← Back to team overview

touch-packages team mailing list archive

[Bug 1303962] Re: please integrate mediascanner2 and media-hub with apparmor

 

The new thumbnailer uses apparmor queries to determine whether the
caller is allowed to access the original file. If not, it denies access
to the thumbnail too.

** Changed in: thumbnailer
       Status: New => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1303962

Title:
  please integrate mediascanner2 and media-hub with apparmor

Status in Media Hub:
  Fix Committed
Status in Thumbnail generator for all kinds of files:
  Fix Committed
Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Fix Released
Status in mediascanner2 package in Ubuntu:
  Fix Released

Bug description:
  media-hub and mediascanner are separate processes from apps and are
  used to play and scan music and video files respectively. Up until
  now, apps would have to use the music_files_read or video_files_read
  reserved policy groups to access media. The problem is, these policy
  groups are reserved and not available to normal AppStore apps in order
  to prevent information leaks (this user has this video installed) and
  theft (can access the music and video directly). The path forward is
  that media-hub and mediascanner are helpers that apps can use and they
  should integrate with the trust store.

  AppStore apps:
   1. should be able to access their own content (installed or local)
   2. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
   3. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
   4. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
   5. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)

  Both media-hub and mediascanner should do something like the below
  pseudo code:

  # see 'man aa_getcon()' from libapparmor-dev for more info
  # conn_name is the unique D-Bus connection name of the application connecting
  # to media-hub/mediascanner
  apparmor_profile = org.freedesktop.DBus.GetConnectionAppArmorSecurityContext(conn_name)

  pkgname = apparmor_profile.split('_')[0]
  if apparmor_profile == unconfined: # unconfined apps can access all the files
      allow access
  elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
      allow access
  elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
      allow access
  elif playback_file in ~/Music:
      answer = prompt user for access to global music files
      if $answer == yes
          update trust store for $pkgname can enumerate/play ~/Music
          allow access
      else:
          deny access
  elif playback_file in ~/Videos:
      answer = prompt user for access to global video files
      if $answer == yes
          update trust store for $pkgname can enumerate/play ~/Videos
          allow access
      else:
          deny access
  else:
      deny access

  To have the best user experience and prevent multiple prompting,
  mediascanner and media-hub should use the same trust store database.
  I'm not sure that mediascanner2 offers a DBus API for enumerating
  global media files yet or not (music-app seems to be accessing files
  in ~/.cache/media-art/ and ~/.cache/mediascanner directly).

  UPDATE: 2014-05-02
  media-hub implemented '1' and '2' already (can access its own data, but not other apps' data) and was marked Fix Released. Trust store integration ('3' and '4') is now being tracked in bug #1315381.

  mediascanner2 still needs to implement '1' and '2'. The 'audio' and
  'video' policy groups will *not* add this access at this time.
  Instead, apps can use 'read_path' as part of their policy to have
  access to the mediascanner files. This is workable for the music app,
  but will block other apps from inclusion in the app store.

To manage notifications about this bug go to:
https://bugs.launchpad.net/media-hub/+bug/1303962/+subscriptions