
ubuntu-phone team mailing list archive

Re: Click packages and source code


On 08/13/2013 08:33 AM, Michael Zanetti wrote:
> On Tuesday 13 August 2013 10:01:58 Sergio Schvezov wrote:
>> On Tue, Aug 13, 2013 at 9:33 AM, Michael Zanetti <
>>
>> michael.zanetti@xxxxxxxxxxxxx> wrote:
>>> Hi,
>>>
>>> I've just been watching this demo [1] on how to publish click packages.
>>> Looks very promising! However, one question that comes up here is at the
>>> uploading step (3:13 in the video):
>>>
>>> The website allows uploading a binary package and a source package.
>>> However, I can't see any connection between those two. How can I be sure
>>> that the binary click package indeed contains an unmodified version of the
>>> uploaded source package? From what I can see here I could easily publish
>>> some source code and then build a malicious package containing some
>>> additional bad code.
>>
>> You will be confined by apparmor here and very limited in the bad things
>> you can do.
> 
> I don't agree here. I'm not entirely sure how AppArmor works, but I assume it 
> would block access to, for instance, my address book. If I still want to use 
> that app there must be some place where I can grant permissions to an app to 
> access my address book. This is where I would like to know what the package 
> actually does with my address book and where I would need to rely on the fact 
> that the binary package is indeed an *unpatched* version of the uploaded 
> source package.
> 
Click packages will be confined by AppArmor[1] and there is a permissions model
where developers declare what the click package can do[2]. Apps are quite
confined by default by design and they are not allowed to access other apps'
data, among other things. This is to prevent malicious apps from doing harm to
the system or obtaining the user's data. Application developers will need to
use published APIs to access things like locations, online accounts, the
address book, etc., and these APIs will be supported in the click manifest. Access
to data like the address book will be limited and handled via an out-of-process
helper which may also help mediate the access (i.e., provide a contextual runtime
prompt). That's the good news-- the bad news is that not all of these APIs are
implemented today, but they are being worked on. I'll let others comment on
their status.

More specifically to your question-- click packages and the app store will
support binary-only uploads of packages. With this in mind, it isn't
particularly useful to have a build server from a security point of view because
a malicious app author would simply not upload the source to avoid detection. A
build could be useful for other reasons-- such as to make sure that the app is
built in a clean environment, etc, but I'll let others comment on that too.

[1] https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement
[2] https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement/Manifest#Click
-- 
Jamie Strandboge                 http://www.ubuntu.com/
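As an added example (not from this thread or from the click tooling), the following checker reads what a click package declares in its manifest and in the AppArmor security JSON its "apparmor" hook points to, and reports which apps ask for personal-data policy groups, the information a contextual prompt or a store reviewer would surface. The manifest "hooks" layout and the "policy_groups"/"policy_version" keys follow the click packaging format; the sample package, its second app hook that declares no AppArmor profile, and the "sensitive" classification are constructed for this example.

```python
import json

# Policy groups that reach personal data. This grouping is the example's own
# (constructed) classification, not an official Ubuntu list.
SENSITIVE_GROUPS = {"contacts", "calendar", "location", "accounts", "microphone", "camera"}

# Constructed sample: a click manifest.json with two app hooks. Only "notes"
# points at a security JSON; "sync" declares nothing.
MANIFEST = json.loads("""
{
  "name": "com.example.notes",
  "version": "1.0",
  "framework": "ubuntu-sdk-13.10",
  "hooks": {
    "notes": {"apparmor": "notes.apparmor", "desktop": "notes.desktop"},
    "sync":  {"desktop": "sync.desktop"}
  }
}
""")

# Constructed sample: the security JSON referenced by the "apparmor" hook above.
SECURITY_FILES = {
    "notes.apparmor": json.loads('{"policy_version": 1.0, "policy_groups": ["networking", "contacts"]}')
}

def declared_access(manifest, security_files):
    """Map each app hook to its sorted policy groups.
    An app whose hook has no (or a dangling) 'apparmor' entry maps to None:
    nothing was declared, so it must not be treated as harmless."""
    result = {}
    for app, hook in manifest.get("hooks", {}).items():
        path = hook.get("apparmor")
        if path is None or path not in security_files:
            result[app] = None
            continue
        result[app] = sorted(security_files[path].get("policy_groups", []))
    return result

def review(manifest, security_files):
    """Lines a reviewer or an install-time prompt would show per app."""
    findings = []
    for app, groups in declared_access(manifest, security_files).items():
        if groups is None:
            findings.append(f"{app}: REJECT, no apparmor hook so confinement is undeclared")
            continue
        personal = sorted(SENSITIVE_GROUPS & set(groups))
        if personal:
            findings.append(f"{app}: prompt user, requests {', '.join(personal)}")
        else:
            findings.append(f"{app}: no personal-data groups declared")
    return findings

if __name__ == "__main__":
    for line in review(MANIFEST, SECURITY_FILES):
        print(line)
```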

