Current Setup: An application has to be limited by the most lax permission in order to maintain the functionality. For an application that will ever have access to the user's files this means it needs to have access to all of the users files.Comments
Possible Solution: Have the file browser/chooser application give temporary permissions for the specific chosen files/folder to the application that launched the file chooser. Care will need to be taken so that "recent files" in applications still work as expected. This may require a per application recent file list to be stored in the security system.
Example Use Cases / How it does it: Picture Viewer 1) User clicks on Picture with an active exploit in it (on the desktop) 2) Opens with default photo viewer 3) The exploit now has full control of the photo viewer, but can only access: Photo viewers recently opened photos The photo with the exploit Photo viewer config Anything else the photo viewer can access (say uploading to flickr) All other photo's in library (if configured, which in this example it is not) *) All other documents remain secure...
How it did it. (behind the scenes): the user opened 4 pictures from the file manager, the application had those 4 pictures added to it's "per application recent file permission list" thereby enabling the user to open them directly from the photo manager at any point in the future. That list was customized for the application to limit the list to the 4 most recent due to the application only having 4 option in it's "recent list". This list is used by apparmor/selinux to enable access to the pictures for the application.
Rhythmbox 1) User configures library (using directory chooser)\ - Called with options to set up a permanent user/application permission for the music folder in question - this allows rhythmbox to access all files contained within 2) User listens to internet radio and finds a malicious file 3) The malicious file deletes everything it can touch, the user loses her entire music collection, but has all documents intact.
When configuring the rhythmbox library directory, Rhythmbox used a special call to the directory chooser to ask it to switch it's permanent directory to whatever the user chooses, thereby adding the necessary rules as well.
Of course, if you can already do this with selinux/apparmor (at about the same complication level) please tell me how :)