Autostart and MAC security

Mike Hearn mike at plan99.net
Wed Feb 22 01:35:26 EET 2006


One thing that's worth considering here is security - on Windows the
ability for apps to register themselves as auto-startable in many
different places has been an attack vector for malware.

Right now Linux is in the same situation: you could make an app auto-start
by abusing:

- session management
- various $HOME dotfiles (.xsession, .profile ?)
- gnome/kde specific mechanisms for this
- and now this spec

It's legitimate for apps to auto-start themselves at login time, but it
needs to be carefully controlled so apps cannot do it without the user
knowing.

Obviously if an app is installed as root via RPM or whatever then it's
game over. But it's possible for malware to be installed via other routes:
browser/email exploits, running saved attachments, whatever. And actually
on Windows that's often what happens.

Frameworks like SELinux or AppArmor can help prevent this - if only a
certain program, say /usr/bin/register-autostart can write to
~/.config/autostart and no other programs run with regular user privs can,
then this register-autostart program can pop up a GUI saying "Do you
really want $XYZ program to auto-start? Yes/No" giving users a chance to
veto this request. OK it may not help /much/ but it might help a bit.

Adapting the spec to have this wouldn't be hard, just say that apps
are not allowed to write directly to ~/.config/autostart, and that if they
wish to register/unregister autostart after the fact (from their prefs
window for instance) they must do it via a command line app.

Anyway it's worth considering this sort of approach for future specs as
well. Routing configuration tasks via a program could help fend off
malware in future.

thanks -mike
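
A sketch of the register-autostart helper proposed above, as an added example that is not part of the original post: it parses the requested entry, shows the user the actual Exec command rather than only the name, and writes just the fields that were confirmed. The function names, the terminal prompt standing in for the GUI, and the XDG_CONFIG_HOME lookup are assumptions; the MAC policy that stops other programs writing the directory is assumed to be configured separately.

```python
import configparser
import os
import tempfile
from pathlib import Path

def parse_entry(text):
    """Return (Name, Exec) from a .desktop entry; raise ValueError if unusable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                      # desktop keys are case-sensitive
    try:
        cp.read_string(text)
        sec = cp["Desktop Entry"]
        name, exec_line = sec["Name"], sec["Exec"]
    except (configparser.Error, KeyError) as e:
        raise ValueError(f"not a usable desktop entry: {e}") from None
    for v in (name, exec_line):
        # control characters could spoof the prompt or smuggle extra keys
        if not v.strip() or any(ord(c) < 0x20 or ord(c) == 0x7f for c in v):
            raise ValueError("empty value or control character in Name/Exec")
    return name, exec_line

def tty_confirm(name, exec_line):
    """Terminal stand-in (assumption) for the GUI prompt described in the post."""
    print(f"{name!r} wants to start at every login and run:\n    {exec_line}")
    return input("Allow? [y/N] ").strip().lower() == "y"

def register_autostart(app_id, entry_text, confirm=tty_confirm, autostart_dir=None):
    """Write the entry only if confirm(name, exec_line) is true; return path or None."""
    if not app_id or app_id.startswith(".") or any(c in app_id for c in "/\\\0"):
        raise ValueError("app id must be a plain file name")
    name, exec_line = parse_entry(entry_text)
    if not confirm(name, exec_line):
        return None                           # user vetoed: nothing is written
    base = os.environ.get("XDG_CONFIG_HOME") or os.path.expanduser("~/.config")
    d = Path(autostart_dir or os.path.join(base, "autostart"))
    d.mkdir(parents=True, exist_ok=True)
    # Write exactly what the user saw, not the caller's raw text.
    body = f"[Desktop Entry]\nType=Application\nName={name}\nExec={exec_line}\n"
    fd, tmp = tempfile.mkstemp(dir=d, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            f.write(body)
        os.replace(tmp, d / f"{app_id}.desktop")   # atomic within the directory
    except BaseException:
        os.unlink(tmp)
        raise
    return d / f"{app_id}.desktop"
```

Regenerating the file from the confirmed fields avoids a mismatch between what the prompt displayed and what the session later parses.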



