A system for controlling what can be done within a desktop session, to be used as a parental control system for example.
- Not just internet filtering (e.g. DansGuardian) but also control over which local applications can be run
- Require root access to disable or reconfigure. (Not yet achieved)
- As simple as possible to set up and maintain
Install the desktop-control.sh script for the target user(s).
Open any windows that should always be allowed.
Run xdotool search --sync --onlyvisible . getwindowname %@ > allowed.patterns
Edit allowed.patterns to taste. Each line will be interpreted as a pattern so *, ?, [, +, @, and ! have special meaning.
Run desktop-control.sh & and do everything that should be allowed. Open permitted apps and exercise them as should be allowed. Do any configuration that should be allowed (e.g. configure a new WiFi connection). The names of any windows that are closed will be added to closed.names. Copy the ones you want to allow into allowed.patterns and edit to taste.
To stop the desktop-control.sh script run killall desktop-control.sh.
The desktop-control.sh script periodically (every 3 seconds) runs xdotool to get the titles of all windows. The titles of any windows that don't match a regular expression in allowed.patterns are added to closed.names and closed.
Don't close any windows if allowed.patterns doesn't exist.
Use pam_script to automatically run desktop-control.sh upon login and kill it on logout
Prompt the user before closing the window to allow an admin to override for a specific window and/or add it to the whitelist.
Provide a graphical tool for modifying the whitelist.