
ubuntu-phone team mailing list archive

Re: Current status of policykit on Ubuntu Touch

 

On 09/12/2013 02:05 PM, Jamie Strandboge wrote:
> 
> Hi,
> 
> My team was asked to look into the security ramifications of the current
> policykit situation on Ubuntu Touch. As it stands now: policykit's
> allow_active/allow_inactive doesn't work because it can't find the active seat.
> To find the active seat, logind needs to be present and for logind to be present
> on touch, lightdm needs to land.
> 
> Policykit enabled services that use allow_active/allow_inactive in their policy
> will find that the access is denied on touch (unless allow_any is used). This
> affected network-manager on Ubuntu Touch, so overrides are now shipped for
> network-manager policy (via lxc-android-config). The overrides use
> allow_any=true so the phablet user can manipulate network interfaces/etc.
> Policykit overrides are only shipped for network-manager and are acceptable for
> single-seat installations where it is assumed that the Ubuntu Touch user is the
> active user. 13.10 will not support multi-user and things like ssh are disabled
> by default.
> 
> In terms of click packages, an app's access to DBus is quite limited and it is
> not currently allowed to talk to anything that uses policykit (ie, including
> network-manager).
> 
> While we of course would prefer allow_active/allow_inactive to work as intended,
> considering policykit's default deny behavior, the phone being single seat,
> allow_any overrides being limited to only network-manager, the overrides being
> acceptable in the single seat scenario, and because click packages can't connect
> to policykit-protected services to begin with, we don't feel the security
> concerns are blockers for Ubuntu Touch 13.10 release.
> 

Oliver reminded me of another scenario. PackageKit uses policy kit and pkcon is
used to install click packages. Currently it is my understanding that the
policykit checks are disabled right now. For the same reasons as for
network-manager, I feel this is 'ok' for the single seat touch install. Yes, we
would prefer to have this fixed, but I don't consider it a blocker provided
click is adjusted to reenable the checks, but overridden via lxc-android-config
to use allow_any=true like we do with network-manager. While click isn't
supported on desktop systems, we should still only use allow_any=true where
policykit isn't working.

-- 
Jamie Strandboge                 http://www.ubuntu.com/
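
Added example (not part of the original message or of Ubuntu's code): a small audit of polkit `.policy` XML that reports which actions grant `allow_any` and whether they fall outside an approved set, matching the thread's position that such overrides stay limited to where policykit isn't working. It assumes the settings appear as `<defaults>` elements, where the permissive value is spelled `yes`; the sample policy, the `com.example` action id and the `APPROVED_PREFIXES` allowlist are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in polkit .policy format (not taken from any shipped package).
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.NetworkManager.network-control">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.packagekit.package-install">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="com.example.service.configure">
    <defaults>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Assumption: only these action-id prefixes are approved for an allow_any override.
APPROVED_PREFIXES = ("org.freedesktop.NetworkManager.",)

def implicit(action, tag):
    """Value of one <defaults> child; a missing element is treated as "no" (deny)."""
    return (action.findtext("defaults/" + tag) or "no").strip()

def audit_policy(xml_text, approved=APPROVED_PREFIXES):
    """Return (approved_any, unexpected_any, seat_dependent) lists of action ids."""
    approved_any, unexpected_any, seat_dependent = [], [], []
    for action in ET.fromstring(xml_text).iter("action"):
        action_id = action.get("id", "")
        if implicit(action, "allow_any") == "yes":
            bucket = approved_any if action_id.startswith(approved) else unexpected_any
            bucket.append(action_id)
        elif implicit(action, "allow_active") != "no" or implicit(action, "allow_inactive") != "no":
            # Depends on active-seat detection, which the thread reports as not working on touch.
            seat_dependent.append(action_id)
    return approved_any, unexpected_any, seat_dependent

if __name__ == "__main__":
    for label, ids in zip(("approved allow_any", "unexpected allow_any", "seat-dependent"),
                          audit_policy(SAMPLE_POLICY)):
        print(label + ":", ", ".join(ids) or "-")
```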

