touch-packages team mailing list archive

Thread
Date

[Bug 1219644] Re: Account plugins should be made confinable by apparmor

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: Alberto Mardegan <1219644@xxxxxxxxxxxxxxxxxx>
Date: Wed, 03 Dec 2014 15:15:38 -0000
Reply-to: Bug 1219644 <1219644@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

The attached branch is a WIP with the changes on the Online Accounts
part.

I added the apparmor-easyprof-ubuntu project to the bug because I think
we'll need some changes there:

- There should be a way to specify an apparmor policy file for an
account plugin, in the manifest file. This policy will typically contain
the "accounts" policy, and then often also the "networking" and
"webview" policies; but I'd rather let the developer explicitly declare
all of the needed policies.

- The account plugin should have access to a unix socket: /run/user/<user-id>/online-accounts-ui/ui-<random-number>
  This is probably not really necessary with the current WIP code, since we call aa_change_profile() after connecting to that socket; we'll understand this better when we can test the whole thing.

- The account plugin should be able to send method calls on this D-Bus service (on the session bus):
  service=com.google.code.AccountsSSO.Accounts.Manager
  path=/com/google/code/AccountsSSO/Accounts/Manager
  interface=com.google.code.AccountsSSO.Accounts.Manager
  (the service then will itself check the apparmor label of the peer and decide whether to process the request or not)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1219644

Title:
  Account plugins should be made confinable by apparmor

Status in Online Accounts setup for Ubuntu Touch:
  In Progress
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  New

Bug description:
  With the current implementation, the QML files for account plugins are
  executed by the Online Accounts QML applet which in turn is executed
  within the System Settings process, which probably means that
  malicious account plugins could control everything that the System
  Settings process can (like entering/exiting the flight mode).

  Account plugins (or the Online Accounts applet itself) should probably
  be run in a separate process, which could then be assigned a stricter
  confinement with apparmor.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-system-settings-online-accounts/+bug/1219644/+subscriptions