I do think the proper way is to add an extract API and I also agree that we don't want to expose untrusted content extraction to unconfined processes. We are doing a pretty good job with media-hub, mediascanner, gallery, webapps, thumbnailing, etc with processes and untrusted input, so we shouldn't be lax here.
That said, this is not particularly difficult to secure-- add an extract API, have the download manager call out to a helper program that is confined. This helper program should only write out to a specific folder such as /run/user/*/content-extractor so we could have rules like:
/run/user/*/content-extractor/ rw,
/run/user/*/content-extractor/** rw,
When the extractor is done extracting, the content-hub can move the extracted files into place. Note: '/run/user/*/content-extractor/' is just an example; the point is, we don't want the extractor extracting all over the filesystem-- have the extractor extract to somewhere safe and let content-hub do the moving around.
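As an added illustration of the split described above (not code from this bug thread, content-hub or the download manager): the confined helper writes only under its staging directory, and a separate step moves the results into place. The temp-dir staging path and the archive contents are constructed stand-ins for /run/user/*/content-extractor and a real download.

```python
import os
import shutil
import tempfile
import zipfile


def extract_to_staging(archive_path, staging_dir):
    """Helper side: extract into staging_dir and nowhere else.

    An entry whose resolved path leaves staging_dir (absolute name or '..'
    components) is skipped, matching what the AppArmor rule would deny anyway.
    Returns (extracted_relative_paths, rejected_entry_names).
    """
    staging_real = os.path.realpath(staging_dir)
    extracted, rejected = [], []
    with zipfile.ZipFile(archive_path) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(staging_real, info.filename))
            if os.path.commonpath([staging_real, target]) != staging_real:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            extracted.append(os.path.relpath(target, staging_real))
    return extracted, rejected


def move_into_place(staging_dir, dest_dir):
    """content-hub side: move whatever the helper produced into dest_dir."""
    moved = []
    for root, _dirs, files in os.walk(staging_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, staging_dir)
            dst = os.path.join(dest_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.move(src, dst)
            moved.append(rel)
    return sorted(moved)


def demo():
    """Constructed sample: one benign entry and one that tries to climb out."""
    work = tempfile.mkdtemp()
    archive = os.path.join(work, "download.zip")
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../escape.txt", "must never land outside staging")
    staging = os.path.join(work, "content-extractor")  # stand-in for /run/user/*/content-extractor
    dest = os.path.join(work, "Downloads")
    os.makedirs(staging)
    extracted, rejected = extract_to_staging(archive, staging)
    moved = move_into_place(staging, dest)
    escaped = os.path.exists(os.path.join(work, "escape.txt"))
    return extracted, rejected, moved, escaped
```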