[chongli]

No, what I’m asking is: why does the operating system allow the video player to do anything other than what it needs to do to play videos? If the video player suddenly starts trying to access files on its own (anything not explicitly chosen by the user through system file dialog) or trying to access the internet then the user should be prompted to give permission.

We have this kind of API permission (capability) system on phones. Why can’t we have a really fine-grained one on desktops? It’s like a firewall for APIs.

[MobiusHorizons]

The ux you are describing is a lot worse than what people get with vlc or mplayer. For example, you can open videos from the cli, which means there is no file chooser involved. Also if you have a subtitle file (.srt) with the same name as the video you opened, the subtitles will automatically be added. Both of these are things people want as part of a versatile video player.

The level of lockdown you were describing is what we have on mobile platforms (which incidentally still have lots of malware). Generally speaking, people want more flexibility out of general purpose computers.

On the other hand something like pledge would be useful here, since the attack vector is untrusted files, not untrusted applications. With pledge, the application could open any files, then relinquish the ability to open new files before parsing the contents.

[chongli]

The level of lockdown you were describing is what we have on mobile platforms (which incidentally still have lots of malware). Generally speaking, people want more flexibility out of general purpose computers.

I expected this response. I think it's a false equivalence. We don't need to have a proprietary locked-down operating system like iOS in order to give the user full control over the capabilities an application has access to. We just need a standard API for handling these sorts of permissions.

[MobiusHorizons]

Granularity is usually the problem here. It is very difficult to fully specify the full set of things you expect a program to be able to do. Even if you could, it is not usually something an end-user will want to do, due to the verbosity involved. Permissions are also time / sequence dependent. If you have something that can specify the user's expectations fully, it will be very verbose due to the inherent complexity, so the system will either be unused, default to overly broad permissions lists, or rely on trusting various pre-baked recipes that others have made. At that point I'm not sure how much you have gained for the average user, and it seems you lose some very real usability in the process.

Curious to hear how you would go about solving this problem. It seems that there is just a lot of inherent complexity here and I can't see any way to avoid that complexity without preventing the system from being useful.

[bobdvb]

Decoding the video involves hardware acceleration, so data is not just processed at the application layer, it's passed much deeper. In very specific and rare attacks, it's been possible to bypass application and even OS level protections by crafting media files. So that when they're processed there's an overflow which dumps some payload into unprotected memory and allows some intrusion into the viewers system. This has been done with photos, general images and videos.

It's not reliable unless you happen to know the specific, unpatched exploit on the target system. There aren't general purpose vulnerabilities for such things.

[vel0city]

Many times these kinds of attacks are buffer overflows, tricking the hardware/OS to execute code it wasn't intending. Its not just that the media player starts to behave strangely, often the attack corrupts code outside the media player. See the Android Mediaserver vulnerabilities, or many of the buffer overflow vulnerabilities in ffmpeg.

If an attack corrupts how the OS checks permissions, it doesn't matter if you've got some API framework for calls, it broke out of it.

[1317]

both of those examples happen within normal usage

file system for finding external subs (or like, playing the video)

internet for streaming

and then oh look, it has the permission