Comment 6 for bug 1365993

Jamie Strandboge (jdstrand) wrote :

I do think the proper way is to add an extract API and I also agree that we don't want to expose untrusted content extraction to unconfined processes. We are doing a pretty good job with media-hub, mediascanner, gallery, webapps, thumbnailing, etc with processes and untrusted input, so we shouldn't be lax here.

That said, this is not particularly difficult to secure-- add an extract API, have the download manager call out to a helper program that is confined. This helper program should only write out to specific folder such as /run/user/*/content-extractor so we could have rules like:
  /run/user/*/content-extractor/ rw,
  /run/user/*/content-extractor/** rw,

When the extractor is done extracting, the content-hub can move the extracted files into place. Note: '/run/user/*/content-extractor/' is just an example, point is, we don't want the extractor extracting to all over the filesystem-- have the extractor extract to somewhere safe and let content-hub do the moving around.
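The two-stage design described in the comment (a confined helper that may only write under a staging directory, then a trusted process that moves the results into place) can be sketched in ordinary code. The following is an added example written for this page; it is not code from content-hub, the download manager, or the bug thread. The staging and destination paths, the sample archive, and the function names are all constructed for the illustration. It shows the check the extractor itself should still perform even inside its AppArmor confinement: every archive entry is resolved and any that would land outside the staging directory is rejected, so the confinement rule and the extractor's own validation back each other up.

```python
import io
import os
import shutil
import tempfile
import zipfile
from pathlib import Path


def build_sample_archive() -> bytes:
    """Constructed sample input (not from the bug report): one benign file in a
    subdirectory and one entry whose name tries to escape the staging area."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/cat.jpg", b"\xff\xd8 not really a jpeg")
        zf.writestr("../escape.txt", b"should never be written")
    return buf.getvalue()


def _is_within(base: Path, target: Path) -> bool:
    """True if target lies under base; both must already be resolved."""
    try:
        target.relative_to(base)
        return True
    except ValueError:
        return False


def extract_to_staging(archive: bytes, staging_dir: Path) -> dict:
    """Confined-helper side: extract only into staging_dir, the analogue of the
    '/run/user/*/content-extractor' area in the comment.
    Returns {'written': [relative paths], 'rejected': [member names]}."""
    staging_dir = staging_dir.resolve()
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute names are never acceptable inside an archive.
            if os.path.isabs(name) or name.startswith(("/", "\\")):
                rejected.append(name)
                continue
            # Resolve '..' components and confirm the result stays in staging.
            dest = (staging_dir / name).resolve()
            if not _is_within(staging_dir, dest) or dest == staging_dir:
                rejected.append(name)
                continue
            if info.is_dir():
                dest.mkdir(parents=True, exist_ok=True)
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as out:
                shutil.copyfileobj(src, out)
            written.append(str(dest.relative_to(staging_dir)))
    return {"written": written, "rejected": rejected}


def move_into_place(staging_dir: Path, dest_dir: Path, rel_paths) -> list:
    """Trusted (content-hub) side: move already-validated files out of staging
    into their final location, refusing to overwrite anything that exists."""
    moved = []
    for rel in rel_paths:
        src = staging_dir / rel
        dst = dest_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        if dst.exists():
            raise FileExistsError(dst)
        shutil.move(str(src), str(dst))
        moved.append(rel)
    return moved


def demo() -> dict:
    """Run both stages in a temporary tree and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp) / "content-extractor"   # constructed staging dir
        final = Path(tmp) / "Pictures"              # constructed destination
        staging.mkdir()
        result = extract_to_staging(build_sample_archive(), staging)
        moved = move_into_place(staging, final, result["written"])
        return {
            "written": result["written"],
            "rejected": result["rejected"],
            "moved": moved,
            # The traversal entry must not have reached the parent directory.
            "escaped": (Path(tmp) / "escape.txt").exists(),
            "final_exists": (final / "photos" / "cat.jpg").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

The point of splitting the work this way is that the helper's write set is small and enumerable, so the AppArmor rules in the comment can be tight, while the move step runs in a process that already has the privileges it needs and never parses the untrusted archive itself.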