Commit 87435e7c authored by Bastien Nocera

README: Explain thumbnailing security model

Thanks to Simon McVittie for the original writeup.
parent ec6ef7dc
Pipeline #216131 passed with stage
in 6 minutes and 12 seconds
......@@ -32,3 +32,28 @@ Bugs should be reported to the [Issues section of gnome-desktop repository](http
Please read the HACKING file for information on where to send changes or
bugfixes for this package.
Thumbnailing sandboxing
=======================
The thumbnailer sandboxing was built to prevent a number of different
potential attack vectors.
- The attacker wants to steal arbitrary secrets from your machine (a
confidentiality failure), or overwrite arbitrary files (an integrity
failure).
- The attacker is assumed to be capable of inducing you to download a
crafted thumbnailable object (picture, video, ROM) that will crash a
thumbnailer and get arbitrary code execution.
- Stealing your secrets is prevented by:
- only giving the thumbnailer access to the file it's thumbnailing,
plus public files from `/usr`-equivalent places, so that it can't
leak the content of a secret file into the thumbnail of a less-secret
file.
- not giving it internet access, so that it can't upload the file it's
thumbnailing to Wikileaks.
- Overwriting arbitrary files is prevented by making the output of the
thumbnailer the only thing that can be written from inside the sandbox.
- Subverting other programs to do one of those is (hopefully) prevented by only
allowing it to output PNG thumbnails, because we hope PNG reader libraries are
a lot more secure than libraries to read exotic image formats.
\ No newline at end of file
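Review bot: the new "Thumbnailing sandboxing" section puts threat statements and mitigations at the same bullet level (the "Stealing your secrets is prevented by:" and "Overwriting arbitrary files is prevented by" items sit beside "The attacker wants to steal arbitrary secrets"), so the two lists read as one; split them into an attacker-model list and a mitigations list, and add the missing trailing newline that the "\ No newline at end of file" marker reports. The last bullet hedges twice ("hopefully", "we hope PNG reader libraries are a lot more secure"); since the preceding bullet already states that the thumbnail output is the only thing writable from inside the sandbox, say plainly that the caller treats that PNG as untrusted input, which is the actual guarantee rather than a hope about library quality.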