touch-packages team mailing list archive
Message #00388
[Bug 1327426] Re: scopes runner should set various confinement variables
** Changed in: unity-scopes-api
Status: Triaged => In Progress
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unity-scopes-api in
Ubuntu.
https://bugs.launchpad.net/bugs/1327426
Title:
scopes runner should set various confinement variables
Status in API for Unity scopes integration:
In Progress
Status in “unity-scopes-api” package in Ubuntu:
New
Bug description:
Click apps started with ubuntu-app-launch (or via aa-exec-click via legacy desktop files) have a number of environment variables set. Eg, for a test app of mine with APP_ID of 'com.ubuntu.developer.jdstrand.click-env_click-env_0.1', the following are set by ubuntu-app-launch:
APP_ID=com.ubuntu.developer.jdstrand.click-env_click-env_0.1
__GL_SHADER_DISK_CACHE_PATH=/home/phablet/.cache/com.ubuntu.developer.jdstrand.click-env
LD_LIBRARY_PATH=/opt/click.ubuntu.com/.click/users/phablet/com.ubuntu.developer.jdstrand.click-env/lib/arm-linux-gnueabihf:/opt/click.ubuntu.com/.click/users/phablet/com.ubuntu.developer.jdstrand.click-env/lib
PATH=/opt/click.ubuntu.com/.click/users/phablet/com.ubuntu.developer.jdstrand.click-env/lib/arm-linux-gnueabihf/bin:/opt/click.ubuntu.com/.click/users/phablet/com.ubuntu.developer.jdstrand.click-env:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
QML2_IMPORT_PATH=/opt/click.ubuntu.com/.click/users/phablet/com.ubuntu.developer.jdstrand.click-env/lib/arm-linux-gnueabihf
TMPDIR=/run/user/32011/confined/com.ubuntu.developer.jdstrand.click-env
UBUNTU_APPLICATION_ISOLATION=1
XDG_CACHE_HOME=/home/phablet/.cache
XDG_CONFIG_HOME=/home/phablet/.config
XDG_DATA_DIRS=/opt/click.ubuntu.com/.click/users/phablet/com.ubuntu.developer.jdstrand.click-env:/usr/share
XDG_DATA_HOME=/home/phablet/.local/share
XDG_RUNTIME_DIR=/run/user/32011
For scopes, we should probably do the same thing. I suggest the following:
APP_ID=<apparmor profile name>
LD_LIBRARY_PATH=<click install directory>/lib/$multiarch:<click install directory>/lib
PATH=<click install directory>/lib/$multiarch/bin:<click install directory>:$PATH
UBUNTU_APPLICATION_ISOLATION=1
XDG_DATA_DIRS=<click install directory>:/usr/share
XDG_DATA_HOME=$HOME/.local/share
XDG_RUNTIME_DIR=/run/user/$UID
APP_ID may not strictly be needed since these are scopes and not
subject to application lifecycle, etc, but if it is provided
developers will have a consistent environment when developing apps and
scopes and it might make it easier for them to programmatically
determine the location of certain directories, specifically their
scope-specific writable area. Eg:
my_pkgname = $APP_ID.split('_')[0]
my_writable_dir = $XDG_DATA_HOME/unity-scopes/leaf-net/$my_pkgname
You could also just provide an API to determine these directories (as
was discussed at the sprint).
TMPDIR is not listed above, but probably should be since apparmor policy does not allow access to /tmp. If you want to provide that, I suggest:
TMPDIR=/run/user/$UID/confined-scopes/leaf-net/<'name' from click manifest>
Note, 'leaf-net' is used for the same reason here as it is in
{HOME}/.local/share/unity-scopes/leaf-net/@{APP_PKGNAME}/ in the
policy: to prevent other scope types from having overlapped writable
directories which could lead to information disclosure (see bug
1326105 for a description of the attack). 'leaf-net' should be used
with scopes that use the ubuntu-scope-network apparmor template and
'leafs-fs' for scopes that use the (currently unavailable)
ubuntu-scope-local-content apparmor template.
To manage notifications about this bug go to:
https://bugs.launchpad.net/unity-scopes-api/+bug/1327426/+subscriptions
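
Added example, not part of the original bug report and not unity-scopes-api code: one way a runner could assemble the environment proposed above, including the suggested TMPDIR and the scope-specific writable directory. The function names, the component check and the com.example.myscope sample values are assumptions made for illustration.

```python
import re

# Assumed rule: each name must be a single path component, so a crafted
# name cannot step out of its own per-scope directory.
_COMPONENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]*")


def scope_env(profile, click_dir, manifest_name, multiarch, uid, home,
              base_path, scope_type="leaf-net"):
    """Build the variables suggested in the bug description, plus TMPDIR."""
    for label, value in (("profile", profile),
                         ("manifest name", manifest_name),
                         ("scope type", scope_type)):
        if not _COMPONENT.fullmatch(value):
            raise ValueError(f"unsafe {label}: {value!r}")
    runtime = f"/run/user/{int(uid)}"
    return {
        "APP_ID": profile,  # the apparmor profile name
        "LD_LIBRARY_PATH": f"{click_dir}/lib/{multiarch}:{click_dir}/lib",
        "PATH": f"{click_dir}/lib/{multiarch}/bin:{click_dir}:{base_path}",
        "UBUNTU_APPLICATION_ISOLATION": "1",
        "XDG_DATA_DIRS": f"{click_dir}:/usr/share",
        "XDG_DATA_HOME": f"{home}/.local/share",
        "XDG_RUNTIME_DIR": runtime,
        # policy does not allow /tmp, so TMPDIR lives under the runtime dir
        "TMPDIR": f"{runtime}/confined-scopes/{scope_type}/{manifest_name}",
    }


def scope_writable_dir(env, scope_type="leaf-net"):
    """Derive the writable area from APP_ID, as in the report's 'Eg'."""
    pkgname = env["APP_ID"].split("_")[0]
    return f"{env['XDG_DATA_HOME']}/unity-scopes/{scope_type}/{pkgname}"


if __name__ == "__main__":
    # Constructed sample values; uid and multiarch are the ones quoted above.
    click = "/opt/click.ubuntu.com/.click/users/phablet/com.example.myscope"
    env = scope_env("com.example.myscope_myscope_0.1", click,
                    "com.example.myscope", "arm-linux-gnueabihf", 32011,
                    "/home/phablet", "/usr/bin:/bin")
    for key in sorted(env):
        print(f"{key}={env[key]}")
    print("writable:", scope_writable_dir(env))
```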