desktop-packages team mailing list archive
Message #97136
[Bug 1415492] [NEW] Create a trusted socket for privileged processes
Public bug reported:
We want to let privileged processes (such as those using the
"unconfined" profile template) access any online account without
needing to be added to the account's ACL.

signond and libsignon-qt already support connecting via a p2p D-Bus
backed by a Unix socket ("$XDG_RUNTIME_DIR/signond/socket"), but it's
currently switched off at build time. We should enable it.

signon-apparmor-extension has to be changed so that a peer connected via
the p2p D-Bus connection will always be treated as "unconfined".

apparmor-easyprof-ubuntu has to be modified so that the "accounts"
policy will restrict access to "$XDG_RUNTIME_DIR/signond/socket" (which
is currently allowed, though unused), but without logging a failure.

** Affects: apparmor-easyprof-ubuntu (Ubuntu)
Importance: Undecided
Status: New
** Affects: signon (Ubuntu)
Importance: Undecided
Status: New
** Affects: signon-apparmor-extension (Ubuntu)
Importance: Undecided
Status: New
** Also affects: apparmor-easyprof-ubuntu (Ubuntu)
Importance: Undecided
Status: New
** Also affects: signon (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to signon in Ubuntu.
https://bugs.launchpad.net/bugs/1415492
Title:
Create a trusted socket for privileged processes
Status in apparmor-easyprof-ubuntu package in Ubuntu:
New
Status in signon package in Ubuntu:
New
Status in signon-apparmor-extension package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1415492/+subscriptions
[Bug 1415492] [NEW] Create a trusted socket for privileged processes
From: Alberto Mardegan, 2015-01-28
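
Because any peer that reaches the socket is treated as "unconfined", the AppArmor rule covering the socket path is the whole trust boundary. The following check is an added example, not code from the bug report or from apparmor-easyprof-ubuntu: it classifies how a profile treats the socket, relying on the AppArmor behaviour that an explicit `deny` rule is not logged unless prefixed with `audit`, while an access matched by no rule is denied and logged. The profile fragments, the uid 1000 path and all function names are constructed for illustration, and only a subset of AppArmor globbing (`*`, `**`, `[...]`, `{a,b}`) is handled.

```python
import re

# Constructed: $XDG_RUNTIME_DIR/signond/socket for uid 1000.
SOCKET = "/run/user/1000/signond/socket"

# Constructed profile fragments (not the real "accounts" policy group).
BEFORE = "  # socket reachable by confined apps\n  owner /run/user/[0-9]*/signond/socket rw,\n"
AFTER = "  deny /run/user/[0-9]*/signond/socket rw,\n"
NOISY = "  audit deny /{,var/}run/user/*/signond/socket w,\n"

# [audit] [deny] [owner] /path perms,
RULE = re.compile(r"^\s*(audit\s+)?(deny\s+)?(?:owner\s+)?(/\S*)\s+([a-zA-Z]+),\s*(?:#.*)?$")

def _rx(glob):
    """Translate a subset of AppArmor globbing into a Python regex."""
    out, i = "", 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):          # ** crosses directory separators
            out, i = out + ".*", i + 2
        elif c == "*":                        # * stays inside one path component
            out, i = out + "[^/]*", i + 1
        elif c == "[":                        # character class, copied as is
            j = glob.index("]", i)
            out, i = out + glob[i:j + 1], j + 1
        elif c == "{":                        # {a,b} alternation (not nested)
            j = glob.index("}", i)
            out += "(?:" + "|".join(_rx(a) for a in glob[i + 1:j].split(",")) + ")"
            i = j + 1
        else:
            out, i = out + re.escape(c), i + 1
    return out

def socket_verdict(profile_text, path=SOCKET):
    """Say whether a confined app could open the socket, and whether a denial is logged."""
    allowed = denied = logged = False
    for line in profile_text.splitlines():
        m = RULE.match(line)
        # Assumption: only rules carrying write permission matter for connecting.
        if not m or "w" not in m.group(4) or not re.fullmatch(_rx(m.group(3)), path):
            continue
        if m.group(2):                        # explicit deny overrides any allow rule
            denied, logged = True, logged or bool(m.group(1))
        else:
            allowed = True
    if denied:
        return "denied, logged" if logged else "denied, silent"
    return "allowed" if allowed else "implicit deny, logged"
```

The result the bug asks for is "denied, silent": merely deleting the allow rule gives "implicit deny, logged", which blocks the socket but fills the audit log with denials from every confined app.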