author: Bastien Nocera <hadess@hadess.net> 2020-09-24 16:43:44 +0200
committer: Bastien Nocera <hadess@hadess.net> 2020-09-24 16:43:44 +0200
commit: 87435e7c7b06b914fbd51e2a3a6ed0d8d4acc054 (patch)
tree: f5ff2cbeb10a1b4571fb344d302dab9a6e484725 /README.md
parent: ec6ef7dce3ec342c05015541ff65629bb4fc2e3a (diff)
download: gnome-desktop-87435e7c7b06b914fbd51e2a3a6ed0d8d4acc054.tar.gz
README: Explain thumbnailing security model
Thanks to Simon McVittie for the original writeup.
Diffstat (limited to 'README.md')
-rw-r--r-- README.md 25
1 files changed, 25 insertions, 0 deletions
diff --git a/README.md b/README.md
index 7d99d09c..b8d26fc8 100644
--- a/README.md
+++ b/README.md
@@ -32,3 +32,28 @@ Bugs should be reported to the [Issues section of gnome-desktop repository](http
Please read the HACKING file for information on where to send changes or
bugfixes for this package.
+
+Thumbnailing sandboxing
+=======================
+
+The thumbnailer sandboxing was built to prevent a number of different
+potential attack vectors.
+
+- The attacker wants to steal arbitrary secrets from your machine (a
+ confidentiality failure), or overwrite arbitrary files (an integrity
+ failure).
+- The attacker is assumed to be capable of inducing you to download a
+ crafted thumbnailable object (picture, video, ROM) that will crash a
+ thumbnailer and get arbitrary code execution.
+- Stealing your secrets is prevented by:
+ - only giving the thumbnailer access to the file it's thumbnailing,
+ plus public files from `/usr`-equivalent places, so that it can't
+ leak the content of a secret file into the thumbnail of a less-secret
+ file.
+ - not giving it internet access, so that it can't upload the file it's
+ thumbnailing to Wikileaks.
+- Overwriting arbitrary files is prevented by making the output of the
+ thumbnailer the only thing that can be written from inside the sandbox.
+- Subverting other programs to do one of those is (hopefully) prevented by only
+ allowing it to output PNG thumbnails, because we hope PNG reader libraries are
+ a lot more secure than libraries to read exotic image formats. \ No newline at end of file
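Review bot: the nested bullets under "Stealing your secrets is prevented by:" are indented by a single space (`+ - only giving the thumbnailer access ...`, `+ - not giving it internet access ...`), which CommonMark renderers treat as sibling items of the outer list rather than children, so the "prevented by" item ends up followed by two unrelated-looking bullets; indenting them by two spaces (to the content column of the parent `- `) fixes the rendering. Two smaller points in the same hunk: the file now ends without a trailing newline (`\ No newline at end of file`), and the section describes the threat model and the mitigations in one flat list, so a reader cannot tell which bullets are assumptions about the attacker and which are protections; splitting it into a "Threat model" list (the first two bullets) and a "Mitigations" list (the remaining three) and adding a sentence naming the component or mechanism that enforces these restrictions would make the README a usable reference for the sandbox.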