
ubuntu-appstore-developers team mailing list archive

Re: Summary of my understandings

 

On Thu, Jul 11, 2013 at 10:26 PM, Alejandro J. Cura <alejandro.cura@xxxxxxxxxxxxx> wrote:

> On Thu, Jul 11, 2013 at 4:42 PM, Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
> > Ok, I have modified the calculator and the terminal apps from
> > jenkins[1] to include the security manifest using the naming scheme and
> > json from the wiki[2]. These are located on people[3].
> >
> > Just to give people something to work with, I did this in a totally crazy
> > way:
> >  1. unpack the package with:
> >     dpkg-deb -R orig/com.ubuntu.ubuntu-calculator-app_0.1.3_all.click calc
> >  2. modify calc/DEBIAN/manifest to be:
> >   {
> >     "framework": "ubuntu-sdk-13.10",
> >     "maintainer": "Ubuntu App Cats <ubuntu-touch-coreapps@xxxxxxxxxxxxxxxxxxx>",
> >     "name": "com.ubuntu.ubuntu-calculator-app",
> >     "title": "Calculator application",
> >     "version": "0.1.3",
> >     "security": {
> >       "profiles": {
> >         "ubuntu-calculator-app.desktop": {
> >           "policy_groups": [],
> >           "policy_version": 1.0
> >         }
> >       }
> >     }
> >   }
> >  3. rebuild the package with:
> >     dpkg-deb -b --nocheck calc
> >  4. renamed calc.deb to the original:
> >     mv calc.deb new/com.ubuntu.ubuntu-calculator-app_0.1.3_all.click
> >
> >
> > The calculator app shows how to do standard application
> > confinement and the terminal app shows how to use unconfined[2].
> >
> > You can install the packages with:
> > $ click install --force-missing-framework com.ubuntu.ubuntu-calculator-app_0.1.3_all.click
> > $ click install --force-missing-framework com.ubuntu.ubuntu-terminal-app_0.5_all.click
> >
> > Once the apparmor click package hook is implemented, installing the click
> > package will generate an apparmor profile, install it on the system and
> > then load it into the kernel. For now, I have included these profiles
> > alongside the click packages on people.canonical.com[3]. Note, the
> > filename of the profile and the profile name in the profile use the
> > conventions described in this thread.
> >
> > For testing, put these files in /etc/apparmor.d:
> > com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
> > com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5
> >
> > Then do:
> > $ sudo apparmor_parser -r /etc/apparmor.d/com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
> > $ sudo apparmor_parser -r /etc/apparmor.d/com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5
> >
> > See if they are in the kernel with:
> > $ sudo aa-status |grep ubuntu
> >    com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
> >    com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5
> >
> > Launch an application under confinement:
> > $ aa-exec -p com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3 -- qmlscene /opt/click.ubuntu.com/com.ubuntu.ubuntu-calculator-app/0.1.3/ubuntu-calculator-app.qml
> >
> > See if it is confined:
> > $ sudo aa-status |grep ubuntu
> >    com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3
> >    com.ubuntu.ubuntu-terminal-app_ubuntu-terminal-app.desktop_0.5
> >    com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3 (7866)
> >
> > (the last entry with the pid shows that pid 7866 is running under the
> > profile named 'com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3').
> >
> > [1]https://jenkins.qa.ubuntu.com/search/?q=click
> > [2]https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement/Manifest#Click
> > [3]http://people.canonical.com/~jamie/click_with_security/
>
> The above instructions are very useful to understand how this works,
> thanks a lot!
> I managed to run the calculator both confined and not (with the
> terminal profile) on my saucy desktop.
> But not the terminal, since there's no
> qtdeclarative5-konsole-qml-plugin yet for amd64.
>
>
Hi Alejandro,

It's not in the archive, but if it helps the amd64 package is in the core
apps daily PPA. I've been using it to test the terminal app from my
desktop, and it seems to work well.

https://launchpad.net/~ubuntu-touch-coreapps-drivers/+archive/daily/+packages?field.name_filter=&field.status_filter=published&field.series_filter=saucy

Cheers,
David.

> I've hit a small problem, though: only when running confined, qmlscene
> displays a working but corrupted calculator for a few seconds
> (screenshot attached), and ends up segfaulting itself and crashing the
> X server on its way out. I attribute this to the fglrx video drivers,
> and it looks like it from the kernel logs:
>
> [115242.654027] type=1400 audit(1373573470.414:110): apparmor="DENIED" operation="file_mmap" parent=3273 profile="com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3" name="/usr/lib/fglrx/dri/fglrx_dri.so" pid=4156 comm="qmlscene" requested_mask="m" denied_mask="m" fsuid=1000 ouid=0
> [115246.296234] qmlscene[4156]: segfault at 7f7647105d38 ip 00007f766d625508 sp 00007fff09dc33f0 error 4 in libQt5Gui.so.5.0.2[7f766d50f000+3b4000]
>
> where should I report this?
>
> thanks!
> --
> alecu
>
> --
> Mailing list: https://launchpad.net/~ubuntu-appstore-developers
> Post to     : ubuntu-appstore-developers@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers
> More help   : https://help.launchpad.net/ListHelp
>
>
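
An added example, not part of the original messages or of the click/AppArmor tooling: it derives the profile name from the click manifest and picks out the AppArmor denials logged against it, using the manifest and kernel log lines quoted above. The `<name>_<profile key>_<version>` pattern is inferred from the profile names shown in the thread, and the function names are hypothetical.

```python
import json
import re

# Manifest from the message (maintainer field left out for brevity).
MANIFEST = """{
  "framework": "ubuntu-sdk-13.10",
  "name": "com.ubuntu.ubuntu-calculator-app",
  "version": "0.1.3",
  "security": {"profiles": {"ubuntu-calculator-app.desktop":
      {"policy_groups": [], "policy_version": 1.0}}}
}"""

# The two kernel log records quoted in the message, each rejoined onto one line.
KERNEL_LOG = (
    '[115242.654027] type=1400 audit(1373573470.414:110): apparmor="DENIED" '
    'operation="file_mmap" parent=3273 '
    'profile="com.ubuntu.ubuntu-calculator-app_ubuntu-calculator-app.desktop_0.1.3" '
    'name="/usr/lib/fglrx/dri/fglrx_dri.so" pid=4156 comm="qmlscene" '
    'requested_mask="m" denied_mask="m" fsuid=1000 ouid=0\n'
    '[115246.296234] qmlscene[4156]: segfault at 7f7647105d38 ip 00007f766d625508 '
    'sp 00007fff09dc33f0 error 4 in libQt5Gui.so.5.0.2[7f766d50f000+3b4000]\n'
)

# key=value pairs in an audit record; values are either quoted or bare tokens.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
WANTED = ("profile", "operation", "name", "denied_mask", "comm", "pid")


def profile_names(manifest_text):
    """Profile names for every entry under security.profiles (assumed pattern)."""
    m = json.loads(manifest_text)
    apps = m.get("security", {}).get("profiles", {})
    return [f'{m["name"]}_{app}_{m["version"]}' for app in apps]


def denials(log_text, profiles):
    """Parsed apparmor="DENIED" records whose profile is one of `profiles`."""
    hits = []
    for line in log_text.splitlines():
        if "type=1400" not in line:      # AppArmor events use audit type 1400
            continue
        rec = {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}
        if rec.get("apparmor") == "DENIED" and rec.get("profile") in profiles:
            hits.append({k: rec.get(k) for k in WANTED})
    return hits


if __name__ == "__main__":
    for d in denials(KERNEL_LOG, profile_names(MANIFEST)):
        print(f'{d["profile"]}: {d["operation"]} {d["name"]} denied "{d["denied_mask"]}"')
```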
