ubuntu-phone team mailing list archive

Re: Executing binaries from click packages, under confinement

 

Hi Ted,

On 02/04/2014 04:13 PM, Ted Gould wrote:
> On Tue, 2014-02-04 at 10:05 +0200, Alberto Mardegan wrote:
>> I had a quick look at the untrusted helper branch, but I
>> couldn't understand if it's suitable for my case:
>> 
>> " * Start an untrusted helper for a specific @type on a given *
>> @appid.  We don't know how that is done specifically, as Upstart 
>> * will call a helper for that type.  And then execute it under
>> the * Apparmor profile for that helper type."
>> 
>> What is "type" in this context?
> 
> Type is a string for something defined by you.  This way we can
> keep the infographics away from the account service helpers.  So
> I'd guess for you it'd be something like "account-service-plugin"
> or some such.  It doesn't matter really as long as you use the same
> type for all the functions (and unique, don't use
> "content-hub-picker" ☺).

OK, so it could be "online-account-plugin" in our case. Then you
confirmed that these helpers will be run under their own AppArmor
profile (which is indeed what I needed), but that seems to contradict
the docstring I quoted above and which made me suspicious: "And then
execute it under the Apparmor profile for that helper type".
I assume that the documentation string is wrong, and that it should
read "...under the Apparmor profile for that helper".

> You probably want upstart_app_launch_start_multiple_helper() which 
> returns an instance handle.  That allows you to track multiple
> instances of the same App ID.  This is also a requirement for
> Content Hub.

I'll try to use that, this makes a lot more sense now. Thanks!
I assume that I can use the "uris" parameter to pass parameters to the
untrusted helper (for example, a UNIX socket to connect to)?

Ciao,
  Alberto


