[MIR] malcontent

Bug #1892456 reported by Robert Ancell
This bug affects 2 people

Affects: malcontent (Ubuntu)
Status: In Progress
Importance: Medium
Assigned to: Unassigned

Bug Description

Availability
============
In Universe, builds for all architectures and in sync with Debian.

Rationale
=========
Required for parental control features in GNOME.

Security
========
This will need a Security review.

Quality Assurance
=================
Package is maintained in Debian. No major bugs in Debian or Ubuntu.

UI Standards
============
Contains a graphical tool that follows GNOME UI standards.

Dependencies
============
All in main except for libflatpak0 (LP: #1812456)

Standards Compliance
====================
Package uses standards version 4.5.0.

Maintenance
===========
Actively developed upstream https://gitlab.freedesktop.org/pwithnall/malcontent.
Packages actively maintained in Debian.

Security Checks
===============
No CVEs found in http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=malcontent.

Changed in malcontent (Ubuntu):
importance: Undecided → Medium
Dan Streetman (ddstreet)
Changed in malcontent (Ubuntu):
assignee: nobody → Dan Streetman (ddstreet)
Dan Streetman (ddstreet) wrote :

[Summary]
This needs a team bug subscriber; setting back to 'incomplete'
until it has a team bug subscriber.

The 'malcontent-gui' binary package provides a GUI, and may need
further review from a UI perspective.

This does need a security review, so I'll assign ubuntu-security
after the above are addressed.

This is still dependent on libflatpak0 MIR from LP: #1812456

Otherwise, this is an ACK from MIR team.

specific binary packages to be promoted to main:
  - gir1.2-malcontent-0
  - gir1.2-malcontentui-0
  - libmalcontent-0-0
  - libmalcontent-ui-0-0
  - libpam-malcontent
  - malcontent
  - malcontent-gui

Notes:
Required TODOs:
- some team (probably foundations) must subscribe to package bugs
- malcontent-gui package needs further review as part of UI
- needs security team review
- this does also depend on libflatpak0 MIR from LP: #1812456

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- other dependencies to MIR due to this:
  libflatpak0 is in universe, but also in progress via LP: #1812456

Problems:
- -dev packages that need exclusion:
  libmalcontent-0-dev
  libmalcontent-ui-0-dev

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking

[Security]
OK:
- history of CVEs does not look concerning
- does not run a daemon as root
- does not use webkit1,2
- does not use lib*v8 directly
- does not open a port
- does not process arbitrary web content
- does not use centralized online accounts
- does not integrate arbitrary javascript into the desktop

Problems:
- does deal with system authentication (pam)
- does parse data formats

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite failures will fail the build.
- translation present
- not a python/go package

Problems:
- does not have a test suite that runs as autopkgtest
- The package does not have a team bug subscriber

[Packaging red flags]
OK:
- Ubuntu does not carry a delta
- symbols tracking is in place
- d/watch is present and looks ok
- Upstream update history is good
- Debian/Ubuntu update history is good but short, pkg was added recently
- promoting this does not seem to cause issues for MOTUs
- no massive Lintian warnings
- d/rules is rather clean
- Does not have Built-Using
- not go Package

Problems:
- the current release is packaged
  the latest upstream release is 0.9.0 while Debian/Ubuntu have 0.8.0
  however, 0.9.0 is from only 2 weeks ago

[Upstream red flags]
OK:
- no Errors/warnings during the build (except minor annotation warnings)
- no incautious use of malloc/sprintf (as far as I can check it)
- no use of sudo, gksu, pkexec, or LD_LIBRARY_PATH
- no use of user nobody
- no use of setuid
- no important open bugs (crashers, etc) in Debian or Ubuntu
- no dependency on webkit, qtwebkit, seed or libgoa-*

Problems:
- 'malcontent-gui' package is part of the UI, needs extra checks

Changed in malcontent (Ubuntu):
status: New → Incomplete
assignee: Dan Streetman (ddstreet) → Robert Ancell (robert-ancell)
Dan Streetman (ddstreet) wrote :

> The 'malcontent-gui' binary package provides a GUI, and may need
> further review from a UI perspective.

to follow up; this does appear to meet the MIR UI standards of 1) being intl'ed, and 2) providing a desktop file, so this item is ok from MIR perspective.

Remaining items are:

This needs a team bug subscriber
This does need a security review
This is still dependent on libflatpak0 MIR from LP: #1812456

Iain Lane (laney) wrote :

I subscribed the desktop team to the bugs.

I'm assigning the security team now per comment #2 (thanks for the review).

Changed in malcontent (Ubuntu):
assignee: Robert Ancell (robert-ancell) → Ubuntu Security Team (ubuntu-security)
Changed in malcontent (Ubuntu):
status: Incomplete → New
description: updated
Marco Trevisan (Treviño) (3v1n0) wrote :

Also gnome-shell has a dynamic runtime dependency on malcontent, so in order to enable this on ubuntu we should have it in main

Alex Murray (alexmurray) wrote : security audit

I reviewed malcontent 0.10.0-2 as checked into impish. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.

malcontent provides a library and application to manage "parental" restrictions for users. It allows defining restrictions on what applications should be presented to the user to be able to be launched, as well as what kinds of applications (as defined by their OARS rating) are allowed to be installed by the user via gnome-software or similar. Currently this is limited to flatpak application IDs, so if this were intended to support snaps, Ubuntu would have to patch malcontent (as well as potentially gnome-shell and gnome-software/snap-store etc.) to support snaps.

It does not perform any enforcement itself; instead it provides a means for configuring the policy via a GUI and a library which would then be used by gnome-shell / gnome-software etc., and these applications would then do the actual enforcement by filtering their results accordingly.

malcontent also includes a PAM plugin to check session time limits and only allow a user to log in if they have not exceeded their allocated time.

By design, malcontent states that it is not a security boundary, as its restrictions can potentially be circumvented by simply using applications to launch/install software that do not integrate with the malcontent system. As such, installing or launching applications via the command line directly would appear to circumvent the malcontent restrictions. As such, I do not feel malcontent requires a full security audit as part of the MIR process; however, the following is provided as a high-level summary nonetheless.

- No CVE History
- Interesting Build-Depends:
  - policykit-1
- pre/post inst/rm scripts
  - libpam-malcontent:
    - postinst script registers the pam plugin
    - prerm script removes the pam plugin
  - malcontent
    - postinst script restarts the accounts-daemon service
    - postrm script restarts the accounts-daemon service
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- binaries in PATH:
  - malcontent:
    - -rwxr-xr-x root/root 23077 2020-12-10 03:23 ./usr/bin/malcontent-client
  - malcontent-gui:
    - -rwxr-xr-x root/root 63792 2021-02-10 00:41 ./usr/bin/malcontent-control
- No sudo fragments
- polkit files
  - malcontent:
    - -rw-r--r-- root/root 39834 2021-02-10 00:41 ./usr/share/polkit-1/actions/com.endlessm.ParentalControls.policy
    - -rw-r--r-- root/root 1517 2021-02-10 00:41 ./usr/share/polkit-1/rules.d/com.endlessm.ParentalControls.rules
    - -rw-r--r-- root/root 393 2021-02-10 00:41 ./var/lib/polkit-1/localauthority/10-vendor.d/com.endlessm.ParentalControls.pkla
    - configures policykit to ensure only admins can modify policies but allows users to introspect their own restrictions.
- No udev rules
- No autopkgtests
- Unit tests run during the build
- No cron jobs
- Build logs are relatively clean

- Processes spawned
  - GUI supports spawning gnome-control-center to show the user accounts
    page - this looks safe from command-injection etc.
- Memory management
  - Is written in C but uses glib/gobject APIs and appears quite defensive...

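The polkit behaviour the audit above describes (admins may modify any policy; an ordinary user may only introspect their own restrictions) comes from polkit's two-layer evaluation: JavaScript rules in rules.d are consulted first and the first definite answer wins, and when no rule answers, the implicit defaults declared in the action's .policy file apply. The block below is an added example, not code from this page or from malcontent; polkit.addRule() and polkit.Result are polkitd's real rule API, but the dispatcher that emulates polkitd, the admin group name, the action IDs and the .policy defaults are assumptions made so the rule can be exercised offline in Node.

```javascript
// Offline model of polkitd's authorization evaluation. polkit.addRule() and
// polkit.Result mirror the API polkitd exposes to rules.d files; everything
// else here (dispatcher, action IDs, defaults, group name) is an assumption
// for illustration and is not malcontent's shipped configuration.

const polkit = {
  Result: {
    NO: "no",
    YES: "yes",
    AUTH_ADMIN: "auth_admin",
    NOT_HANDLED: null,
  },
  _rules: [],
  addRule(fn) {
    this._rules.push(fn);
  },
};

// Assumed <defaults><allow_active> values per action ID, standing in for the
// com.endlessm.ParentalControls.policy file. A user may read their own filter
// freely; reading others' or changing anything needs admin authentication.
const policyDefaults = {
  "com.endlessm.ParentalControls.AppFilter.ReadOwn": polkit.Result.YES,
  "com.endlessm.ParentalControls.AppFilter.ReadAny": polkit.Result.AUTH_ADMIN,
  "com.endlessm.ParentalControls.AppFilter.ChangeOwn": polkit.Result.AUTH_ADMIN,
  "com.endlessm.ParentalControls.AppFilter.ChangeAny": polkit.Result.AUTH_ADMIN,
};

// The rule, in the shape polkitd loads from /etc/polkit-1/rules.d/*.rules.
// Active, local members of the admin group get a definite "yes" for any
// ParentalControls action; everyone else falls through to the defaults.
// Checking subject.local && subject.active keeps a remote (e.g. SSH) session
// of an admin from rewriting the policy without authenticating.
polkit.addRule(function (action, subject) {
  if (
    action.id.indexOf("com.endlessm.ParentalControls.") === 0 &&
    subject.local &&
    subject.active &&
    subject.isInGroup("sudo")
  ) {
    return polkit.Result.YES;
  }
  // Returning nothing means "not handled by this rule".
});

// Emulates polkitd: ask each rule in order, take the first definite answer,
// otherwise fall back to the .policy defaults; unknown actions are denied.
function checkAuthorization(actionId, subject) {
  const action = { id: actionId, lookup: () => undefined };
  for (const rule of polkit._rules) {
    const result = rule(action, subject);
    if (result !== undefined && result !== polkit.Result.NOT_HANDLED) {
      return result;
    }
  }
  return Object.prototype.hasOwnProperty.call(policyDefaults, actionId)
    ? policyDefaults[actionId]
    : polkit.Result.NO;
}

// Subjects as polkitd presents them to rules (constructed sample data).
function makeSubject(user, groups, { local = true, active = true } = {}) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

const child = makeSubject("child", ["child"]);
const parent = makeSubject("parent", ["parent", "sudo"]);
const parentOverSsh = makeSubject("parent", ["parent", "sudo"], { local: false, active: false });

function demo() {
  const prefix = "com.endlessm.ParentalControls.AppFilter.";
  return {
    childReadsOwn: checkAuthorization(prefix + "ReadOwn", child),
    childReadsAny: checkAuthorization(prefix + "ReadAny", child),
    childChangesOwn: checkAuthorization(prefix + "ChangeOwn", child),
    parentChangesAny: checkAuthorization(prefix + "ChangeAny", parent),
    parentOverSsh: checkAuthorization(prefix + "ChangeAny", parentOverSsh),
    unknownAction: checkAuthorization("com.example.Unrelated", parent),
  };
}

console.log(demo());
```

The point worth checking against any real rules.d file is the local/active test: without it, an admin group membership alone yields "yes" from any session, which is broader than the "only admins can modify" intent suggests.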

tags: added: security-review-done
Changed in malcontent (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
Didier Roche-Tolomelli (didrocks) wrote :

So, this seems an ack, but the libflatpak0 MIR should be dealt with first. Let's put it as in progress.

Changed in malcontent (Ubuntu):
status: New → In Progress
Marco Trevisan (Treviño) (3v1n0) wrote :

What's the status here now?

Christian Ehrhardt  (paelzer) wrote :

AFAIU https://bugs.launchpad.net/ubuntu/+source/flatpak/+bug/1812456 needs to be completed to unblock this one here as well.

There is a discussion between Security and others - but that seems stalled for almost a year now.
Maybe it is worth pinging there (or the involved people) to get it back on track?
