libmalcontent implements parental controls support which can be used by applications to filter or limit the access of child accounts to inappropriate content.
Go to file
Christopher Davis d11e609543 dependencies: Add libhandy as a subproject
Allows for building on systems that don't ship libhandy
or a version of libhandy that's new enough.
2022-07-20 19:23:12 -03:00
.gitlab-ci libmalcontent-ui: Port to libappstream 2022-07-13 15:26:12 +01:00
accounts-service Remove superfluous arguments to i18n.merge_file 2022-01-13 09:50:05 +01:00
build-aux build: Only update post-install caches when they exist 2020-04-05 10:52:05 +02:00
help Update Russian translation 2022-06-05 11:43:28 +10:00
libmalcontent libmalcontent: Add mct_app_filter_equal() comparison method 2020-11-03 17:49:00 +00:00
libmalcontent-ui dependencies: Add libhandy as a subproject 2022-07-20 19:23:12 -03:00
malcontent-client malcontent-client: Add newer subcommands and examples to man page 2020-10-27 18:26:51 +00:00
malcontent-control dependencies: Add libhandy as a subproject 2022-07-20 19:23:12 -03:00
pam tests: Respect pamlibdir in installed tests 2020-04-28 13:57:29 +01:00
po libmalcontent-ui: Port to libappstream 2022-07-13 15:26:12 +01:00
subprojects dependencies: Add libhandy as a subproject 2022-07-20 19:23:12 -03:00
tools build: Port meson-make-symlink script to Python 2019-12-02 22:57:13 +08:00
.gitlab-ci.yml libmalcontent-ui: Port to libappstream 2022-07-13 15:26:12 +01:00
COPYING Initial commit of README and COPYING 2018-09-24 15:35:58 +01:00
COPYING-DOCS help: Add a basic user manual for malcontent-control 2020-04-03 15:08:47 +01:00
HACKING.md docs: Document terminology used in the project 2020-10-28 17:01:44 +00:00
NEWS 0.10.5 2022-05-31 13:56:40 +01:00
README.md libmalcontent-ui: Port to libappstream 2022-07-13 15:26:12 +01:00
malcontent.doap docs: Tidy up wording in DOAP file 2020-10-28 16:35:18 +00:00
meson.build dependencies: Add libhandy as a subproject 2022-07-20 19:23:12 -03:00
meson_options.txt Add option to tweak privileged group in polkit rules 2020-06-18 03:35:36 +07:00
template.test.in libeos-parental-controls: Add placeholder unit tests 2018-10-06 00:48:36 +01:00

README.md

malcontent

malcontent implements support for restricting the type of content accessible to non-administrator accounts on a Linux system. Typically, when this is used, a non-administrator account will be for a child using the system; and the administrator accounts will be for the parents; and the content being filtered will be apps which are not suitable for the child to use, due to (for example) being too violent.

It provides an accounts-service vendor extension for storing an app filter to restrict the childs access to certain applications; a simple library for accessing and applying the app filter; and a UI program (malcontent-control) for viewing and changing the parental controls settings on users.

The parental controls policy is stored in /var/lib/AccountsService/users/${user}, which is a key file readable and writable only by the accounts-service daemon. Access to the data is mediated through accounts-services D-Bus interface, which libmalcontent is a client library for.

All the library APIs are currently unstable and are likely to change wildly.

Two kinds of policy are currently supported:

  • A filter specifying whether installed applications are allowed to be run; this is typically set up to restrict access to a limited set of already-installed applications — but it can be set up to only allow access to a fixed list of applications and deny access to all others. Applications which are not currently installed are not subject to this filter.
  • A set of mappings from OARS categories to the maximum ratings for those categories which are permissible for a user to install apps with. For example, a mapping of violence-realistic=mild would prevent any applications containing more than mild violence from being installed. Applications which are already installed are not subject to this filter.

Additional policies may be added in future, such as filtering by content type or limiting the amount of time a user is allowed to use the system for.

Any application or service which provides the user with access to content which should be parentally filtered is responsible for querying the users parental controls filter and refusing to provide the content if not permitted by the filter. This could mean refusing to launch a flatpak app, hiding a search result in gnome-shell, or hiding an app in gnome-software because of its high OARS rating.

A sufficiently technically advanced user may always work around these parental controls. malcontent is not a mandatory access control (MAC) system like AppArmor or SELinux. However, its correct use by applications should provide enough of an obstacle to prevent users easily or accidentally having access to content which they shouldnt.

Development principles

malcontent exists to make it easier for parents to responsibly set limits on what their children can do on the computer (similarly, for other carer/caree relationships). It should provide guidance on, and nudge parents towards, following the best practice for discussing, choosing and setting restrictions on their childs computer use.

Restrictions should be supported which allow giving children access to material which is appropriate to their age/stage of development, but which can restrict access to other material so they are not overwhelmed with too many, or too complex, ideas for their stage of development. Similarly, restrictions should be supported to control unsupervised communication with unknown people online, as being coerced or bullied is one of the more common harms for children online.

Best practices should be research and evidence-based, and supported by large international or national childrens organisations or charities. They may change over time.

malcontent is a tool to help with a social problem. In the hands of a bad parent, it can be used to do bad things. Features in malcontent should be designed with that in mind, such that if they are used maliciously, they should not give the parent radically more power over their child than they would have had without malcontent.

Example usage

malcontent ships a malcontent-client application which can be used to get and set parental controls policies for users.

$ # This sets the parental controls policy for user philip to allow no \\
    installation of apps with anything more than none for realistic violence, \\
    and to blocklist running the org.freedesktop.Bustle flatpak:
$ malcontent-client set philip \\
    violence-realistic=none \\
    app/org.freedesktop.Bustle/x86_64/stable
App filter for user 1000 set

With that policy in place, other applications which are aware of malcontent will apply the policy:

$ flatpak run org.freedesktop.Bustle
error: Running app/org.freedesktop.Bustle/x86_64/stable is not allowed by the policy set by your administrator

Development

When developing malcontent, you should be able to run an uninstalled version of malcontent-client or malcontent-control, as long as the polkit files from accounts-service/ and malcontent-control/org.freedesktop.MalcontentControl.policy.in have been installed system-wide (typically under /usr/share/polkit-1) where your system copy of polkitd can find them.

Dependencies

  • accounts-service
  • appstream
  • dbus-daemon
  • flatpak
  • gio-2.0 ≥ 2.60
  • gio-unix-2.0 ≥ 2.60
  • glib-2.0 ≥ 2.60
  • gobject-2.0 ≥ 2.60
  • gtk+-3.0
  • polkit-gobject-1

Licensing

All code in the libraries in this project is licensed under LGPL-2.1+. Code in the malcontent-control application is licensed under GPL-2.0+. See COPYING and the copyright headers in individual files for more details.

Bugs

Bug reports and patches should be filed in GitLab.