ubuntu-appstore-developers team mailing list archive

Re: Summary of my understandings

 

On 07/11/2013 01:16 PM, Jamie Strandboge wrote:
>> I think a better idea is do this for unconfined apps:
>>  {
>>    "name": "com.ubuntu.developer.username.myapp",
>>    "version": "0.1",
>>    "maintainer": "Your Name <your.name@xxxxxxxxxxx>",
>>    "title": "My Cool App",
>>    "framework": "ubuntu-sdk-13.10",
>>    "security": {
>>      "profiles": {
>>        "myapp.desktop": {
>>          "template": "unconfined"
>>        },
>>        "myapp-camera.desktop": {
>>          "template": "unconfined"
>>        }
>>      }
>>    }
>>  }
>>

Ok, I have modified the calculator and the terminal apps from
jenkins[1] to include the security manifest using the naming scheme and
json from the wiki[2]. These are located on people[3].

Just to give people something to work with, I did this in a totally crazy
way:
 1. unpack the package with:
    dpkg-deb -R orig/com.ubuntu.ubuntu-calculator-app_0.1.3_all.click calc
 2. modify calc/DEBIAN/manifest to be:
  {
    "framework": "ubuntu-sdk-13.10", 
    "maintainer": "Ubuntu App Cats <ubuntu-touch-coreapps@xxxxxxxxxxxxxxxxxxx>", 
    "name": "com.ubuntu.ubuntu-calculator-app", 
    "title": "Calculator application", 
    "version": "0.1.3",
    "security": {
      "profiles": {
        "ubuntu-calculator-app.desktop": {
          "policy_groups": [],
          "policy_version": 1.0
        }
      }
    }
  }
 3. rebuild the package with:
    dpkg-deb -b --nocheck calc
 4. rename calc.deb to the original:
    mv calc.deb new/com.ubuntu.ubuntu-calculator-app_0.1.3_all.click


The calculator app shows how to do standard application
confinement and the terminal app shows how to use unconfined[2].

You can install the packages with:
$ click install --force-missing-framework com.ubuntu.ubuntu-calculator-app_0.1.3_all.click
$ click install --force-missing-framework com.ubuntu.ubuntu-terminal-app_0.5_all.click

Once the apparmor click package hook is implemented, installing the click
package will generate an apparmor profile, install it on the system and
then load it into the kernel. For now, I have included these profiles
alongside the click packages on people.canonical.com[3]. Note, the 
filename of the profile and the profile name in the profile use the
conventions described in this thread.

For testing, put these files in /etc/apparmor.d:
com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5

Then do:
$ sudo apparmor_parser -r /etc/apparmor.d/com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
$ sudo apparmor_parser -r /etc/apparmor.d/com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5

See if they are in the kernel with:
$ sudo aa-status |grep ubuntu
   com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
   com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5

Launch an application under confinement:
$ aa-exec -p com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3 -- qmlscene /opt/click.ubuntu.com/com.ubuntu.ubuntu-calculator-app/0.1.3/ubuntu-calculator-app.qml

See if it is confined:
$ sudo aa-status |grep ubuntu
   com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
   com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5
   com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3 (7866)

(the last entry with the pid shows that pid 7866 is running under the
profile named 'com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3').

[1]https://jenkins.qa.ubuntu.com/search/?q=click
[2]https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement/Manifest#Click
[3]http://people.canonical.com/~jamie/click_with_security/


-- 
Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature
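
Added example, not part of the original message or of the click/AppArmor tooling: a Python check that derives the expected AppArmor profile names from a click manifest, flags profiles that request the unconfined template, and matches them against aa-status output. It assumes the name_desktopfile_version naming visible in the profile names above and the aa-status line format quoted in the message; the terminal manifest and all function names are constructed for illustration.

```python
import json
import re

# Constructed samples. The calculator manifest follows the message; the
# terminal manifest is an assumed equivalent using the unconfined template.
CALC_MANIFEST = """{"name": "com.ubuntu.ubuntu-calculator-app", "version": "0.1.3",
  "security": {"profiles": {"ubuntu-calculator-app.desktop":
    {"policy_groups": [], "policy_version": 1.0}}}}"""
TERMINAL_MANIFEST = """{"name": "com.ubuntu.ubuntu-terminal-app", "version": "0.5",
  "security": {"profiles": {"ubuntu-terminal-app.desktop":
    {"template": "unconfined"}}}}"""
# aa-status lines in the format quoted in the message (a pid marks a process).
AA_STATUS = """\
   com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
   com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5
   com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3 (7866)
"""

def expected_profiles(manifest_text):
    """Map '<name>_<desktop file>_<version>' to its security stanza (assumed convention)."""
    m = json.loads(manifest_text)
    profiles = m.get("security", {}).get("profiles", {})
    return {f'{m["name"]}_{app}_{m["version"]}': sec for app, sec in profiles.items()}

def parse_aa_status(text):
    """Return (set of loaded profile names, {profile: [pids running under it]})."""
    loaded, running = set(), {}
    for line in text.splitlines():
        match = re.fullmatch(r"\s*(\S+)(?:\s+\((\d+)\))?\s*", line)
        if not match:
            continue  # headers such as "N profiles are loaded." are skipped
        name, pid = match.groups()
        if pid:
            running.setdefault(name, []).append(int(pid))
        else:
            loaded.add(name)
    return loaded, running

def audit(manifest_text, aa_status_text):
    """One report row per profile the manifest declares."""
    loaded, running = parse_aa_status(aa_status_text)
    return [{"profile": name,
             "unconfined": sec.get("template") == "unconfined",
             "loaded": name in loaded,
             "pids": running.get(name, [])}
            for name, sec in expected_profiles(manifest_text).items()]

if __name__ == "__main__":
    for row in audit(CALC_MANIFEST, AA_STATUS) + audit(TERMINAL_MANIFEST, AA_STATUS):
        print(row)
```

A row with "unconfined": True or "loaded": False is the one to review before the package is accepted or launched.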

