Req Addon sandboxing
#1
Recently an addon developers' war has occurred with addons deleting other addons, changing the system hosts file and other dangerous and unwanted behaviour.
http://forum.kodi.tv/showthread.php?tid=272175

Skilled developers and Team Kodi members are aware of how dangerous this behaviour is.

The proposal is to have some kind of addon permission system that limits the damage addons can do to the user's system.

Kodi is used by an estimated 12 million users, who are often naive and not fluent in English or technology.
They simply can't be expected to know the full dangers of installing the addons they read about or see videos for.

I call on the core development team to do the right thing and limit the potential damage by not only rogue addons but unexpected or faulty behaviour of official addons.
#2
I'll try to get the ball rolling.

I think the simplest quick fix would be to have the default installation run the Kodi application in a chrooted, limited user environment on every OS where possible.

It wouldn't stop the addons interfering with other addons but it could prevent some further damage to users files and identity theft.
#3
I'm not going into how extremely difficult your first proposal is to implement on just a single operating system, let alone on multiple platforms.

I'll add this link that might give some background on how difficult it is to just run python in a restricted environment:
https://wiki.python.org/moin/SandboxedPython

To be honest the easiest way by far would be to implement "no external add-ons unless they are signed" and sign all add-ons.
That however would require an automated way to review and sign external add-ons.
#4
(2016-05-03, 17:11)Kib Wrote: I'm not going into how extremely difficult your first proposal is to implement on just a single operating system, let alone on multiple platforms.

I'll add this link that might give some background on how difficult it is to just run python in a restricted environment:
https://wiki.python.org/moin/SandboxedPython

To be honest the easiest way by far would be to implement "no external add-ons unless they are signed" and sign all add-ons.
That however would require an automated way to review and sign external add-ons.

Very interesting read. Thank you.

The strongest idea there seems to be for using OS supplied restrictions like chroot jails.

Doesn't Android have every app as a different limited user?

Something to consider is having the addons run under a very limited user account and having to ask for information from the Kodi core application via a specific secure api. Effectively using Kodi like the trusted Linux kernel and running addons like user applications.

It would be great to have some input from computer scientists and Unix gurus. They could probably knock up a solution in an hour or so. ;)
#5
chroot is the easiest - for sandboxing single addons the first approach would be to not let them run as threads inside of the kodi process but let them run as own processes - interacting with kodi via some ipc mechanism. Someone is working on this - but there are operating systems where this is not allowed (android and ios prevent starting processes from a process...) - even then the addons are not restricted - they are just own processes (which will look very funny or like 1000 viruses inside the windows taskmanager btw). Restriction by process could then be handled via chroot jails for example. But that's linux only (nothing like that on windows, ios and android - unsure about osx).
#6
(2016-05-03, 17:57)Memphiz Wrote: chroot is the easiest - for sandboxing single addons the first approach would be to not let them run as threads inside of the kodi process but let them run as own processes - interacting with kodi via some ipc mechanism. Someone is working on this - but there are operating systems where this is not allowed (android and ios prevent starting processes from a process...) - even then the addons are not restricted - they are just own processes (which will look very funny or like 1000 viruses inside the windows taskmanager btw). Restriction by process could then be handled via chroot jails for example. But that's linux only (nothing like that on windows, ios and android - unsure about osx).

Cygwin or Gow have chroot for Windows so it must be possible.
https://github.com/bmatzelle/gow
from
http://serverfault.com/questions/161507/...-to-chroot
#7
I don't believe sandboxing is the solution, it's not worth the headache of coding in order to protect users from third-party plugins which are only available through unofficial means and almost always contain illegal media... and... are less likely to contain malicious code to begin with.

I think a simple solution is plugin authentication, developers get their plugins whitelisted... and an option for users similar to android "allow unknown sources" is added to bypass authentication.

or a simpler solution is an "Unofficial" Official Kodi repo, for those plugins that don't meet the STRICT kodi guidelines but also don't supply illegal media or malicious code.

Everything else should be ignored, there is risk when installing any software... and the risk increases when knowingly installing software that contains piracy.
#8
(2016-05-03, 21:26)Lunatixz Wrote: I don't believe sandboxing is the solution, it's not worth the headache of coding in order to protect users from third-party plugins which are only available through unofficial means and almost always contain illegal media... and... are less likely to contain malicious code to begin with.

I think a simple solution is plugin authentication, developers get their plugins whitelisted... and an option for users similar to android "allow unknown sources" is added to bypass authentication.

or a simpler solution is an "Unofficial" Official Kodi repo, for those plugins that don't meet the STRICT kodi guidelines but also don't supply illegal media or malicious code.

Everything else should be ignored, there is risk when installing any software... and the risk increases when knowingly installing software that contains piracy.

I expect you are not alone in thinking it's a lot of work for addons that aren't endorsed by Kodi.

But while Kodi provides an open addon architecture you can't really expect everyone to not give in to the temptation of installing one or two addons to find some free content, can you? I saw your posts about the ambiguity of the official addons breaking Terms and Conditions too, so it is not a moral or legal black and white issue. Ripping CDs is still illegal in the UK.

If Kodi does authenticate Unofficial Official addons it opens itself to legal problems so that is going to be hard to do.

I was hoping there was a simple method to block addons from anywhere but their own addon_data directory without permission.
Many addons store fairly sensitive passwords to places like Youtube or Facebook which could result in some malicious posting behaviour if stolen.
But it seems like python can't do that without sandboxing, which is why I went with that option.

What do you think about just trying to limit the whole Kodi application so the addons can't access anywhere outside their userdata folder unless to list read only media directories or by sending the url to the Kodi core for playback? All database calls have to go through rpc. Effectively enforcing the addon guidelines in code.
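The design sketched in #4 (Kodi as the trusted side, addons reaching it only through a narrow API), in #5 (addons as their own processes talking over IPC) and in the last paragraph above (nothing outside the addon's own addon_data unless it goes through the core) fits in a few dozen lines. What follows is an added example, not Kodi's code and not the prototype mentioned in the thread: a hypothetical broker that spawns a constructed addon script as a separate Python process, speaks a made-up JSON-lines protocol over the child's stdin/stdout, and serves file reads and writes only inside that addon's own addon_data directory. The Broker class, the protocol and the sample requests are all assumptions for illustration.

```python
"""Out-of-process add-on with a brokered filesystem API (added example, not Kodi code)."""
import json
import os
import subprocess
import sys
import tempfile

# Constructed add-on script: the untrusted side. It never opens files itself;
# every operation is a JSON request written to stdout and answered on stdin.
ADDON_SCRIPT = r'''
import json, sys

def call(op, **kw):
    sys.stdout.write(json.dumps(dict(op=op, **kw)) + "\n")
    sys.stdout.flush()
    return json.loads(sys.stdin.readline())

results = [
    call("write", path="settings.json", data='{"user": "alice"}')["ok"],  # own addon_data: allowed
    call("read", path="settings.json")["ok"],                             # allowed
    call("read", path="../plugin.video.other/settings.json")["ok"],       # another add-on's data: denied
    call("read", path="/etc/hosts")["ok"],                                # absolute path: denied
]
sys.stdout.write(json.dumps({"op": "exit", "results": results}) + "\n")
sys.stdout.flush()
'''


class Broker:
    """Trusted side: the only code that touches the real filesystem."""

    def __init__(self, userdata_root, addon_id):
        self.root = os.path.realpath(os.path.join(userdata_root, "addon_data", addon_id))
        os.makedirs(self.root, exist_ok=True)

    def _resolve(self, rel):
        # Resolve symlinks and '..' first, then require the result to stay under
        # the add-on's own directory. os.path.join discards self.root for an
        # absolute input, so absolute paths fail the containment check as well.
        full = os.path.realpath(os.path.join(self.root, rel))
        try:
            contained = os.path.commonpath([full, self.root]) == self.root
        except ValueError:  # different drives on Windows
            contained = False
        if not contained:
            raise PermissionError(rel)
        return full

    def handle(self, req):
        """Serve one request; a denied or malformed request gets only a flag back."""
        try:
            if req["op"] == "write":
                with open(self._resolve(req["path"]), "w") as f:
                    f.write(req["data"])
                return {"ok": True}
            if req["op"] == "read":
                with open(self._resolve(req["path"])) as f:
                    return {"ok": True, "data": f.read()}
            return {"ok": False, "error": "unknown op"}
        except (OSError, KeyError, TypeError):  # PermissionError is an OSError
            return {"ok": False}


def run_addon(userdata_root, addon_id, script=ADDON_SCRIPT):
    """Spawn the add-on as a separate process and broker its requests until it exits."""
    broker = Broker(userdata_root, addon_id)
    fd, script_path = tempfile.mkstemp(suffix=".py")
    with os.fdopen(fd, "w") as f:
        f.write(script)
    proc = subprocess.Popen([sys.executable, script_path], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    results = None
    try:
        while True:
            line = proc.stdout.readline()
            if not line:
                break
            req = json.loads(line)
            if req.get("op") == "exit":
                results = req.get("results")
                break
            proc.stdin.write(json.dumps(broker.handle(req)) + "\n")
            proc.stdin.flush()
    finally:
        proc.stdin.close()
        proc.wait()
        os.unlink(script_path)
    return results


def demo():
    """Run the constructed add-on against a fresh temporary userdata directory."""
    return run_addon(tempfile.mkdtemp(prefix="kodi-userdata-"), "plugin.video.example")


if __name__ == "__main__":
    print(demo())  # [True, True, False, False]
```

The containment check is made on the realpath, after '..' and symlinks are resolved, so a symlink planted inside addon_data that points at another addon's folder is refused too. The caveat from #5 still stands: this only separates the addon from Kodi's memory and from Kodi's privileged API. The child is still an ordinary Python process and could call open() on any path itself; stopping that needs an OS-level restriction on the child (chroot, a separate user, or a platform sandbox), which is exactly where the per-platform trouble described in #5 begins.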
#9
(2016-05-03, 22:09)primaeval Wrote:
(2016-05-03, 21:26)Lunatixz Wrote: I don't believe sandboxing is the solution, it's not worth the headache of coding in order to protect users from third-party plugins which are only available through unofficial means and almost always contain illegal media... and... are less likely to contain malicious code to begin with.

I think a simple solution is plugin authentication, developers get their plugins whitelisted... and an option for users similar to android "allow unknown sources" is added to bypass authentication.

or a simpler solution is an "Unofficial" Official Kodi repo, for those plugins that don't meet the STRICT kodi guidelines but also don't supply illegal media or malicious code.

Everything else should be ignored, there is risk when installing any software... and the risk increases when knowingly installing software that contains piracy.

I expect you are not alone in thinking it's a lot of work for addons that aren't endorsed by Kodi.

But while Kodi provides an open addon architecture you can't really expect everyone to not give in to the temptation of installing one or two addons to find some free content, can you? I saw your posts about the ambiguity of the official addons breaking Terms and Conditions too, so it is not a moral or legal black and white issue. Ripping CDs is still illegal in the UK.

If Kodi does authenticate Unofficial Official addons it opens itself to legal problems so that is going to be hard to do.

I was hoping there was a simple method to block addons from anywhere but their own addon_data directory without permission.
Many addons store fairly sensitive passwords to places like Youtube or Facebook which could result in some malicious posting behaviour if stolen.
But it seems like python can't do that without sandboxing, which is why I went with that option.

What do you think about just trying to limit the whole Kodi application so the addons can't access anywhere outside their userdata folder unless to list read only media directories or by sending the url to the Kodi core for playback? All database calls have to go through rpc. Effectively enforcing the addon guidelines in code.

The issue of password security is well known to developers... it's really easy to steal plugin configurations, I always recommend developers encode password strings (not 100% secure but enough to keep generic password sniffing from working).

I personally don't like restricting Kodi at all and especially solely on the threat of malicious code. It will only lead to a tit for tat battle to keep the security valid while malicious coders work to break it. Python is an open gateway to a user's data. Common sense is important, stay away from bulk plugin installers, repos and packages. Only download third-party repos from trusted developers... Every end user should know this.
#10
Quote:or a simpler solution is an "Unofficial" Official Kodi repo, for those plugins that don't meet the STRICT kodi guidelines but also don't supply illegal media or malicious code.

I've been a big fan of this idea for a while ;)

However, it would need to be fully unofficial. This would allow for a single repository for all sorts of things (especially modded skins) and be allowed in discussions on the Kodi forum/wiki/etc.

That being said, having some kind of sandboxing or other type of protection is still a good idea. There are cases where an add-on could delete/modify something by accident, rather than being an intentional and malicious attack. Simple mistakes are much harder to catch in any vetting process.
#11
(2016-05-03, 07:01)primaeval Wrote: Recently an addon developers' war has occurred with addons deleting other addons, changing the system hosts file and other dangerous and unwanted behaviour.
http://forum.kodi.tv/showthread.php?tid=272175

The hosts file is protected, so there is nothing to worry there.

The core "problem" is the unlimited access to the (Kodi) filesystem. Would it be possible to remove the "os" module and restrict/deny access to some folders/subfolders of the vfs? I don't see any reason for normal add-ons to access the ".kodi" dir, with the exception of "addon-data/ADDONNAME". There are some special add-ons which would require more "rights", but this would be a start to contain things like password theft.

But really, I don't know if this is worth the effort.
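The question above about removing the "os" module, the SandboxedPython link in #3 and the point in #13 about things living in the same memory space all come down to one fact: a restriction applied inside the interpreter can be undone by the code it is meant to restrict. The following is an added example, not Kodi code: a constructed toy restriction (os popped from sys.modules and __import__ removed from the builtins the addon sees) and three constructed addon snippets run under it. The sample settings file, its location and the password value in it are made up for the demonstration.

```python
"""Why hiding 'os' inside the Kodi process is not a sandbox (added example, not Kodi code).

Constructed toy restriction: add-on source is executed in a namespace whose
builtins lack __import__, with 'os' removed from sys.modules for the duration.
The ADDON_* strings are constructed add-on code, not anything from the thread.
"""
import builtins
import sys
import tempfile
import os  # used only by the trusted side to set up the demo file


def run_restricted(addon_source, **extra):
    """Run add-on code with 'import' disabled and the os module hidden.

    Returns whatever the add-on stored in its 'result' variable.
    """
    safe_builtins = {k: v for k, v in vars(builtins).items() if k != "__import__"}
    saved = sys.modules.pop("os", None)
    ns = {"__builtins__": safe_builtins, **extra}
    try:
        exec(addon_source, ns)
    finally:
        if saved is not None:
            sys.modules["os"] = saved
    return ns.get("result")


# 1. 'import os' really is blocked by the toy restriction.
ADDON_IMPORT = """
try:
    import os
    result = "os imported"
except ImportError:
    result = "blocked"
"""

# 2. ...but the plain open() builtin still reads any file the Kodi process can
# read, which is where other add-ons' settings (and stored passwords) live.
ADDON_OPEN = """
with open(target) as f:
    result = f.read()
"""

# 3. ...and the os module object is still reachable through the object graph:
# os._wrap_close is a direct subclass of object whose __init__ is a Python
# function, and that function's __globals__ is the os module namespace.
ADDON_WALK = """
for cls in object.__subclasses__():
    if cls.__name__ == "_wrap_close":
        os_ns = cls.__init__.__globals__
        result = sorted(os_ns["listdir"](target_dir))
        break
"""


def demo():
    """Create a constructed settings file and run the three snippets against it."""
    userdata = tempfile.mkdtemp(prefix="kodi-userdata-")
    target = os.path.join(userdata, "settings.xml")
    with open(target, "w") as f:
        f.write("<setting id='password'>hunter2</setting>")  # constructed sample value
    return {
        "import": run_restricted(ADDON_IMPORT),
        "open": run_restricted(ADDON_OPEN, target=target),
        "walk": run_restricted(ADDON_WALK, target_dir=userdata),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Only the first snippet is stopped. The second needs nothing but open(), which is all a password-stealing addon requires, and the third recovers the os namespace through object.__subclasses__() because the module object is still alive in the process whatever sys.modules says. Any restriction that is going to hold has to be enforced from outside the addon's address space, which is the process-separation route discussed in #5 and #13, with an OS-level limit on that process.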
#12
death to python... oh wait, already did that :)
#13
sandboxing of python isn't impossible to realize if one can drop useless OSes. jfcarroll had a working prototype executing python in a separate process. there is no sensible way to sandbox things living in the same memory space so this is a huge part of the puzzle. but ios can't do such things so work on it halted.
#14
hahahaa, sure there is :)