ubuntu-phone team mailing list archive

Thread
Date

Re: Executing binaries from click packages, under confinement

To: ubuntu-phone@xxxxxxxxxxxxxxxxxxx
From: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
Date: Mon, 03 Feb 2014 11:44:49 -0500
In-reply-to: <52EFBE4D.1000800@canonical.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0

On 02/03/2014 11:05 AM, Alberto Mardegan wrote:
> Hi all!
>   One of the tasks I'm working on in Online Accounts is support for
> account plugins (those bits of code which are responsible to create/edit
> accounts for a specific provider, e.g. facebook) to be installed as
> click packages.
> 
> For security reasons, the Online Accounts (from now on, "OA") service
> will need to execute the plugins in a separate process, confined with
> the proper AppArmor profile (dictated by the click package). Such a
> process will be able to create/modify only the account it was requested
> to work on, and not others; so, for example, the account plugin for
> Facebook should not be able to change any setting on the Google account,
> and vice versa.
> 
> On the other hand, the account plugin will need to have its window
> reparented on top of the OA window, so that it will not appear as a
> separate entity (see also
> https://wiki.ubuntu.com/Security/TrustStoreAndSessions).
> 
> I'm now facing the choice of how to implement all the above; my original
> idea was to execute the plugin with aa-exec-click, but before jumping on
> that solution I'd like to double check with a wider audience. I've been
> told that the content hub uses upstart-app-launch instead, so I wonder
> if I should use that instead (but that will only work if the plugins
> install a .desktop file, will it)?
> 
So the question is how the trusted helper (online accounts) will launch the
plugin. You could use upstart-app-launch, but afiak it does need a desktop file
like you said. You can use aa-exec-click which will give you all the environment
and sandbox preparation that upstart-app-launch does. Alternatively, you can use
libapparmor's change_profile() after you fork but before you exec. This leaves
env setup up to you.

At this point, I think I would suggest just using aa-exec-click, but note by
doing so it will not be under application lifecycle since it is isn't running
under upstart. I'm not sure how much of a concern this is. It is conceivable app
authors could abuse this to start long running processes, so this is perhaps not
the best choice. Maybe upstart-app-launch should be adjusted to assist online
accounts? I'll let others comment on that.


-- 
Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature

Follow ups

Re: Executing binaries from click packages, under confinement
From: Michał Sawicz, 2014-02-03

References

Executing binaries from click packages, under confinement
From: Alberto Mardegan, 2014-02-03