Parental control

I still don’t understand what Jolla has to do in this area, but I suppose you’re speaking about the Kids Mode app. If yes, then the sources are here: GitHub - anigaj/kids-mode: Kids mode for sailfish OS

2 Likes

No, I meant “multi-user” mode:

Or am I wrong in thinking that this could be an option to set appropriate access rights/access times, etc.?

1 Like

Right, it is useful and helps restrict some things.

Oh, I see now. Yeah, could be interesting. Can you open a new thread specifically titled “Open-source multi-user to include parental control features”, please? So we can keep every thread clean :smiley:

3 Likes

But remember that only the main user can use AppSupport APIs (= Android apps).

The simplest ‘parental control’ would be tweaking connman into using ‘family’ dns (like adguard), limit your kid from terminal and bam it can’t reach any adult site, for time-limits on social media of course that won’t work, but the base ‘cut adult sites for x user account’ it’s practically there
Edit: of course it’s not there yet for GUI, as you’d need to add some systemd service that tweaks connman-control per user and… But the basic ‘cut out adult sites for kid user’ is not that hard to implement

1 Like

Or can use ctrld for more advanced DNS filtering

I’ve no clue, still dns based so should be fine? At least for adult-themed sites, still a better way to approach the subject than expecting everyone to provide their ID and picture/video of themselves to access anything just because you’re too lazy to parent your offspring, ‘just let gov do what it wants, have no time’ is a bane to society

This thread is likely a duplicate of:

https://forum.sailfishos.org/t/multi-user-restrict-apps-per-user-possible/

Anyhow Nephros here had a good point, you can hide any app from the launcher for a kid user:

2 Likes

If just for the Sailfish browser, you can tweak it with about:config to use AdGuard family DNS.

Set these options in about:config.

  1. Open about:config

  2. Type network.trr.mode

  3. Set Value to 3

  4. Type network.trr.custom_uri

  5. Set Value to https://family.adguard-dns.com/dns-query

3 Likes

Just for kicks I played around with the Sailfish Policy (MDM) framework.

I have made a PoC application that can switch on/off the existing supported Policy settings.

I’ll have to clean it up a bit but then the code will appear in this repo:

Notes:

  1. This app is SETUID root. THIS IS BAD, BAD, BAD! Caveat usor.
    (The reason for this is write access to the policy location (/var/lib/policy), which is writable by root and the special group sailfish-mdm. That group has special properties and I don’t want to deal with that currently, therefore the binary runs setuid root. Maybe setgid sailfish-mdm would suffice.)
  2. In the current implementation, only Browser and Camera can be switched on/off. The rest is an exercise for anyone expanding on this code. See src/main.cpp and src/wrapper.h for the very simple magic, and refer to this for the missing calls.
  3. This is an experimental PoC or example or experiment. There’s no indication that this is a good way to go about it (in fact the MDM documentation, if I read it right, says it is not).
  4. I will not provide a runnable binary or installable package for this. You are on your own, and need to do your own tests.
    That being said, you can compile on-device using
    rpmbuild -bb --build-in-place rpm/*.spec 2>&1 | tee build.log,
    as long as you have installed the necessary dependency packages.

7 Likes
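
The setuid-root concern in note 1 above, as an added example that is not part of the original post or the PoC's code: a helper that uses its elevated uid or gid only to open the target file, then drops it permanently and checks that it cannot be regained before writing. It behaves the same whether the binary is setuid root or setgid to a group; `drop_privileges` and `write_policy_value` are hypothetical names, and the file path and content are supplied by the caller.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <string.h>
#include <unistd.h>

/* Permanently give up a setuid/setgid identity. Group goes first: once the
 * effective uid is no longer 0 the process may not be allowed to change gids. */
static int drop_privileges(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    /* Setting the real id as well also overwrites the saved set-id. */
    if (setregid(rgid, rgid) != 0 || setreuid(ruid, ruid) != 0)
        return -1;
    /* Verify: the elevated ids must not be recoverable. */
    if (old_euid != ruid && seteuid(old_euid) == 0)
        return -1;
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* Open the target with the elevated id, drop, then write through the fd.
 * path and value are caller-supplied (hypothetical helper, no policy format
 * is assumed). O_NOFOLLOW refuses a symlink as the final path component. */
int write_policy_value(const char *path, const char *value)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW | O_CLOEXEC, 0640);
    if (drop_privileges() != 0) {   /* fail closed if the drop did not stick */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0)
        return -1;
    size_t len = strlen(value);
    int rc = (write(fd, value, len) == (ssize_t)len) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 3)
        return 2;                   /* usage: prog <file> <value> */
    return write_policy_value(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

Everything after the `open()` call, including any argument parsing or UI code that runs later, executes with the invoking user's ids only.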

I’ll just kick in here to state that parental control is best achieved by:

  1. Limiting access to WLAN/WIFI
  2. Limiting access to Mobile Data
  3. DNS blocks (I use hosts + local DNS server)

That said, I have a 13 year old Gamer child. It is a never ending battle. There is no button to solve that problem. Of course, I could just say NO. BUT, when I was 13, I modified my Passport to get into the bar. This worked until my father’s (adult) students snitched on me. I got around this the next year when (in Canada) I did my ‘Learners Driver’s License’ I modified that. I’m a hacker. In short, it’s very clear to me that this very idea of ‘parental control’ needs to be treated with a little more consideration. I have been very open about access and times with my son, with the proviso that it all depends, young man, on what your grades look like … yada, yada. I think (we’ll see in a few years) that the carrot is the better means than the stick. I’ll footnote that I was raised in a strongly religious environment, a guarantee you’re going to produce a criminal mind.

6 Likes

Thank you for your openness – I am also aware that children need to be guided with care and openness at the beginning. I still think that I am one step ahead of my children when it comes to networking skills, etc. However, a possible time limit for apps would make life much easier for me and my wife without, for example, immediately losing the option for the children to make phone calls. And as long as this could be done without Google, so much the better …

I wonder if this isn’t possible with simple systemd units (searches for @nephros ) It could be a very simple approach that’s easy to develop and non-invasive where the system as a whole is concerned. That should work till they’re about 12 :slight_smile: (sorry for the overly broad assumptions :wink:)

@nephros, can applications obtain a view of what applications are installed? I think not, since that would be breaking out of jail? I wonder. @slava has a mechanism for including apps, based on an entry in a desktop file (I believe) which allows you to include it for his config backups app … here I go ….

That is only if children today do not have older friends. :grin:
Or how do you think we used to get all the booze back in the day?

Fake ID :slight_smile: The cigarettes I got from the 14 year olds. Who got them from the older siblings.

1 Like

For reference, I’m reading @slava’s harbour-mybackup/src/ApplicationModel.h at master · monich/harbour-mybackup · GitHub which leads me to believe an app listing view could be done but NOT with the sailjail sandbox

Weell, You can always poke holes through the sandbox by making an app profile. But of course that leads to no-harbour.

You can get a list of all apps known to Sailjail (i.e. basically all apps which have a .desktop file) using its dbus interface:

    import Nemo.DBus 2.0   // provides DBusInterface

    DBusInterface {
        id: jailBus
        bus: DBus.SystemBus
        service: "org.sailfishos.sailjaild1"
        path: "/org/sailfishos/sailjaild1"
        iface: "org.sailfishos.sailjaild1"
    }

    // ask sailjaild for every application it knows about
    function listApps() {
        jailBus.call("GetApplications", [],
            function(r) {
                // returns array-of-string
                r.forEach(function(a) { appInfo(a) } )
            },
            function(e,m) { console.warn("E:", e, m) }
        )
    }

    function appInfo(app) { console.debug(JSON.stringify(app,null,2)) }

    // you can get details per app with another call:
    /*
    function appInfo(app) {
        jailBus.call("GetAppInfo", [ app ],
            // returns a{sv}, so a list of objects.
            function (r) {
                // do something here
                console.debug(JSON.stringify(r,null,2))
            },
            function(e,m) { console.warn("E:", e, m) }
        )
    }
    */

You need to be able to talk to the System bus and that sailjail interface, therefore your sailjail app profile needs this:

    # -*- mode: sh -*-

    # Firejail profile for my-app

    ## PERMISSIONS
    # x-sailjail-permission = Base

    # if we provide a profile, and are QML only we need to whitelist this:
    private-bin /usr/bin/sailfish-qml

    # Allow ipc with sailjail daemon.
    dbus-system.talk org.sailfishos.sailjaild1
    dbus-system.call org.sailfishos.sailjaild1=org.sailfishos.sailjaild1.*@/*

OR, alternatively, your app must be run through a booster, because boosted applications gain the capability to talk to the sailjaild dbus per default:

    grep booster /etc/sailjail/permissions/*
    cat /etc/sailjail/permissions/booster.inc

Thank you! This is what I was hoping for, but ignorant of ….