author | Bastien Nocera <hadess@hadess.net> | 2020-09-24 16:43:44 +0200 |
---|---|---|
committer | Bastien Nocera <hadess@hadess.net> | 2020-09-24 16:43:44 +0200 |
commit | 87435e7c7b06b914fbd51e2a3a6ed0d8d4acc054 (patch) | |
tree | f5ff2cbeb10a1b4571fb344d302dab9a6e484725 /README.md | |
parent | ec6ef7dce3ec342c05015541ff65629bb4fc2e3a (diff) | |
download | gnome-desktop-87435e7c7b06b914fbd51e2a3a6ed0d8d4acc054.tar.gz |
README: Explain thumbnailing security model
Thanks to Simon McVittie for the original writeup.
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 25 |
1 files changed, 25 insertions, 0 deletions
@@ -32,3 +32,28 @@ Bugs should be reported to the [Issues section of gnome-desktop repository](http Please read the HACKING file for information on where to send changes or bugfixes for this package. + +Thumbnailing sandboxing +======================= + +The thumbnailer sandboxing was built to prevent a number of different +potential attack vectors. + +- The attacker wants to steal arbitrary secrets from your machine (a + confidentiality failure), or overwrite arbitrary files (an integrity + failure). +- The attacker is assumed to be capable of inducing you to download a + crafted thumbnailable object (picture, video, ROM) that will crash a + thumbnailer and get arbitrary code execution. +- Stealing your secrets is prevented by: + - only giving the thumbnailer access to the file it's thumbnailing, + plus public files from `/usr`-equivalent places, so that it can't + leak the content of a secret file into the thumbnail of a less-secret + file. + - not giving it internet access, so that it can't upload the file it's + thumbnailing to Wikileaks. +- Overwriting arbitrary files is prevented by making the output of the + thumbnailer the only thing that can be written from inside the sandbox. +- Subverting other programs to do one of those is (hopefully) prevented by only + allowing it to output PNG thumbnails, because we hope PNG reader libraries are + a lot more secure than libraries to read exotic image formats.
\ No newline at end of file |
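Review bot: the added "Thumbnailing sandboxing" section mixes attacker goals, the assumed attacker capability and the mitigations in one flat bullet list; splitting it into a threat model paragraph (the first two bullets) and a mitigations list (the remaining bullets) would make it easier for a reader to map each mitigation to the goal it defeats. On the integrity bullet, "the output of the thumbnailer the only thing that can be written from inside the sandbox" should say where that output lands and who validates it, because the last bullet relies on the sandbox "only allowing it to output PNG thumbnails": a sentence on how the PNG-only restriction is enforced (and what happens to non-PNG or malformed output) is needed for the model to be checkable from the README alone. The "upload ... to Wikileaks" aside reads better as "exfiltrate the file to a remote host", and the "(hopefully)" hedge on the last bullet should either be dropped or expanded into the actual residual risk the authors have in mind.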