ubuntu-phone team mailing list archive
Message #06269
Re: Executing binaries from click packages, under confinement
On 02/03/2014 11:05 AM, Alberto Mardegan wrote:
> Hi all!
> One of the tasks I'm working on in Online Accounts is support for
> account plugins (those bits of code which are responsible for creating/editing
> accounts for a specific provider, e.g. Facebook) to be installed as
> click packages.
>
> For security reasons, the Online Accounts (from now on, "OA") service
> will need to execute the plugins in a separate process, confined with
> the proper AppArmor profile (dictated by the click package). Such a
> process will be able to create/modify only the account it was requested
> to work on, and not others; so, for example, the account plugin for
> Facebook should not be able to change any setting on the Google account,
> and vice versa.
>
> On the other hand, the account plugin will need to have its window
> reparented on top of the OA window, so that it will not appear as a
> separate entity (see also
> https://wiki.ubuntu.com/Security/TrustStoreAndSessions).
>
> I'm now facing the choice of how to implement all the above; my original
> idea was to execute the plugin with aa-exec-click, but before jumping on
> that solution I'd like to double check with a wider audience. I've been
> told that the content hub uses upstart-app-launch instead, so I wonder
> if I should use that instead (but that will only work if the plugins
> install a .desktop file, won't it?)
>
So the question is how the trusted helper (online accounts) will launch the
plugin. You could use upstart-app-launch, but afaik it does need a desktop file
like you said. You can use aa-exec-click which will give you all the environment
and sandbox preparation that upstart-app-launch does. Alternatively, you can use
libapparmor's change_profile() after you fork but before you exec. This leaves
env setup up to you.
At this point, I think I would suggest just using aa-exec-click, but note by
doing so it will not be under application lifecycle since it isn't running
under upstart. I'm not sure how much of a concern this is. It is conceivable app
authors could abuse this to start long-running processes, so this is perhaps not
the best choice. Maybe upstart-app-launch should be adjusted to assist online
accounts? I'll let others comment on that.
--
Jamie Strandboge http://www.ubuntu.com/
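The fork, change_profile, exec sequence the reply describes, written out as an added C example that is not from the thread or from Online Accounts. It assumes libapparmor's aa_change_profile() (declared weak so the file links even without the library), uses a placeholder profile name, and fails closed: when the profile cannot be applied, the plugin is never started unconfined.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* libapparmor's aa_change_profile(), declared weak so this file links even
 * where libapparmor is absent; build with -lapparmor to enable it. */
extern int aa_change_profile(const char *profile) __attribute__((weak));

/* Placeholder; a real launcher takes the profile name from the click package. */
#define PLUGIN_PROFILE "example.placeholder_accountplugin_0.1"

/* Fork, move the child into `profile`, then exec argv. Fails closed: if the
 * profile cannot be applied the plugin never runs unconfined. Returns the
 * child's exit status, or -1 on a launcher-side failure. */
int launch_confined(const char *profile, char *const argv[]) {
    if (!aa_change_profile) {
        fprintf(stderr, "no libapparmor; refusing to run %s unconfined\n", argv[0]);
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: change profile BEFORE exec so the binary starts confined. */
        if (aa_change_profile(profile) != 0) {
            fprintf(stderr, "aa_change_profile(%s): %s\n", profile, strerror(errno));
            _exit(127);
        }
        execvp(argv[0], argv);
        _exit(127); /* exec failed */
    }
    /* Parent: no upstart job owns this child, so the helper must reap it. */
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run a trivial command under the placeholder profile. */
int demo_launch(void) {
    char *const argv[] = {"true", NULL};
    return launch_confined(PLUGIN_PROFILE, argv);
}

int main(void) { return demo_launch() == 0 ? 0 : 1; }
```

Because the placeholder profile is never loaded, demo_launch() returns non-zero on any machine; the point is that the refusal happens before exec, so a missing or wrong profile cannot leave the plugin unconfined.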