Sandbox plasmoids by default to prevent themes from deleting home directory or other sensitive data

Hello, I’m new here. I come here after recently switching a good amount of non-technical users from gnome to KDE after the very impressive plasma6 release.

I was surprised and felt betrayed to find out that installing a theme that depends on a plasmoid with rm -rf $HOME could delete your home directory. I found it in the BleepingComputer article and on Reddit, but since I'm a new account I can't link directly to it for now.

tl;dr Require kde plasmoid writers to whitelist directories users will have to approve, run all plasmoids through firejail using that whitelist.

My idea is for:

  • KDE plasmoids to provide a whitelist of folders and files they wish to have access to
  • Those plasmoids to be run with firejail --private and a whitelist $FILE_PATH of each file path the plasmoid lists as necessary to run it

Then the UI/UX for the user would be:

  1. Install theme foo, with dependency bar
  2. When it installs bar, user is prompted to accept that bar wants access to all of /home/bob, warned that all files and folders under this location could be deleted and only proceed if they trust the plasmoid. Maybe an extra warning that the plasmoid is requesting a suspiciously large scope. Perhaps also a yellow exclamation point icon indicating there could be security issues with this.

Whereas if bar only requires access to ~/.config/bar, a config directory it lists as needing to create, no extra warning is given and permissions are only listed as "can read and delete files only in its own directory" alongside a green checkmark indicating this is a safer practice.

Note that one argument against this may be the friction in creating plasmoids. That is a valid one, and I would argue that developers could start by requesting access to the user's entire $HOME directory, with the trade-off being that those plasmoids are marked as potential security issues. "Potential security issues" may be too strong, but there should be some way of indicating they are less guaranteed to be secure.

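As an added example, not code from the original post, from KDE or from firejail, here is a POSIX shell sketch of the launcher-side logic the proposal above describes: read the paths a plasmoid declares, classify how much of the home directory each one grants, pick the install prompt (warning for the whole home, green-check wording for the plasmoid's own directories) and build the firejail command line from the declared whitelist. The manifest format (one path per line, `~` for the user's home, `#` comments), the `plasmoid-runner` command and the prompt wording are assumptions of this example. It emits `--whitelist=` options only, because a firejail whitelist under $HOME already hides the rest of home behind an empty temporary filesystem; check the firejail manual for how `--private` composes with `--whitelist` before combining them as the post suggests.

```shell
#!/bin/sh
# Added example modelling the proposal: declared paths -> scope -> prompt -> firejail.
# Manifest format, plasmoid-runner and prompt wording are placeholders (assumed).

# strip_slashes PATH -> PATH without trailing slashes ("/" stays "/")
strip_slashes() {
    p=$1
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
    printf '%s\n' "$p"
}

# normalize_path HOME PATH -> absolute path with "~" expanded to HOME
normalize_path() {
    home=$1 p=$2
    case "$p" in
        '~')   p=$home ;;
        '~/'*) p=$home${p#"~"} ;;   # quoted "~" so the pattern is literal
    esac
    strip_slashes "$p"
}

# scope_of_path HOME PATH -> "broad" | "scoped" | "outside"
#   broad   : HOME itself or an ancestor of it (/, /home): everything under HOME
#   scoped  : a file or directory strictly inside HOME
#   outside : a path elsewhere on the system
scope_of_path() {
    home=$(strip_slashes "$1")
    p=$(normalize_path "$home" "$2")
    case "$p" in
        /|"$home")  echo broad ;;
        "$home"/*)  echo scoped ;;
        *) case "$home"/ in
               "$p"/*) echo broad ;;     # p is an ancestor of HOME
               *)      echo outside ;;
           esac ;;
    esac
}

# manifest_scope HOME MANIFEST -> worst scope requested by any line of the manifest
manifest_scope() {
    home=$1 manifest=$2 worst=scoped
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        s=$(scope_of_path "$home" "$line")
        case "$s:$worst" in
            broad:*)        worst=broad ;;
            outside:scoped) worst=outside ;;
        esac
    done < "$manifest"
    echo "$worst"
}

# install_prompt HOME MANIFEST -> the text the installer would show the user
install_prompt() {
    case "$(manifest_scope "$1" "$2")" in
        broad)   echo "WARNING: this plasmoid requests access to all of $1; every file and folder under it could be read, changed or deleted. Continue only if you trust it." ;;
        outside) echo "CAUTION: this plasmoid requests paths outside your home directory; review the list before continuing." ;;
        scoped)  echo "OK: this plasmoid can read and delete files only in its own directories." ;;
    esac
}

# firejail_cmd HOME MANIFEST CMD... -> the sandbox command line (printed, not executed)
firejail_cmd() {
    home=$(strip_slashes "$1") manifest=$2; shift 2
    cmd="firejail"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        cmd="$cmd --whitelist=$(normalize_path "$home" "$line")"
    done < "$manifest"
    printf '%s --%s\n' "$cmd" "$(printf ' %s' "$@")"
}

# Demo with a constructed manifest for the "bar" plasmoid from the post.
demo_manifest=$(mktemp)
printf '# paths requested by plasmoid "bar" (constructed sample)\n~/.config/bar\n' > "$demo_manifest"
install_prompt /home/bob "$demo_manifest"
firejail_cmd /home/bob "$demo_manifest" plasmoid-runner   # plasmoid-runner is hypothetical
rm -f "$demo_manifest"
```

Changing the sample manifest's line to `~` (or `/home`) flips the prompt to the warning branch, which is the "suspiciously large scope" case the post wants flagged; a manifest that lists `/etc/passwd` lands in the "outside" branch, which the post does not discuss but an installer would still have to decide about.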

I would add a far more controlled permission system. E.g. they need permission for writing files, reading files, …

I wouldn’t be opposed to that. Someone even mentioned to me the idea of only running plasmoids using flatpak given they already have finer-grained permissions controls.

My priority though would be a least-friction system that could be migrated to and would prevent the case that’s happened from happening again.

There are a lot of options on the table being discussed. It's an active conversation internally. 🙂