KDE and global themes #346
Replies: 1 comment
The current systemsettings profile should be enough. I would still need to test global themes a bit more to ensure the architecture of the profile is optimal. Ideally we should try to separate as much as we can (thanks to another profile) the system settings program from the theme install scripts.
On GNOME, the problem resides in the extension system, as extensions can (even legitimately) do a lot of things. The problem is that most extensions run in the main gnome-shell profile, therefore they have as much access as gnome-shell itself (which does not include user data). Ultimately, for both GNOME and KDE, it is their job to define a confinement/sandboxing. With the current construction of both systems (insecure apps running in the same process as more trusted ones), there are only a few things we can do only on
A couple of weeks ago a discussion about a Global Theme for KDE that contained a `rm -Rf` command which could delete all your user data caused an excited discussion. Here are some links:
https://old.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/
https://discuss.kde.org/t/warning-global-themes-and-widgets-created-by-3rd-party-developers-for-plasma-can-and-will-run-arbitrary-code-you-are-encouraged-to-exercise-extreme-caution-when-using-these-products/12714
https://blog.davidedmundson.co.uk/blog/kde-store-content/
https://old.reddit.com/r/openSUSE/comments/1biunsl/hacked_installed_a_global_theme_it_erased_all_my/
I believe that those themes are installed via systemsettings which is confined by the respective profile. And it seems that KDE is planning to do something against malicious themes/widgets/whatever. But the question remains if the confinement by the systemsettings profile is enough to protect against this threat.
Some people commenting in above threads say that Gnome wouldn't be immune against this threat, either.
So could we protect better against these perils in apparmor.d?
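The profile split that the reply above proposes (systemsettings in one profile, theme install scripts in another with no reach into user data) can be sketched in AppArmor policy. This is an added illustration and not apparmor.d's actual systemsettings profile; the executable path, the child-profile name `theme-install`, the `@{theme_dirs}` variable and the assumption that theme scripts are started through a shell are all assumptions made for the example.

```apparmor
# Added illustration, not apparmor.d's real systemsettings profile: run the
# scripts shipped inside a global theme in a child profile that cannot reach
# user data, while systemsettings itself keeps its normal rights.
abi <abi/3.0>,

include <tunables/global>

# Assumed paths and names; the real profile's values may differ.
@{exec_path} = /{usr/,}bin/systemsettings
@{theme_dirs} = @{HOME}/.local/share/plasma/{desktoptheme,look-and-feel,plasmoids}

profile systemsettings @{exec_path} {
  include <abstractions/base>

  @{exec_path} mr,
  owner @{theme_dirs}/** rw,

  # A theme's install script is assumed to be started through a shell. Instead
  # of letting the shell inherit this profile (ix) or run unconfined, switch to
  # the named child profile below, which only sees the theme directories.
  /{usr/,}bin/{,ba,da}sh Cx -> theme-install,

  profile theme-install {
    include <abstractions/base>

    /{usr/,}bin/{,ba,da}sh mr,
    /{usr/,}bin/{cat,cp,ln,mkdir,mv,rm,sed} mrix,

    # The only place a theme script may write.
    owner @{theme_dirs}/** rw,

    # Everything else is already denied, because AppArmor grants nothing that
    # no rule allows. The explicit "audit deny" rules exist so that an attempt
    # to touch these directories is logged instead of being a silent denial;
    # they deliberately do not overlap @{theme_dirs}, since a deny rule
    # overrides any allow rule for the same path.
    audit deny @{HOME}/{Desktop,Documents,Downloads,Music,Pictures,Videos}/** rwl,
    audit deny @{HOME}/.ssh/** rwl,
    audit deny @{HOME}/.gnupg/** rwl,
  }
}
```

Two points worth checking before relying on such a split: the transition only happens for executables matched by a `Cx` (or `Px`) rule, so every interpreter the theme machinery can launch needs the same treatment, and plain `deny` rules are quiet by default, so `audit deny` is what makes a blocked theme script show up in the kernel log during testing.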