Can Subuser have Android Marshmallow style permissions #283
Comments
Permissions files are a good thing and are here to stay. They create a clear and auditable list of what permissions are granted. They let you see, in one place, everything that can go wrong/be taken advantage of.

However, I do understand that on-demand permissions could have some security benefits. For example, a video calling program doesn't need access to the webcam unless a video call is taking place, but in order to gain those benefits, there needs to be a way to take away webcam access at the end of the call. This would be possible, but it would require some extra interface, perhaps an icon in the system tray, or at the bottom of the windows of the program which was granted the permission. Does Android have such an interface for revoking temporary permissions?

Unfortunately, such an on-demand permission scenario is not at all easy to implement with pre-existing programs like Skype or even the open source Cheese. Right now, with subuser, you don't have to modify programs to run them. Linux programs currently don't request access to things like the webcam; they just use them, if they are available. So this isn't easy to implement without subuser adding some API that would be used only by special "subuser programs". I don't want to force application authors to change their implementation details just for subuser. At least not yet, when subuser is not a popular solution.

One more thing: There will never be a "do not ask again" check box. This would be a security flaw in my mind, because the user typically checks such a box, not out of desire to grant a permission permanently, but out of annoyance at having to be asked so many times. I might, however, add an "edit permissions" button.

In the future, if this type of feature gets added, each of the permissions that could be asked for would have three settings: Deny, Ask, and Grant. This way, programs that have no business asking for permissions cannot do so.
Imagine that you have an irssi subuser which is able, based on analysis of network activity, to determine when Skype is receiving a phone call. It then requests a webcam permission, and you see a dialog:
The user may click Allow, not realizing that it is irssi and not Skype that is asking. Another problem with allowing programs to ask for permissions without those permissions being explicitly listed is auditability. As I already stated, I want the permissions list to be a complete list of everything that can possibly go wrong from a security standpoint. Finally, allowing programs to ask actually exposes an API, and all API surface area is a risk to security. I would therefore never let a program even ask unless it was given permission to do so.
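The Deny/Ask/Grant model described in the comment above, as an added sketch that is not part of the original thread or of subuser's code. `Setting`, `PermissionBroker` and the `prompt` callback are hypothetical names, and the block models only the decision logic, not how a container would be given or lose the device.

```python
from enum import Enum


class Setting(Enum):
    DENY = "deny"
    ASK = "ask"
    GRANT = "grant"


class PermissionBroker:
    """Hypothetical per-subuser broker for on-demand permissions."""

    def __init__(self, subuser_name, permissions, prompt):
        self.subuser_name = subuser_name
        self.permissions = permissions  # the auditable list: name -> Setting
        self.prompt = prompt            # callable(message) -> bool (the dialog)
        self.active = set()             # temporary grants currently in effect

    def request(self, permission):
        # A permission that is not listed is treated as Deny and never
        # reaches the dialog, so a program that was not given the right
        # to ask has nothing to put in front of the user.
        setting = self.permissions.get(permission, Setting.DENY)
        if setting is Setting.DENY:
            return False
        if setting is Setting.GRANT or permission in self.active:
            return True
        # Ask: the dialog names the requesting subuser, so the user can
        # tell a request from irssi apart from one made by Skype.
        message = 'Subuser "%s" requests "%s". Allow for now?' % (
            self.subuser_name, permission)
        if self.prompt(message):
            # Temporary only. The answer is never written back to the
            # permissions list: there is no "do not ask again".
            self.active.add(permission)
            return True
        return False

    def revoke(self, permission):
        # End of the call: drop the temporary grant so that the next
        # use has to be approved again.
        self.active.discard(permission)
```
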
I think we should have it so if the permission is listed as ask (like in a video call app) then it shows a prompt. If the permission is allowed then it allows (as usual). If it is denied then it denies the permission. If it is not listed then it asks.
@timthelion I know a bit of Python so I would like to know the location of the code where it blocks the permission (which file). Then maybe I can submit a pull request.
Permissions aren't blocked but granted. Take a look at the two files On 04/11/16 12:02, Suici Doga wrote:
@timthelion I looked at the runtime file and I found a lot of methods. Which one does the granting?
They all do, pretty much. Permissions are granted by passing arguments Tim On 04/12/16 04:10, Suici Doga wrote:
@timthelion So do I edit only
What are you trying to do?
@timthelion Edit it so I can show a message box. You say that other methods are used too before. Is
Permissions are granted when the subuser is started. So that message box On 04/12/16 14:43, Suici Doga wrote:
@timthelion So I think this would be a problem
Unfortunately, so long as we use Docker, which doesn't allow for changing container permissions after launch, this isn't possible. Once the move to runc takes place many previously impossible things become possible.
@timthelion I think I should open an issue on Docker's GitHub
@SuicSoft there have been many issues about this open (or closed) for years:
The list goes on...
@timthelion The comments say the API supports it
I believe that you are referring to "only through the API, as you can pass bind-mounts and volumes-from on start." But this doesn't allow for modifying RUNNING containers, it only allows for modifying "containers".
You're making a joke about bureaucracy, right? ;)
@timthelion So running containers can't be modified. The problem with subuser is it needs Docker
@SuicSoft yes, in the future, subuser will not use Docker and things will move along more quickly, be better, and break less often.
@timthelion When will this happen?
The 0.5 line uses Docker, the 0.6 line will use runc. However, there are On 04/17/16 03:44, Suici Doga wrote:
In Android Marshmallow a prompt is shown like
So could Subuser also have something like this which shows a similar prompt (which should use the GTK theme) instead of having a permissions file (or we could have both)?