|
| 1 | +# Security and UX Seam Review |
| 2 | + |
| 3 | +## Component Integration Points |
| 4 | + |
| 5 | +### 1. TUI ↔ Config File (`config.toml`) |
| 6 | + |
| 7 | +**Security:** |
| 8 | +- ✓ Config file in user home (~/.config/), not world-readable |
| 9 | +- ✓ No credentials stored in config (rclone handles auth separately) |
| 10 | +- ⚠ **TODO**: Add config file validation before parsing |
| 11 | +- ⚠ **TODO**: Add file permission check (should be 0600) |
| 12 | + |
| 13 | +**UX:** |
| 14 | +- ✓ TUI reads existing config on startup |
| 15 | +- ⚠ **TODO**: Show warning if config has syntax errors |
| 16 | +- ⚠ **TODO**: Add config file backup before overwrite |
| 17 | + |
| 18 | +### 2. TUI ↔ systemd Services |
| 19 | + |
| 20 | +**Security:** |
| 21 | +- ✓ Services run as user (not root) |
| 22 | +- ✓ Services use `NoNewPrivileges=true` |
| 23 | +- ✓ `ProtectSystem=strict` limits writes |
| 24 | +- ✓ Generated services go to user's systemd dir |
| 25 | + |
| 26 | +**UX:** |
| 27 | +- ✓ Clear feedback on apply success/failure |
| 28 | +- ⚠ **TODO**: Show diff before applying changes |
| 29 | +- ⚠ **TODO**: Add rollback capability |
| 30 | + |
| 31 | +### 3. Overlay Daemon ↔ rclone RC |
| 32 | + |
| 33 | +**Security:** |
| 34 | +- ✓ Connects only to localhost |
| 35 | +- ✓ Timeouts on RC requests (2 seconds) |
| 36 | +- ⚠ **TODO**: Add authentication to RC if exposed |
| 37 | +- ⚠ **RISK**: RC port could be accessed by local malware |
| 38 | + |
| 39 | +**Mitigation**: Document that RC should bind to 127.0.0.1 only |
| 40 | + |
| 41 | +**UX:** |
| 42 | +- ✓ Graceful degradation if rclone not responding |
| 43 | +- ✓ Status caching to reduce queries |
| 44 | + |
| 45 | +### 4. Tray Daemon ↔ Health Check |
| 46 | + |
| 47 | +**Security:** |
| 48 | +- ✓ Health check is read-only |
| 49 | +- ✓ No sensitive data in status output |
| 50 | + |
| 51 | +**UX:** |
| 52 | +- ✓ Desktop notifications for status changes |
| 53 | +- ✓ Menu actions for common tasks |
| 54 | +- ⚠ **TODO**: Add notification throttling (avoid spam) |
| 55 | + |
| 56 | +### 5. SELinux Policy ↔ File Operations |
| 57 | + |
| 58 | +**Security:** |
| 59 | +- ✓ Confined rclone_t domain |
| 60 | +- ✓ Cache files labeled rclone_cache_t |
| 61 | +- ✓ Mount points labeled rclone_mount_t |
| 62 | +- ✓ Denies access to shadow/etc |
| 63 | +- ✓ Boolean tunables for debugging |
| 64 | + |
| 65 | +**UX:** |
| 66 | +- ⚠ **TODO**: Add semanage commands to install.sh |
| 67 | +- ⚠ **TODO**: Document SELinux troubleshooting |
| 68 | + |
| 69 | +### 6. Install Script ↔ Components |
| 70 | + |
| 71 | +**Security:** |
| 72 | +- ✓ Uses install(1) with explicit permissions |
| 73 | +- ✓ Doesn't require root for most operations |
| 74 | +- ✓ SELinux/audit install prompts for sudo |
| 75 | +- ⚠ **TODO**: Verify downloaded checksums if fetching |
| 76 | + |
| 77 | +**UX:** |
| 78 | +- ✓ Progress messages with colors |
| 79 | +- ✓ Uninstall option |
| 80 | +- ✓ Dry-run capability needed |
| 81 | + |
| 82 | +### 7. Nautilus Extension ↔ D-Bus |
| 83 | + |
| 84 | +**Security:** |
| 85 | +- ✓ D-Bus session bus (user only) |
| 86 | +- ✓ Read-only status queries |
| 87 | +- ⚠ Python extension runs in Nautilus process |
| 88 | + |
| 89 | +**UX:** |
| 90 | +- ✓ Emblems update automatically |
| 91 | +- ⚠ **TODO**: Handle D-Bus connection failure gracefully |
| 92 | + |
| 93 | +### 8. Watchdog Timer ↔ Services |
| 94 | + |
| 95 | +**Security:** |
| 96 | +- ✓ Only restarts services that should be running |
| 97 | +- ✓ notify-send for visibility |
| 98 | + |
| 99 | +**UX:** |
| 100 | +- ✓ 5-minute check interval (not too aggressive) |
| 101 | +- ⚠ **TODO**: Exponential backoff on repeated failures |
| 102 | + |
| 103 | +## Privilege Escalation Review |
| 104 | + |
| 105 | +| Operation | Requires sudo | Justification | |
| 106 | +|-----------|---------------|---------------| |
| 107 | +| Install binaries | No | User's ~/.local | |
| 108 | +| Install services | No | User's systemd | |
| 109 | +| Install SELinux | **Yes** | System policy | |
| 110 | +| Install audit rules | **Yes** | System audit | |
| 111 | +| Install Nautilus ext | No | User's data dir | |
| 112 | + |
| 113 | +## Data Flow Security |
| 114 | + |
| 115 | +``` |
| 116 | +User Input (TUI) |
| 117 | + ↓ |
| 118 | +Config Validation (TODO: add) |
| 119 | + ↓ |
| 120 | +Service File Generation |
| 121 | + ↓ |
| 122 | +systemd --user |
| 123 | + ↓ |
| 124 | +rclone (confined by SELinux) |
| 125 | + ↓ |
| 126 | +FUSE mount (rclone_mount_t) |
| 127 | + ↓ |
| 128 | +Cloud API (HTTPS only) |
| 129 | +``` |
| 130 | + |
| 131 | +## Recommendations for v1.0 |
| 132 | + |
| 133 | +### Must Fix Before Release |
| 134 | + |
| 135 | +1. **Config validation**: Add schema validation before parsing |
| 136 | +2. **Permission checks**: Verify config file permissions |
| 137 | + |
| 138 | +### Should Fix (can be post-v1.0) |
| 139 | + |
| 140 | +1. Add notification throttling |
| 141 | +2. Add config backup before overwrite |
| 142 | +3. Add change diff preview |
| 143 | +4. Document SELinux troubleshooting |
| 144 | + |
| 145 | +### Nice to Have |
| 146 | + |
| 147 | +1. Dry-run for install script |
| 148 | +2. Exponential backoff in watchdog |
| 149 | +3. RC authentication support |
| 150 | + |
| 151 | +## UX Improvements Identified |
| 152 | + |
| 153 | +1. **Error messages**: Make validation errors more helpful |
| 154 | +2. **First-run experience**: Detect if rclone not configured |
| 155 | +3. **Status bar**: Show sync progress in TUI |
| 156 | +4. **Keyboard shortcuts**: Document all shortcuts in TUI header |
| 157 | + |
| 158 | +## Conclusion |
| 159 | + |
| 160 | +The v1.0 architecture is sound with appropriate security boundaries. The main gaps are: |
| 161 | +- Input validation for config files |
| 162 | +- Some edge cases in error handling |
| 163 | + |
| 164 | +Recommend proceeding with v1.0 release after adding config validation. |
0 commit comments