subgraph-os-issues
Run all thumbnailers in an isolated Oz sandbox (or disable or remove thumbnailers)
Thumbnailers present a significant attack surface for exploitation. They automatically parse (many) binary file formats including obscure formats which are seldom used. The thumbnailers are run automatically on files when their directory is viewed in Nautilus or in another file manager.
It would be good to at least run all of the default thumbnailers in an Oz sandbox. I think Evince is already being run under Oz? It might also be a good idea to disable thumbnailing completely for non-standard formats. Who really needs a thumbnail for .pcf fonts or the .cbz comic book format for example?
- [ ] evince.thumbnailer
- [ ] gnome-font-viewer.thumbnailer
Are there any other default thumbnailers shipped with Subgraph that I'm missing?
> It might also be a good idea to disable thumbnailing completely [...]
I, for one, favor this option.
Agree, we should remove both thumbnailers immediately due to their both being sketchy and offering little/zero value. One way to do this is just to remove the files from /usr/share/thumbnailers/. I am surprised we had not already done so. @DonnchaC, long term we're sandboxing Nautilus and making some other big changes.
On current systems `evince.thumbnailer` is currently diverted and wrapped with `oz`. `gnome-font-viewer.thumbnailer` is not diverted and is not sandboxed with `oz`.
Pushing a configuration option to disable thumbnailing could happen in the `subgraph-defaults` package.
We have this setting already in subgraph-defaults:
```
[org.gnome.desktop.thumbnailers]
disable-all=true
```
We should evaluate if this actually works as expected.
Actually removing the thumbnailers is not as easy, since they ship with individual packages that are installed by default already or could be installed by a user at any point.
This is the current list of packages that install thumbnailers:
```
$ apt-file search /usr/share/thumbnailers
atril-common: /usr/share/thumbnailers/atril.thumbnailer
blender-data: /usr/share/thumbnailers/blender.thumbnailer
dia-common: /usr/share/thumbnailers/dia.thumbnailer
evince: /usr/share/thumbnailers/evince.thumbnailer
ffmpegthumbnailer: /usr/share/thumbnailers/ffmpegthumbnailer.thumbnailer
geogebra-gnome: /usr/share/thumbnailers/geogebra.thumbnailer
gnash: /usr/share/thumbnailers/gnash.thumbnailer
gnome-exe-thumbnailer: /usr/share/thumbnailers/exe-dll-msi.thumbnailer
gnome-font-viewer: /usr/share/thumbnailers/gnome-font-viewer.thumbnailer
gnome-hwp-support: /usr/share/thumbnailers/hwp-thumbnailer.thumbnailer
gnome-nds-thumbnailer: /usr/share/thumbnailers/gnome-nds-thumbnailer.thumbnailer
gnome-web-photo: /usr/share/thumbnailers/gnome-web-photo.thumbnailer
gwyddion-common: /usr/share/thumbnailers/gwyddion.thumbnailer
libgsf-bin: /usr/share/thumbnailers/gsf-office.thumbnailer
mate-control-center-common: /usr/share/thumbnailers/mate-font-viewer.thumbnailer
mypaint: /usr/share/thumbnailers/mypaint-ora.thumbnailer
pentobi: /usr/share/thumbnailers/pentobi.thumbnailer
totem-common: /usr/share/thumbnailers/totem.thumbnailer
```
There are also some alternative approaches to disabling thumbnailing that we can test: https://askubuntu.com/questions/518889/how-to-disable-thumbnail-generation
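
An added example, not part of the thread and not Subgraph's own tooling: a shell audit of what is actually installed under `/usr/share/thumbnailers`, showing for each entry the program it runs, how many MIME types it registers, and whether dpkg has a diversion recorded for the file, next to the effective `disable-all` value. The function names and the sample entries written by `write_sample_dir` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Subgraph tooling): audit installed GNOME thumbnailers.

# One line per *.thumbnailer in directory $1:
#   <file> exec=<program> mimetypes=<count> diverted=<yes|no|unknown>
audit_thumbnailers() {
    dir=$1
    for f in "$dir"/*.thumbnailer; do
        [ -e "$f" ] || continue            # glob matched nothing
        # First word of Exec= is the program that parses untrusted files.
        prog=$(sed -n 's/^Exec=\([^ ]*\).*/\1/p' "$f" | head -n 1)
        # MimeType= is a ';'-separated list; count non-empty entries.
        mimes=$(sed -n 's/^MimeType=//p' "$f" | tr ';' '\n' | grep -c . || true)
        # dpkg-divert --truename prints a different path for a diverted file.
        div=unknown
        if command -v dpkg-divert >/dev/null 2>&1; then
            real=$(dpkg-divert --truename "$f" 2>/dev/null) || real=
            if [ "$real" = "$f" ]; then div=no
            elif [ -n "$real" ]; then div=yes
            fi
        fi
        printf '%s exec=%s mimetypes=%s diverted=%s\n' \
            "$(basename "$f")" "${prog:-?}" "$mimes" "$div"
    done
}

# Effective value of the disable-all key for the current user.
thumbnailers_disabled() {
    if command -v gsettings >/dev/null 2>&1; then
        gsettings get org.gnome.desktop.thumbnailers disable-all 2>/dev/null \
            || echo unknown
    else
        echo unknown
    fi
}

# Constructed sample entries (hypothetical programs) for trying the audit.
write_sample_dir() {
    printf '[Thumbnailer Entry]\nTryExec=sample-doc-thumb\nExec=sample-doc-thumb -s %%s %%u %%o\nMimeType=application/pdf;application/x-sample;\n' \
        > "$1/sample-doc.thumbnailer"
    printf '[Thumbnailer Entry]\nExec=/usr/bin/sample-font-thumb %%u %%o\nMimeType=font/ttf;font/otf;application/x-font-pcf;\n' \
        > "$1/sample-font.thumbnailer"
}

if [ -d /usr/share/thumbnailers ]; then
    echo "disable-all=$(thumbnailers_disabled)"
    audit_thumbnailers /usr/share/thumbnailers
fi
```

Entries reported as `diverted=no` are the ones still shipped unmodified by their package; a package installed later adds a new line here even when the earlier ones were removed by hand.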