A system for controlling what can be done within a desktop session, to be used as a parental control system for example.
- Not just internet filtering (e.g. DansGuardian) but also control over which local applications can be run
- Require root access to disable or reconfigure. (Not yet achieved)
- As simple as possible to set up and maintain
Install the desktop-control.sh script for the target user(s).
Open any windows that should always be allowed.
Run xdotool search --sync --onlyvisible . getwindowname %@ > allowed.patterns
Edit allowed.patterns
to taste. Each line will be interpreted as a pattern so *
, ?
, [
, +
, @
, and !
have special meaning.
Run desktop-control.sh &
and do everything that should be allowed. Open permitted apps and exercise them as should be allowed. Do any configuration that should be allowed (e.g. configure a new WiFi connection). The names of any windows that are closed will be added to closed.names
. Copy the ones you want to allow into allowed.patterns
and edit to taste.
To stop the desktop-control.sh script run killall desktop-control.sh
.
The desktop-control.sh script periodically (every 3 seconds) runs xdotool to get the titles of all windows. The titles of any windows that don't match a regular expression in allowed.patterns
are added to closed.names
and closed.
Don't close any windows if allowed.patterns
doesn't exist.
Use pam_script to automatically run desktop-control.sh upon login and kill it on logout
Prompt the user before closing the window to allow an admin to override for a specific window and/or add it to the whitelist.
Provide a graphical tool for modifying the whitelist.