to install software</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.app-update org.freedesktop.Flatpak.runtime-install org.freedesktop.Flatpak.runtime-update</annotate>
  </action>

  <action id="org.freedesktop.Flatpak.runtime-install">
    <!-- SECURITY:
          - Normal users need admin authentication to install software
            system-wide.
          - Note that we install polkit rules that allow local users
            in the wheel group to install without authenticating.
     -->
    <description>Install signed runtime</description>
    <message>Authentication is required to install software</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.runtime-update</annotate>
  </action>

  <action id="org.freedesktop.Flatpak.app-update">
    <!-- SECURITY:
          - Normal users do not require admin authentication to update an
            app as the commit will be signed, and the action is required
            to update the system when unattended.
          - Changing this to anything other than 'yes' will break unattended
            updates.
     -->
    <description>Update signed application</description>
    <message>Authentication is required to update software</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.runtime-install org.freedesktop.Flatpak.runtime-update</annotate>
  </action>

  <action id="org.freedesktop.Flatpak.runtime-update">
    <!-- SECURITY:
          - Normal users do not require admin authentication to update a
            runtime as the commit will be signed, and the action is required
            to update the system when unattended.
          - Changing this to anything other than 'yes' will break unattended
            updates.
     -->
    <description>Update signed runtime</description>
    <message>Authentication is required to update software</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

  <action id="org.freedesktop.Flatpak.update-remote">
    <!-- SECURITY:
          - Normal users do not need authentication to update metadata
            from signed repositories.
     -->
    <description>Update remote metadata</description>
    <message>Authentication is required to update remote info</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

  <action id="org.freedesktop.Flatpak.modify-repo">
    <!-- SECURITY:
          - Normal users do not need authentication to modify the
            OSTree repository
          - Note that we install polkit rules that allow local users
            in the wheel group to modify repos without authenticating.
     -->
    <description>Update system repository</description>
    <message>Authentication is required to modify a system repository</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

  <action id="org.freedesktop.Flatpak.install-bundle">
    <!-- SECURITY:
          - Normal users need admin authentication to install software
            system-wide.
     -->
    <description>Install bundle</description>
    <message>Authentication is required to install software from $(path)</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.runtime-install org.freedesktop.Flatpak.runtime-update</annotate>
  </action>

  <action id="org.freedesktop.Flatpak.runtime-uninstall">
    <!-- SECURITY:
          - Normal users need admin authentication to uninstall software
            system-wide.
          - Note that we install polkit rules that allow local users
            in the wheel group to uninstall without authenticating.
     -->
    <description>Uninstall runtime</description>
    <message>Authentication is required to uninstall software</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.freedesktop.Flatpak.app-uninstall">
    <!-- SECURITY:
          - Normal users need admin authentication to uninstall software
            system-wide.
          - Note that we install polkit rules that allow local users
            in the wheel group to uninstall without authenticating.
     -->
    <description>Uninstall app</description>
    <message>Authentication is required to uninstall $(ref)</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.imply">org.freedesktop.Flatpak.runtime-uninstall</annotate>
  </action>

  <action id="org.freedesktop.Flatpak.configure-remote">
    <!-- SECURITY:
          - Normal users need admin authentication to configure system-wide
            software repositories.
     -->
    <description>Configure Remote</description>
    <message>Authentication is required to configure software repositories</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.freedesktop.Flatpak.configure">
    <!-- SECURITY:
          - Normal users need admin authentication to configure the system-wide
            Flatpak installation.
     -->
    <description>Configure</description>
    <message>Authentication is required to configure software installation</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>

  <action id="org.freedesktop.Flatpak.appstream-update">
    <!-- SECURITY:
          - Normal users do not require admin authentication to update
            appstream data as it will be signed, and the action is required
            to update the system when unattended.
          - Changing this to anything other than 'yes' will break unattended
            updates.
     -->
    <description>Update appstream</description>
    <message>Authentication is required to update information about software</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

  <action id="org.freedesktop.Flatpak.metadata-update">
    <!-- SECURITY:
          - Normal users do not require admin authentication to update
            metadata as it will be signed, and the action is required
            to update the system when unattended.
          - Changing this to anything other than 'yes' will break unattended
            updates.
     -->
    <description>Update metadata</description>
    <message>Authentication is required to update metadata</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

  <action id="org.freedesktop.Flatpak.override-parental-controls">
    <!-- SECURITY:
          - Authorisation to actually install software is controlled by
            org.freedesktop.Flatpak.app-install.
          - This action is checked after app-install, as it can only be done
            once the app’s data (including its content rating) has been
            downloaded.
          - This action is checked to see if the installation should be allowed
            based on whether the app being installed has extreme content.
          - It is checked only if an app has too extreme content for the user
            who is trying to install it (in which case, the app is ‘unsafe’).
          - Typically, normal users will need admin permission to install apps
            with extreme content; admins will be able to install it without
            additional checks.
          - In order to configure the policy so that admins can install safe and
            unsafe software anywhere without authorisation, and non-admins can
            install safe software in their user or system dirs without
            authorisation, but need authorisation to install unsafe software
            anywhere:
             * Unconditionally return `yes` from `app-install`.
             * Return `auth_admin` from `override-parental-controls` for users
               not in `@privileged_group@`, and `yes` for users in it.
             * Set the malcontent `is-{user,system}-installation-allowed`
               properties of all non-admins’ parental controls policies to true.
          - In order to configure the policy so that admins can install safe and
            unsafe software anywhere without authorisation, and non-admins can
            install safe software in their user dir without authorisation, but
            need authorisation to install safe software in the system dir or to
            install unsafe software anywhere:
             * Unconditionally return `yes` from `app-install`.
             * Return `auth_admin` from `override-parental-controls` for users
               not in `@privileged_group@`, and `yes` for users in it.
             * Set the malcontent `is-user-installation-allowed` property of all
               non-admins’ parental controls policies to true.
             * Set the malcontent `is-system-installation-allowed` property of
               all non-admins’ parental controls policies to false.
          - In order to configure the policy so that all users (including
            admins) can install safe software anywhere without authorisation,
            but need authorisation to install unsafe software anywhere (i.e.
            applying parental controls to admins too):
             * Unconditionally return `yes` from `app-install`.
             * Unconditionally return `auth_admin` from `override-parental-controls`.
             * Set the malcontent `is-user-installation-allowed` property of all
               users’ parental controls policies to true.
             * Set the malcontent `is-system-installation-allowed` property of
               all users’ parental controls policies to true.
     -->
    <description>Override parental controls</description>
    <message>Authentication is required to install software which is restricted by your parental controls policy</message>
    <icon_name>package-x-generic</icon_name>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
  </action>

</policyconfig>
```
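As an added example (not code from the flatpak repository), a polkit rules file implementing the first configuration described in the `override-parental-controls` SECURITY comment: `app-install` returns `yes` unconditionally, and `override-parental-controls` returns `yes` for members of the privileged group and `auth_admin` for everyone else. It assumes `wheel` as the value of `@privileged_group@` and a hypothetical file name; the `decide()` helper and the `polkit` stand-in exist only so the rule can be exercised outside polkitd.

```javascript
// Added example, not from the flatpak repository: a polkit rules file for the
// first configuration in the override-parental-controls SECURITY comment.
// Hypothetical install path: /etc/polkit-1/rules.d/50-flatpak-parental.rules
var APP_INSTALL = "org.freedesktop.Flatpak.app-install";
var OVERRIDE_PARENTAL = "org.freedesktop.Flatpak.override-parental-controls";
// @privileged_group@ is substituted at flatpak build time; "wheel" is assumed.
var PRIVILEGED_GROUP = "wheel";

// polkitd provides the real `polkit` global; this minimal stand-in only
// exists so the same file can be exercised under node (see decide()).
if (typeof polkit === "undefined") {
  globalThis.polkit = {
    Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
    rules: [],
    addRule: function (fn) { this.rules.push(fn); }
  };
}

// Returns a polkit.Result for the two Flatpak actions this rule owns, or
// undefined so that every other action falls through to the <defaults> in
// the .policy file (auth_admin / auth_admin_keep).
function flatpakParentalRule(action, subject) {
  if (action.id === APP_INSTALL) {
    // Installing itself needs no authorisation; whether the app's content is
    // acceptable is decided afterwards, at deploy time, by the OARS check
    // that triggers override-parental-controls.
    return polkit.Result.YES;
  }
  if (action.id === OVERRIDE_PARENTAL) {
    // Privileged-group members bypass the content filter silently; anyone
    // else must authenticate as an admin before an app rated beyond their
    // filter is deployed.
    return subject.isInGroup(PRIVILEGED_GROUP)
      ? polkit.Result.YES
      : polkit.Result.AUTH_ADMIN;
  }
  return undefined;
}

polkit.addRule(flatpakParentalRule);

// Test helper (ignored by polkitd): evaluate the rule for a constructed
// subject whose only attribute is its group membership.
function decide(actionId, groups) {
  var subject = { isInGroup: function (g) { return groups.indexOf(g) !== -1; } };
  return flatpakParentalRule({ id: actionId }, subject);
}
```

This rule is only half of the configuration: as the comment's third bullet says, the malcontent `is-user-installation-allowed` and `is-system-installation-allowed` properties of the non-admin users' policies must be set to true with malcontent-client, since polkit cannot express them.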