Parental Controls integration in Ubuntu using malcontent

The following is a review of the new parental control features coming to GNOME and what we need to do to ensure it is well integrated into Ubuntu desktop. This page may become out of date as new information is learnt or projects develop.

Current system

  • The parental controls project is Malcontent, developed by Endless, primary developer Philip Withnall.
  • Uses an AccountsService vendor extension to store policy on user accounts:
$ gdbus call --system --dest org.freedesktop.Accounts --object-path /org/freedesktop/Accounts/User1001 --method org.freedesktop.DBus.Properties.Get 'com.endlessm.ParentalControls.AppFilter' 'AppFilter'
(<(false, ['app/org.gnome.Calculator/x86_64/stable'])>,)
  • The app filter (example above) contains either Flatpak refs (app/org.gnome.Calculator/x86_64/stable) or full paths (/usr/bin/gnome-calculator). It does not use/support AppStream IDs, desktop IDs or Snap names at this time.
  • Applications or services that provide access to content that should be filtered need to access AccountsService to check the filters - malcontent helps to put barriers up to users but doesn’t guarantee that content is not accessible.
  • The malcontent project provides a graphical tool for configuring parental controls. It only shows apps that are Flatpaks (detected using the X-Flatpak key in the desktop file) or desktop files that have the X-Parental-Controls key set to anything other than none.
  • gnome-shell checks the filters to limit what applications are shown.
  • gnome-control-center filters the applications panel using malcontent. The user panel shows parental control status and launches the malcontent tool when selected.
  • gnome-software filters applications both locally and remotely (based on OARS ratings).
  • The Flatpak command line tool filters applications both locally and remotely.
  • There is a PAM module (part of malcontent project) that acts on the malcontent time restrictions.

What integrations we may need in Ubuntu

  • Ensure that gnome-shell, gnome-software and gnome-control-center are all compiled with malcontent support. This will require malcontent to be in main.
  • We will need to distribute the malcontent PAM module by default if we want time restrictions.
  • We may want to modify the snap run command to check malcontent (otherwise users can get around the limitation if they use the command line).
  • To make snaps show up in the malcontent configuration tool we need snaps to set the X-Parental-Controls key in snap .desktop files OR we need to make malcontent understand snap desktop files (using the X-SnapInstanceName key).
  • If we want OARS content rating support with snaps, this would need integration end-to-end from the Snap Store service to snapd and any snapd clients (e.g. the Snap Store app).
1 Like
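
An added example, not part of the original post and not malcontent's own code: it parses the gdbus reply shown above and evaluates a Flatpak ref or an absolute path against the filter. It assumes the leading boolean means "the list is an allowlist" when true and a blocklist when false; the function names and the second sample filter are constructed for illustration.

```python
import ast
import os
import re

# Reply text copied from the gdbus call in the post above.
SAMPLE = "(<(false, ['app/org.gnome.Calculator/x86_64/stable'])>,)"
# Constructed sample: the same app listed both as a Flatpak ref and as a path.
SAMPLE_BOTH = ("(<(false, ['app/org.gnome.Calculator/x86_64/stable', "
               "'/usr/bin/gnome-calculator'])>,)")

# gdbus prints an empty string array as "@as []", hence the optional prefix.
_REPLY = re.compile(r"^\(<\((true|false), (?:@as )?(\[.*\])\)>,\)$")


def parse_app_filter(reply):
    """Return (is_allowlist, entries) from the text reply of the gdbus call."""
    match = _REPLY.match(reply.strip())
    if not match:
        raise ValueError("unexpected AppFilter reply: %r" % reply)
    entries = ast.literal_eval(match.group(2))  # literals only, never eval()
    if not all(isinstance(entry, str) for entry in entries):
        raise ValueError("AppFilter entries must be strings")
    return match.group(1) == "true", entries


def is_allowed(app_filter, target):
    """Check a Flatpak ref or an absolute path against the filter.

    Paths are normalised so '/usr/bin/../bin/x' matches '/usr/bin/x'.
    Snap names and desktop IDs never match an entry, as the post notes.
    """
    is_allowlist, entries = app_filter
    if target.startswith("/"):
        paths = {os.path.normpath(e) for e in entries if e.startswith("/")}
        listed = os.path.normpath(target) in paths
    else:
        listed = target in entries
    # Assumption: true means only listed apps may run, false means listed apps are blocked.
    return listed if is_allowlist else not listed
```

A launcher that checks only one of the two entry forms will disagree with the filter for an app reachable both ways, which is why the constructed sample lists the ref and the path together.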

We would be interested in supporting this as well in Ubuntu Budgie.

From the above the only bits that we think we need to worry about are

  1. the gnome-shell changes that need to be added to budgie i.e. gnome-software and gnome-control-center are part of our desktop.
  2. the PAM module - is this specific to GDM3? UB is using lightdm.

So as more info becomes available please can you share what changes gnome-shell are making to support malcontent?

There is a snapcraft forum post to discuss the snap work that would be needed there.

The malcontent MIR would require promoting libflatpak (or patching out the code to use the command line utility or something).

1 Like

I believe that the gnome-shell changes have already landed. The shell just checks malcontent and hides applications that are not allowed.

The PAM module is not specific to any login manager - it will disallow any logins once the time limit is exceeded (including command line). Systemd handles logging out the user when the time limit is reached.

This only works for systemd-handled sessions, correct? Not if connected on a tty1 (login) or sudo session?

Locking would be more appropriate, right?

Yes, the malcontent PAM module sets a variable that the systemd module handles. I don’t know more detail beyond that though.

I’m not sure what the systemd module does - it might just lock the session.

1 Like

I talked with Philip and he said “the time-limited session feature in malcontent is not finished yet. The PAM module is complete, but we still need some infrastructure to store the user’s cumulative session time so we know what residual time limits to apply to each new session. … For the moment, I recommend you disable the PAM module, unless you’re going to work on integrating it.”

1 Like