ubuntu-phone team mailing list archive
Message #10483
Re: SD Card access for applications
On 2014-11-13 12:08 PM, Jamie Strandboge wrote:
> On 11/13/2014 08:25 AM, Marc Deslauriers wrote:
>> On 2014-11-12 11:58 AM, Jamie Strandboge wrote:
>>> Pulling into CC various stakeholders.
>>>
>>> On 11/12/2014 09:47 AM, Florian Boucault wrote:
>
> ...
>
>>>> The camera and the gallery app today are authorized to read/write in
>>>> /home/$USER/Pictures and /home/$USER/Videos.
>>>> Soon they will also need to be able to read/write in the similar directories of
>>>> the SD card, for example:
>>>> - /media/phablet/064a-7494/Pictures
>>>> - /media/phablet/064a-7494/Videos
>
> ...
>
>>> We can then do something similar for apps. Eg, the predictable hierarchy for
>>> apps might be:
>>> /media/$USER/$SDCARD_ID/.cache/$APP_PKGNAME
>>> /media/$USER/$SDCARD_ID/.config/$APP_PKGNAME
>>> /media/$USER/$SDCARD_ID/.local/share/$APP_PKGNAME
>>>
>>> such that the AppArmor templates add:
>>> owner /media/*/*/.cache/@{APP_PKGNAME}/ rw,
>>> owner /media/*/*/.cache/@{APP_PKGNAME}/** mrwkl,
>>> owner /media/*/*/.config/@{APP_PKGNAME}/ rw,
>>> owner /media/*/*/.config/@{APP_PKGNAME}/** mrwkl,
>>> owner /media/*/*/.local/share/@{APP_PKGNAME}/ rw,
>>> owner /media/*/*/.local/share/@{APP_PKGNAME}/** mrwklix,
>>
>> This is problematic. As you mention later on, sdcards mostly use vfat, which
>> means file names are case insensitive. This opens up a lot of issues when trying
>> to confine apps to specific directories, and also creates issues with data loss
>> if the system isn't designed to cope well.
>>
>> If we want app-specific directories on the sdcard, we will likely have to
>> require the card be formatted with a better filesystem, or we should punt on
>> this for now.
>>
>
> Ah yes, I forgot about the case-insensitive names. I also agree this is
> problematic. With the global directories, we should therefore do:
>
> # SD card: /media/<user>/<label>/...
> owner /media/*/*/[Pp][Ii][Cc][Tt][Uu][Rr][Ee][Ss]/ r,
> owner /media/*/*/[Pp][Ii][Cc][Tt][Uu][Rr][Ee][Ss]/** rwk,
>
> That is easy enough.
We don't really need to do that; apps simply need to access the directory using
"Pictures" and not any other combination of case.
>
>
> Apps are hard though-- click-apparmor could be adjusted to instead of:
> @{APP_APPNAME}="bar"
> @{APP_PKGNAME}="com.ubuntu.developer.user.foo"
>
> do:
> @{APP_APPNAME}="[Bb][Aa][Rr]"
> @{APP_PKGNAME}="[Cc][Oo][Mm].[Uu][Bb][Uu][Nn][Tt][Uu].[Dd][Ee][Vv][Ee][Ll][Oo][Pp][Ee][Rr].[Uu][Ss][Ee][Rr].[Ff][Oo][Oo]"
>
> but yikes, I don't like that; plus I agree with your other points about what
> happens when the card is pulled out. App-specific directories need more thought
> and planning.
>
Doing that doesn't eliminate the possibility of developers deliberately
registering apps with the same name, but with different case combinations,
either to steal another app's data, or to share data amongst two apps from the
same developer.
We would need to enforce case-insensitive uniqueness checks all over the place
to prevent that sort of thing, and I think it's likely to be more trouble than
it's worth for now.
Marc.
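Two pieces of the discussion above lend themselves to a small worked example: Jamie's quoted idea of expanding a literal name into an AppArmor glob that matches every case combination (so a rule still applies on a case-insensitive vfat card), and Marc's point that app-specific directories would also require case-insensitive uniqueness checks on package names, since two names differing only in case map to the same on-disk directory. The code below is an added illustration written for this archive page; it is not code from click-apparmor, AppArmor, or anyone in the thread, and the function names, the rejected metacharacter set, and the sample package names are assumptions made here.

```python
"""
Added example (not from click-apparmor or AppArmor): helpers for the two
ideas in the thread, case-insensitive AppArmor globs for vfat paths and a
case-insensitive collision check for package names.
"""

# AppArmor glob metacharacters; a name containing these is rejected rather
# than silently turned into a wider pattern (assumed set, not from the page).
GLOB_META = "*?[]{},"


def ci_glob(name):
    """Expand a literal path component into an AppArmor glob that matches any
    case combination, e.g. 'Pictures' -> '[Pp][Ii][Cc][Tt][Uu][Rr][Ee][Ss]'.
    Digits, dots and dashes pass through unchanged ('.' is not special in
    AppArmor globs, which is why Jamie's @{APP_PKGNAME} example keeps it).
    """
    out = []
    for ch in name:
        if ch in GLOB_META:
            raise ValueError("glob metacharacter in name: %r" % ch)
        if ch.isascii() and ch.isalpha():
            out.append("[%s%s]" % (ch.upper(), ch.lower()))
        else:
            out.append(ch)
    return "".join(out)


def sdcard_rules(subdir, perms):
    """Emit the rule pair Jamie proposed for a global SD card directory such
    as Pictures or Videos: read on the directory itself, `perms` below it.
    Path layout /media/<user>/<label>/... is the one quoted in the thread.
    """
    g = ci_glob(subdir)
    return [
        "owner /media/*/*/%s/ r," % g,
        "owner /media/*/*/%s/** %s," % (g, perms),
    ]


def find_case_collisions(pkgnames):
    """Group package names that differ only by case.

    On a case-insensitive filesystem each such group would share one
    directory, so a second registration that collides with an existing name
    is what a store- or install-time uniqueness check has to reject. Returns
    a list of sorted groups, one per colliding lowercase key.
    """
    groups = {}
    for n in pkgnames:
        groups.setdefault(n.lower(), []).append(n)
    return [sorted(v) for v in groups.values() if len(v) > 1]


if __name__ == "__main__":
    for rule in sdcard_rules("Pictures", "rwk") + sdcard_rules("Videos", "rwk"):
        print(rule)
    # Constructed sample names; the second differs from the first only by case.
    sample = [
        "com.ubuntu.developer.user.foo",
        "com.ubuntu.developer.user.Foo",
        "com.example.bar",
    ]
    for group in find_case_collisions(sample):
        print("case collision:", ", ".join(group))
```

Running the module prints the four Pictures/Videos rules and reports the one constructed collision. The glob approach handles fixed global directories cleanly, but as Marc notes it does nothing about two packages that are distinct strings yet the same directory on vfat; that is what `find_case_collisions` would have to run against the full registry of installed and published names, not just a local list.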