
ubuntu-phone team mailing list archive

Re: SD Card access for applications

 

On 2014-11-13 02:08 PM, Jamie Strandboge wrote:
> On 11/13/2014 12:32 PM, Marc Deslauriers wrote:
>> On 2014-11-13 12:08 PM, Jamie Strandboge wrote:
>>> On 11/13/2014 08:25 AM, Marc Deslauriers wrote:
>>>> On 2014-11-12 11:58 AM, Jamie Strandboge wrote:
>>>>> Pulling into CC various stakeholders.
>>>>>
>>>>> On 11/12/2014 09:47 AM, Florian Boucault wrote:
>>>
>>> ...
>>>
>>>>>> The camera and the gallery app today are authorized to read/write in
>>>>>> /home/$USER/Pictures and /home/$USER/Videos.
>>>>>> Soon they will also need to be able to read/write in the similar directories of
>>>>>> the SD card, for example:
>>>>>> - /media/phablet/064a-7494/Pictures
>>>>>> - /media/phablet/064a-7494/Videos
>>>
>>> ...
>>>
>>>>> We can then do something similar for apps. Eg, the predictable hierarchy for
>>>>> apps might be:
>>>>>   /media/$USER/$SDCARD_ID/.cache/$APP_PKGNAME
>>>>>   /media/$USER/$SDCARD_ID/.config/$APP_PKGNAME
>>>>>   /media/$USER/$SDCARD_ID/.local/share/$APP_PKGNAME
>>>>>
>>>>> such that the AppArmor templates add:
>>>>>   owner /media/*/*/.cache/@{APP_PKGNAME}/         rw,
>>>>>   owner /media/*/*/.cache/@{APP_PKGNAME}/**       mrwkl,
>>>>>   owner /media/*/*/.config/@{APP_PKGNAME}/        rw,
>>>>>   owner /media/*/*/.config/@{APP_PKGNAME}/**      mrwkl,
>>>>>   owner /media/*/*/.local/share/@{APP_PKGNAME}/   rw,
>>>>>   owner /media/*/*/.local/share/@{APP_PKGNAME}/** mrwklix,
>>>>
>>>> This is problematic. As you mention later on, sdcards mostly use vfat, which
>>>> means file names are case insensitive. This opens up a lot of issues when trying
>>>> to confine apps to specific directories, and also creates issues with data loss
>>>> if the system isn't designed to cope well.
>>>>
>>>> If we want app-specific directories on the sdcard, we will likely have to
>>>> require the card be formatted with a better filesystem, or we should punt on
>>>> this for now.
>>>>
>>>
>>> Ah yes, I forgot about the case-insensitive names. I also agree this is
>>> problematic. With the global directories, we should therefore do:
>>>
>>> # SD card: /media/<user>/<label>/...
>>> owner /media/*/*/[Pp][Ii][Cc][Tt][Uu][Rr][Ee][Ss]/   r,
>>> owner /media/*/*/[Pp][Ii][Cc][Tt][Uu][Rr][Ee][Ss]/** rwk,
>>>
>>> That is easy enough.
>>
>> We don't really need to do that, apps simply need to access the directory using
>> "Pictures" and not any other combination of case.
>>
>>>
>>>
>>> Apps are hard though-- click-apparmor could be adjusted to instead of:
>>> @{APP_APPNAME}="bar"
>>> @{APP_PKGNAME}="com.ubuntu.developer.user.foo"
>>>
>>> do:
>>> @{APP_APPNAME}="[Bb][Aa][Rr]"
>>> @{APP_PKGNAME}="[Cc][Oo][Mm].[Uu][Bb][Uu][Nn][Tt][Uu].[Dd][Ee][Vv][Ee][Ll][Oo][Pp][Ee][Rr].[Uu][Ss][Ee][Rr].[Ff][Oo][Oo]"
>>>
>>> but yikes, I don't like that; plus I agree with your other points about what
>>> happens when the card is pulled out. App-specific directories need more thought
>>> and planning.
>>>
>>
>> Doing that doesn't eliminate the possibility of developers deliberately
>> registering apps with the same name, but with different case combinations,
>> either to steal another app's data, or to share data amongst two apps from the
>> same developer.
>>
>> We would need to enforce case-insensitive uniqueness checks all over the place
>> to prevent that sort of thing, and I think it's likely to be more trouble than
>> it's worth for now.
>>
> 
> Do note, I didn't really like the above. That said, the AppStore could enforce
> this quite easily if it isn't already.
> 

Oh, the other thing I forgot is fat filesystems transparently support short
filenames too, so longfilename.txt may also be accessible as longfi~1.txt. I'd
have to think about the impact this may have with file path based permissions.

Marc.
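An added illustration (not part of the thread, and not AppArmor's own parser) of the path-matching question the thread raises: it uses a simplified model of AppArmor globbing (an assumption of this example), generates the per-letter `[Xx]` classes the way Jamie's message does for "Pictures", and shows that a case-variant name is only covered by the relaxed rule while a vfat 8.3 alias such as the constructed `PICTUR~1` is covered by neither.

```python
import re

# Simplified AppArmor glob semantics (an assumption of this example, not the
# parser's exact rules): '*' matches any run of characters except '/', '**'
# matches at least one character and may cross '/', '[...]' classes pass
# through unchanged, everything else is literal (so '.' in a package name
# is a plain dot, not a regex wildcard).
def apparmor_glob_to_regex(rule_path):
    out, i = [], 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            out.append("[^/].*")
            i += 2
        elif rule_path[i] == "*":
            out.append("[^/]*")
            i += 1
        elif rule_path[i] == "[":
            j = rule_path.index("]", i)          # copy the class verbatim
            out.append(rule_path[i:j + 1])
            i = j + 1
        else:
            out.append(re.escape(rule_path[i]))
            i += 1
    return re.compile("".join(out))

def expand_variables(rule_path, variables):
    """Substitute @{NAME} the way click-apparmor fills in APP_PKGNAME etc."""
    for name, value in variables.items():
        rule_path = rule_path.replace("@{%s}" % name, value)
    return rule_path

def case_insensitive_glob(name):
    """Rewrite a literal path component the way the thread does for 'Pictures':
    each letter becomes a [Xx] class; digits, dots and other characters stay."""
    return "".join("[%s%s]" % (c.upper(), c.lower()) if c.isalpha() else c
                   for c in name)

def allowed(rule_path, path, variables=None):
    """True if the (variable-expanded) AppArmor path rule covers this path."""
    rule_path = expand_variables(rule_path, variables or {})
    return apparmor_glob_to_regex(rule_path).fullmatch(path) is not None

if __name__ == "__main__":
    card = "/media/phablet/064a-7494"            # SD card path from the thread
    strict = "/media/*/*/Pictures/**"
    relaxed = "/media/*/*/%s/**" % case_insensitive_glob("Pictures")
    for rule in (strict, relaxed):
        for p in (card + "/Pictures/img.jpg", card + "/PICTURES/img.jpg",
                  card + "/PICTUR~1/img.jpg"):   # PICTUR~1: constructed 8.3 alias
            print("%-45s %-55s %s" % (rule, p, allowed(rule, p)))
```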