ubuntu-phone team mailing list archive

Thread
Date

Re: Device-Specific configs in debs

To: Chris Wayne <chris.wayne@xxxxxxxxxxxxx>, Ubuntu Touch <ubuntu-phone@xxxxxxxxxxxxxxxxxxx>, Seth Forshee <seth.forshee@xxxxxxxxxxxxx>, Michael Frey <michael.frey@xxxxxxxxxxxxx>, Steve Langasek <steve.langasek@xxxxxxxxxxxxx>
From: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
Date: Tue, 14 Jan 2014 16:21:22 -0600
In-reply-to: <CACnZSU9onRS+A=7cWeqjKXnZnPG_Jhxczie_r+N+d1GRviHMfg@mail.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

On 01/14/2014 03:11 PM, Chris Wayne wrote:
> Hi Guys,
> 
> So after looking at customizing powerd, I noticed several areas where we have
> device-specific config files living inside deb packages.  As our idea of
> customization has always been "one rootfs image for all devices", this seems a
> bit problematic.  Just from a quick glance, I found the following
> device-specific bits in the image (just a simple find / -name *maguro*):
> 
...

> /usr/share/apparmor/hardware/graphics.d/apparmor-easyprof-ubuntu_maguro
> /usr/share/apparmor/hardware/video.d/apparmor-easyprof-ubuntu_maguro

FYI, apparmor-easyprof-ubuntu is currently shipping these itself, but that is
temporary and are intended to be moved to lxc-android-config as per:

https://lists.ubuntu.com/archives/ubuntu-devel/2013-September/037654.html
https://bugs.launchpad.net/ubuntu/+source/lxc-android-config/+bug/1197133

...

> While this works for now with our limited set of supported devices, it can
> quickly become untenable once we start building images for OEMs in the future,
> or if we get an influx of community builds.
> 
I figured that a necessary part of building up the port was building up the udev
rules and apparmor accesses. OEMs/community builds would either fork
lxc-android-config or work within the existing hierarchies to ship files in the
appropriate directories. Both are shipped as debs and depart from the "one
rootfs image for all devices" goal of course.

> I propose that we try and tackle this before it becomes a problem.  Do we have a
> plan for this already? 
> 
> If we don't have a plan quite yet, as a first step, I propose that we patch
> powerd and apparmor to look in XDG_DATA_DIRS instead of just /usr/share/ for its
> configs.  If we do this, we can drop any needed configs into a custom tarball
> (which includes /custom/xdg/data, which is included in XDG_DATA_DIRS), and
> therefore keep the rootfs as device-agnostic as possible.  Does this seem
> reasonable?
> 
Even if it could be done easily (which it can't), we won't patch apparmor to
honor an environment variable like this. It could potentially allow apparmor to
read user controlled files which could then be used to break out of confinement.
What is easy and fine with me once we define where they should live is to add
the #include directory for something in /custom/xdg/data (this directory could
be adjusted via an apparmor tunable of course, if we wanted to go that route).

-- 
Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature

Follow ups

Re: Device-Specific configs in debs
From: Alex Chiang, 2014-01-14

References

Device-Specific configs in debs
From: Chris Wayne, 2014-01-14