ubuntu-appstore-developers team mailing list archive

Thread
Date

Re: Summary of my understandings

To: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
From: "Alejandro J. Cura" <alejandro.cura@xxxxxxxxxxxxx>
Date: Thu, 11 Jul 2013 17:26:56 -0300
Cc: Ubuntu Appstore Developers <ubuntu-appstore-developers@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <51DF0AB2.4020603@canonical.com>

On Thu, Jul 11, 2013 at 4:42 PM, Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
> Ok, I have modified the calculator and the terminal apps from
> jenkins[1] to include the security manifest using the naming scheme and
> json from the wiki[2]. These are located on people[3].
>
> Just to give people something to work with, I did this in a total crazy
> way:
>  1. unpack the package with:
>     dpkg-deb -R orig/com.ubuntu.ubuntu-calculator-app_0.1.3_all.click calc
>  2. modify calc/DEBIAN/manifest to be:
>   {
>     "framework": "ubuntu-sdk-13.10",
>     "maintainer": "Ubuntu App Cats <ubuntu-touch-coreapps@xxxxxxxxxxxxxxxxxxx>",
>     "name": "com.ubuntu.ubuntu-calculator-app",
>     "title": "Calculator application",
>     "version": "0.1.3",
>     "security": {
>       "profiles": {
>         "ubuntu-calculator-app.desktop": {
>           "policy_groups": [],
>           "policy_version": 1.0
>         }
>       }
>     }
>   }
>  3. rebuild the package with:
>     dpkg-deb -b --nocheck calc
>  4. renamed calc.deb to the original:
>     mv calc.deb new/com.ubuntu.ubuntu-calculator-app_0.1.3_all.click
>
>
> The calculator app shows how to do standard application
> confinement and the terminal app show how to use unconfined[2].
>
> You can install the packages with:
> $ click install --force-missing-framework com.ubuntu.ubuntu-calculator-app_0.1.3_all.click
> $ click install --force-missing-framework com.ubuntu.ubuntu-terminal-app_0.5_all.click
>
> Once the apparmor click package hook is implemented, installing the click
> package will generate an apparmor profile, install it on the system and
> then load it into the kernel. For now, I have included these profiles
> alongside the click packages on people.canonical.com[3]. Note, the
> filename of the profile and the profile name in the profile use the
> conventions described in this thread.
>
> For testing, put these files in /etc/apparmor.d:
> com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
> com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5
>
> Then do:
> $ sudo apparmor_parser -r /etc/apparmor.d/com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
> $ sudo apparmor_parser -r /etc/apparmor.d/com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5
>
> See if they are in the kernel with:
> $ sudo aa-status |grep ubuntu
>    com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
>    com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5
>
> Launch an application under confinement:
> $ aa-exec -p com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3 -- qmlscene /opt/click.ubuntu.com/com.ubuntu.ubuntu-calculator-app/0.1.3/ubuntu-calculator-app.qml
>
> See if it is confined:
> $ sudo aa-status |grep ubuntu
>    com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
>    com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5
>    com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3 (7866)
>
> (the last entry with the pid shows that pid 7866 is running under the
> profile named 'com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3').
>
> [1]https://jenkins.qa.ubuntu.com/search/?q=click
> [2]https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement/Manifest#Click
> [3]http://people.canonical.com/~jamie/click_with_security/

The above instructions are very useful to understand how this works,
thanks a lot!
I managed to run the calculator both confined and not (with the
terminal profile) on my saucy desktop.
But not the terminal, since there's no
qtdeclarative5-konsole-qml-plugin yet for amd64.

I've hit a small problem, though: only when running confined, qmlscene
displays a working but corrupted calculator for a few seconds
(screenshot attached), and ends up segfaulting itself and crashing the
X server on its way out. I attribute this to the fglrx video drivers,
and it looks like it from the kernel logs:

[115242.654027] type=1400 audit(1373573470.414:110): apparmor="DENIED"
operation="file_mmap" parent=3273
profile="com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3"
name="/usr/lib/fglrx/dri/fglrx_dri.so" pid=4156 comm="qmlscene"
requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
[115246.296234] qmlscene[4156]: segfault at 7f7647105d38 ip
00007f766d625508 sp 00007fff09dc33f0 error 4 in
libQt5Gui.so.5.0.2[7f766d50f000+3b4000]

where should I report this?

thanks!
--
alecu

Attachment: broken-qmlscene.png
Description: PNG image

Follow ups

Re: Summary of my understandings
From: David Planella, 2013-07-12
Re: Summary of my understandings
From: Jamie Strandboge, 2013-07-11

References

Summary of my understandings
From: Ted Gould, 2013-07-11
Re: Summary of my understandings
From: Colin Watson, 2013-07-11
Re: Summary of my understandings
From: Jamie Strandboge, 2013-07-11
Re: Summary of my understandings
From: Jamie Strandboge, 2013-07-11
Re: Summary of my understandings
From: Jamie Strandboge, 2013-07-11