[Qt-qml] QML and sandboxing
Marco Martin
notmart at gmail.com
Wed Jul 13 15:29:00 CEST 2011
Hi all,
By using QML, there is a thing that strikes me: it makes it really easy
to do little snippets of code that can be installed any time, maybe
even distributed from the network. It's really easy to distribute
things such as
a) minimal apps written in QML only, loaded by a unique trusted
application that is merely a "shell" for it. MeeGo tablet does it for
its default applications; in KDE we are doing it for desktop widgets
of the Plasma workspace
b) plugins/addons for C++ applications; in this case too one would
like some kind of sandboxing to not let an extension do dangerous
things.
But as far as I understood, there is no way to have any protection.
Well, there is regarding network access, because I can change the
networkaccessmanager from C++, so I can even provide one that forbids
any remote URLs, if I want.
However there is nothing for local files: I can always open absolute
paths in elements such as Image and Loader and "import" any plugin
installed system wide, a plugin that could be written in C++ and be
potentially very dangerous (it's true that apps shouldn't install C++
plugins by themselves, nor potentially dangerous things anyway,
but what should happen and what will happen are two really different
concepts ;))
This actually makes it impossible for any application that wants to load
any kind of extensions written in QML to have any kind of sandboxing,
not good at all for security.
A solution that sounds simple in practice (not sure how
implementable) is something similar to the pluggable
networkaccessmanager: being able to tap resolution of path names and
eventually change or forbid some. Anything about a security model
would then have to be implemented by subclasses.
Of course it won't be possible to avoid passing absolute paths to custom
C++ plugins, but it would be possible to do some checks when the import
statement is performed (so not loading potentially troublesome C++
plugins) and in the stock base components.
How feasible does that seem?
And is anything about sandboxing planned at all? (maybe for QML2?)
Cheers,
Marco Martin
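As an added illustration, not code from this post, from Qt or from KDE: a plain C++ sketch of the decision such a pluggable path-resolution hook could make for the cases the post lists (relative and absolute paths in Image/Loader, file:// and remote URLs, and the import statement). It is written without Qt so it runs stand-alone; the engine-side integration, the ResourcePolicy struct, the function names and the /opt/app and /usr/share/app directories are all assumptions constructed for the example.

```cpp
// Added sketch of a path-resolution policy for untrusted QML packages.
// Plain C++, no Qt: where the engine would call this is hypothetical,
// only the policy decision is shown.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

enum class Verdict { Allow, Deny };

// Hypothetical policy object a host application would hand to the engine.
struct ResourcePolicy {
    std::vector<std::string> allowedRoots;   // directories QML may read from
    std::vector<std::string> allowedModules; // import names, or prefixes ending in '.'
    bool allowNetwork = false;               // remote URLs refused by default
    bool allowQrc = true;                    // compiled-in resources are trusted
};

// URI scheme of `ref` in lower case ("http", "file", "qrc", ...), or "" for a
// bare path. A single letter before ':' (as in "C:") is treated as a path.
static std::string schemeOf(const std::string& ref) {
    std::string s;
    for (char c : ref) {
        unsigned char u = static_cast<unsigned char>(c);
        if (c == ':') return s.size() >= 2 ? s : "";
        bool ok = s.empty() ? std::isalpha(u) != 0
                            : (std::isalnum(u) != 0 || c == '+' || c == '-' || c == '.');
        if (!ok) return "";
        s += static_cast<char>(std::tolower(u));
    }
    return "";
}

// Lexically normalises an absolute POSIX path: collapses repeated '/',
// drops "." and applies ".." without ever rising above "/". Symlinks are
// not resolved; a real hook would canonicalise on the filesystem first.
static std::string normalise(const std::string& path) {
    std::vector<std::string> parts;
    std::string seg;
    for (size_t i = 0; i <= path.size(); ++i) {
        if (i == path.size() || path[i] == '/') {
            if (seg == "..") { if (!parts.empty()) parts.pop_back(); }
            else if (!seg.empty() && seg != ".") parts.push_back(seg);
            seg.clear();
        } else {
            seg += path[i];
        }
    }
    std::string out;
    for (const auto& p : parts) out += "/" + p;
    return out.empty() ? "/" : out;
}

// True when the normalised `path` lies below `root`. The trailing '/' keeps
// a root of "/opt/app" from matching "/opt/app-evil".
static bool inside(const std::string& root, const std::string& path) {
    std::string r = normalise(root);
    if (r.back() != '/') r += '/';
    return path.compare(0, r.size(), r) == 0;
}

// The hook itself: given the directory of the QML package being loaded and a
// reference as written in QML (Image.source, Loader.source, ...), decide
// whether the engine may open it and hand back the normalised target.
Verdict resolveResource(const ResourcePolicy& pol, const std::string& packageDir,
                        const std::string& ref, std::string& resolved) {
    resolved.clear();
    const std::string scheme = schemeOf(ref);
    std::string path;
    if (scheme.empty()) {
        path = ref;                                 // bare path
    } else if (scheme == "qrc") {
        resolved = ref;
        return pol.allowQrc ? Verdict::Allow : Verdict::Deny;
    } else if (scheme == "file") {
        path = ref.substr(5);                       // drop "file:"
        if (path.compare(0, 2, "//") == 0) {        // "file://host/..." form
            path.erase(0, 2);
            if (path.empty() || path[0] != '/')     // non-empty host: not local
                return Verdict::Deny;
        }
    } else {
        resolved = ref;                             // http, https, ftp, data, ...
        return pol.allowNetwork ? Verdict::Allow : Verdict::Deny;
    }
    if (path.empty() || path[0] != '/') path = packageDir + "/" + path;
    path = normalise(path);
    for (const auto& root : pol.allowedRoots)
        if (inside(root, path)) { resolved = path; return Verdict::Allow; }
    return Verdict::Deny;                           // outside every allowed root
}

// Same policy applied when an "import" statement is performed.
bool importAllowed(const ResourcePolicy& pol, const std::string& module) {
    for (const auto& m : pol.allowedModules) {
        if (m == module) return true;
        if (!m.empty() && m.back() == '.' && module.compare(0, m.size(), m) == 0) return true;
    }
    return false;
}

// Convenience wrappers returning just one of the two results.
Verdict verdictFor(const ResourcePolicy& pol, const std::string& dir, const std::string& ref) {
    std::string unused;
    return resolveResource(pol, dir, ref, unused);
}
std::string targetFor(const ResourcePolicy& pol, const std::string& dir, const std::string& ref) {
    std::string out;
    resolveResource(pol, dir, ref, out);
    return out;
}

// Constructed policy for the demo; the paths are made up for this example.
ResourcePolicy examplePolicy(bool allowNetwork = false) {
    ResourcePolicy p;
    p.allowedRoots = {"/opt/app/packages", "/usr/share/app/themes"};
    p.allowedModules = {"QtQuick", "org.kde.plasma."};
    p.allowNetwork = allowNetwork;
    return p;
}

int main() {
    const std::string pkg = "/opt/app/packages/clock";
    for (const char* ref : {"images/face.png", "../../../../etc/passwd",
                            "file://evil.example/share", "http://example.com/x.png"})
        std::cout << ref << " -> "
                  << (verdictFor(examplePolicy(), pkg, ref) == Verdict::Allow ? "allow" : "deny")
                  << '\n';
    return 0;
}
```

The allow-list is deliberately root-based rather than deny-based: a deny list of "bad" paths cannot anticipate every absolute path a package might write, while a short list of roots plus lexical normalisation refuses anything that escapes by construction. Remote URLs and C++ plugin imports are then just two more cases of the same policy object, which matches the post's suggestion that the security model itself live in a subclass supplied by the host.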