ubuntu-phone team mailing list archive

Thread
Date

Re: mapplauncher

To: ubuntu-phone@xxxxxxxxxxxxxxxxxxx
From: Ted Gould <ted@xxxxxxxxxx>
Date: Wed, 29 Jul 2015 09:26:03 -0500
Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwCAIAAADYYG7QAAAAA3NCSVQICAjb4U/gAAAQqElEQVRYw5VYaZBcV3U+59779t6XmWlpRjMaeUarLdkWVlBYbAwCmyKxK9gVQjDgBJOqJJgUUEkqrgqhKiyhSDkmVYYEsCoBnARSxIBtJY4TFhtLMpa1WLs0izRr9/Teb3/3nvxoYSyZaDnVv7pP9fneWb7vnIfJ0q2NVlwq6AiXMyKYWwzvf+C44WW+/PnPaJxHvguIXDeFaQIAKWCcE6mw3QjdDsUxqMROZZRM4jDsNWpeFJ9dqP7Ft/ZEQWAJhgDvekfhK49uwIsDM8bg0cfmu73ksnjg9JT37vceOnbc/6Pfuw9lHIcBco3rppHK6HbacDJWtmCkskYq6wwOZ1atTVXWMKGHXk8ppZQERKHi8YLzjo0jgoGfqAU3+t5/1s/NBpcEYkCwZaOjicsnCPb8d6O+GP/WrrdOjFRIETCOnBmpjG6nuBBc01FwruvCtI10TnfSRjqnp7JJEidRKOMIEZMkkUkcEeiMaQwqju5F8pF/mCOiiwARQbUWM3YFQK1WbNvWh97zdgAkRGRMM22u6UQABACIBCqOkDGu6ZqVYpqmp3MATCYxAAACYwyI7nvzVk0wSQBEBZM/8d1ao5VcnCGEwQHd9SRcwfDeO9+RtS1CZFxjQmNcIOMABIwjMkAARJXEiMh1gwmdmxZqmpIJMgYAXAgAsDRezqYVgS8pVlA0ec+9KDTzfTU963N2BTjV5ehNWzcoQMY40wRjHBlDRERkXAAiKQLoZwuYEMg449xwMsg4KYWMXXAjGKkMuLHSGKY01ospCNVFgFxPjq2xbFtcHlDTlZV8GhC5bgABcoaMI2fAeL9cQAoAALH/YZwTEZECUkopZJwxzhgjIEsTBZNLAgDIG9z3LwZULmpz80Ecq8sDGhvOm4IzzgEudBvXdQDGuUAAUooAEBkyBsgQGeNchqEMw ySOlUwY54jIOAeAkws1RTDkiG6k8iaX8qKmFlLC9ZtTl3z7enO0DBMaAJKSgICMMSYYY4BISpJSjLF++ZgQpJRKktjvqThExhBACC1miIwDxbYm3ERxP6k4wk8U5xeP/XItXK5FpnmFJiJwkAtkDBCBCPrTxRgAKJkwxvr1YpoOACqOg3bDb64oGQMRACIyxjjjnIBKGZuINI41XyJANqtdBGhVxbjrjrIm2GVpmmSkM86FbgKAUupVmAR9cAjImGYwockoDLstr1FNQi8Jg35fESmh64jIEIfzaUfjsaS8yQHBMi4KzRDQ1K+YHlSJppSEC+FBxjEAkZJAhFwAAtN0phsyCmOv5zeWg3YDiBTXdDsFAIwL3XKICBFTpt4MEp0jAiQKLOui6AKuwpQiwXTNMBGBca6klEmspORMAADTDERELihJ4tDzmyvt6sK+wyeqHdexjJRllky+dsTRlEJAQKZxlASznWjQ0Yo54dj8mgFJRT1P+glJv8u5QMYkQYqIZEJEjHFkmkriJPTDduPwgRcPHDs5WhncsWXSsiwgCtxetdkuGsi4QMQd45XhQmah2fYTGtxg/WRva3S1OT5mIuBVASIi31cr9XZjeSnnmMBFiKwX08rJU5vGR0FopGQcx4qUisO508fbne49t+3ULbsbJWGiGMDqoUHpd1tL84xzxpkmxNqBXLXVLZh8/qz1s8cL36guPfwVUSwIBLxS9xCcmQn2/E89l3Xy+WyQyG4QJXGS1jAnqFVdTForUWMpaq8k3eaxI4dnlld0yz653Dw6fb7baokkMDQ+V2vMVptT1RYiMC4iqUZLWQW07Kv733LDz8+cv2l07LHHl4CuIkO1erT7XxZ3viGrC8ux7ZRtd1zPYAAycaWMInZueUoJPVQko+jQsZMmh11vvLnZ6VVbndmlHnFRGRiYXFNx67KxRAtt99mXT+w/OX3LuuFIwb07N52YW75+ZKCUcV6awV+I62WtkNfWX2 crRSnL7LjeZ3b/+74l/6F/+sFje36a1kUhZR06M12rrYhUPgiDqemp9UXr2JnpJ/a9ciiw/nnvyW//+MD+c7Xp2XOcC59bUw1/w8jgZ++57W2bxkjRltXFhUZ308jg/ErL4hYgXTlDguPtb8r7oTqxjw8V85/84D1WcWhIi9rLi1NzCxsn1m0aGxmfmMxNbu2eGzh38qjBOVnWnds3EtHOd95km3om5TiZrOmk3+hkDQbVmdPdelXEScExz1cb1w3ms7YZLLeNTAAEgFfR1OWydvBIz9QEEBVN4S2eWZc1ZXlLZe11DFRydsrKFhljmhA5xwaA0dWVwvBaikPiGjAuOAdSlMRttz5cLl7QO6Jbxgc7XvDKQv2midGltvvARzNwlVOmC9btyiAMqx2PWWmyimQzoRtulBiJX8qmhJMmqUDJcqlw/Pz8eU+tikSuVLZ1YAIplomUKUPPpdOIKHQdACzOHrx965nlVuvkQt0NzYJ30/WF/nJ9VTwUhGqokBsq5rRsiQkNGScAFXorp6bTuTxPZUhJSqKxteOmirnQClqiG0JyIZPYFKyYTaFKEtsEAM0wgYBIKkVPHpnxJRQyzuSa8DUb41VYrR7bpgHqwsZDpFTgukvnvE7LzA9w3VKhTwSpQjnmRiJ0igIj7JYsMVQu5vN5BKVCv09pF6ifCIgsXdx50+SPj03f/e4iIl4DoNm5YCCXJlKURACgQj9sVs9NT5lOOr16LcmEpGS6gYjZlB0R1vyk1+32lufC+lLidREQGAMCUiry3P5yDQjbRso7148Fdq0yoF+DdBDR7PlwYIsFBBRHJKK421iaP9/xo3JJUBJLpZAxZCz03CQMBrK5JnDSjIVq3azXc7mckcpwLpSS7eX5OAoQGSKudP31lVI3ikevU/ia2+wqegghdDVIYgBKAi/stpbqTSedKwHv9NzU0qyZLZBSfqv+7HMv/PTg8U/97l3jQ8OmYRRy2UajsbzSkEvVocF yEgah5wIgAfXCJEhUKq2db/RueFP6GsWVkKQW+j2v3URktXZnvuW98fr16XRqfrl26tTpUsaWfm/fkRPz9c7H3393cfUIEwIAEKBYKBQKBZLy3FK17Jiom6q+jL1OECenV7ot1JbU4v23Fa4REIJSOhea2262E6y54c4btyAXnInx63JEML+wsNx0r795x2+sHuK60acTUhKUjMLw6NTs1olx0zSdXKHrusgFACRKtYP4ww+0h1fnOMdrzRD0gtCwUzKOZmuNXbe+RaSyyDggAHIAGHMyI2vWkFKdnusAY0gAuNDs7Nl76OHHvvUHd79r24aJgXIJSCEpBqSUIoJuEBmGmbIvnaqr4iHinaYXpAVunRyXUfDED55/5fTUrW97m+DC87zY70nd1nIDxaFVnWo9CUNgbGRs4/Z3rcXd3/7wXe/U8wPIWNxpil5XJgkpBYyHPv+bz7UefbRyzYAQ4ZabUs8fPXvHjZNZxwIlb79x4zPPv2hWxm/f9U5EfP1UAsChQ4c++5cPffOv/zRbWcM0g0gBQBL6KkniONYE73oUv1h54un2b96Rfe1/XBUP3fn2wrMvHeVCS6IIAG3HefgTH3nxyX/7+0ce6XZar9IdERHRsWPH/uwTf/Lk1x75x4c+dvMtO5hm9Kkrdjth4EWhv9DszDW79boazJS/9iU2v5hcc8luviG90D7sx1LEkbBT3Eolbucj73n7wkrjkT//uEwVnOIQ07Tpqen6wrnt46sefM/t6XwBhYEXFkCKu02v3ZBRHHo9wdi/Pn9yMnODruvr7Rv/+FNPP/6NdeYvbo+rAsQYvv/e4lMvHr73rTukUoJzLZ0nGa8qFz56967+YeQGkVp/S6n0bqbryDVA3r/8AUBGgQy90O1Fvhv4/sHZZXTzelbjnOuaNnUk/bFPzn31kRFAxKssGQA8cF/lmYN7lSKvtqiiEBjTc2VuOv0xZAzzxdLAqmFu2cg1QLzw2qFfxzgMel0p k167EUTJd184O5EZ7f/a892cnl44MPqlRy+8KGJXIx2npryvf3OxueK9cPR07Lt+bUFFATCu5wfMwVG9OKTnh7iTRS76iemfqhcaXMnY7bqdlttqyDh+fO/xcWNCQN8NFlrLA1ZxPDvy1O6Be+4/sVgNxa9c7AGh15M/2dv60U/bLz3HkkZpTXpTKWh8c8++X1s/6nVamu3ouTIKHRGR2f3rkYAAiPpLAQNABkRxr9mtLiwuLomwO7Xceul4d0fxuv70ImLDb60SZSXlltJE4/zArbv2/gpA3V7y8FcX/vf7hukVSvrYeieFZey4Xd3SvaXkez87eNfOrUG7wa0U6hYyBlKSjJSU2NcL5ChEH03Sa/iN6v6DRwYNarvBF5/Yvy23DX9JKMgYE4x3O13LsQtG7o41d4rXF+i+j8xkqtsnuBYZse3YjDGv5y6GK1sGJ5uyufs7+zaPViaRCaOKXAg7A5wjt7lSpCSQQuSACKTizkrYbjy37yUrcWPAz/7Hz8a1DSY3+lE0wYUQpmbEIDViXs8lolwhzy4WCfrhf9WDmXEbjSiMbMfmnPuev+jVRkvDXs8Foq2ZjQ89+v1aq3tu9lzYWI57TUpikBKAEBkyAQgq8sOVBb9Re/a5F1Rnxebw8NM/t93VRT3b71zLsmzHmWnOtXptoZALnkqnDMMIguCSpsbvPtEYTVV8zzdtSwgRBmEURUqjvJHlQmiaJpBX5KoH/na3G4Rnz05FzVrSbanIpyQmlag4jNsr3tJsY37mO089Y/jtosG++OS+5oKzyh4gIGTMSTnc1PYvHur2uhOpUdtxUum0bhiIGHi+eG0vn18Mju23NxuhpmuapiVJEgYBAjbc1mz9fCUzoOtat9PN6unZ5ZUvPP7k79x6M5PRQKmkOWluWCCTJPBkHB07O33glePbhjIyjj79w58Hjdzm7Boi4pzbKacnvSPzJzek1jq6bZiGEAIRoyjyXE9KhVS9rQ9osRq97 wOzqzrbdBSpTBoRe52uUqo/Od3YOx8s3VjZbDCt0+k+7+/f8+VPf/7rj5dMHB8o6KbJuCAA1/NUkpRtUdbh4Ozy3z1zcFhbN5kZJSLd0C3bnu7MdfzeZHqNbhiapjHGZCJ9z4uiiAh/wRYAtUb8vg/OrPG3C2CmZSJi4AdSyv7cMGQFK3vj4OZDteOMc0Ao5zOFTPpzD96vObkzS/W4184pd0SLNmXF5oJeFEop9fThxUlz80R6FABsxzYd++XqMUpoU37csm1d1xHR97x2qxVFUV/FAUAQwVIt+u0PzIxFOyCWjHNN16WUURi+VslbsldrN9cVxsIgiGWybngIEDgXH7/vvfWVlQNHTxyZnq23OwLBMrS1lYGn95223ZGCnWGCW7YVQfLi/IH1mbV5OyuEYIxFUeS7Xv+ZLxJX15P3/f7MhPp1SmRMZBgGEfme13/b9apfI2xtLk9QJH3f78XujrXDBISAiFgql3e9tQS3vllJqZQ8fGr6C195siJHcmlDaELT9XbUPbx4Yvvg9aZhcM6JyO31wiC8JMQFQB/6wzOrvO2CmJ+EjDEuRBSGMpGXuOaMbNWtDxh5BGzHvQ1jI68nsJdPTT/1o5enjnQmUusRURe6JsR8Z+lsdWbHqq2GbiBiHMdez5VSviq9lwKi0xttO+W5LhEJTZNShkH4eteM7iz4tUGzCACNqL15fA3CL316fvDgX+2emVuJZGww/VxjwY08XwZ5O1exym9YvU0IDgCe64ZB2Ofo/086/w8ui/QHSH/HJAAAAABJRU5ErkJggg==
In-reply-to: <55B88DF7.80608@canonical.com>

On Wed, 2015-07-29 at 11:25 +0300, Alberto Mardegan wrote:

> On 07/29/2015 07:07 AM, Tyler Hicks wrote:
> > This stage is not sufficient since there is no exec() performed
> > here. This removes the possibility of per-process address space
> > layout randomization (ASLR). All processes on the system that were
> > spawned by qml-booster will have the same memory layout, even if
> > the program authors are trying to do the right thing by building
> > with -fPIE.
> 
> Can you elaborate a bit on the risks of not having ASLR? As I
> understand it, since the process is confined, it still won't be able
> to perform any action that a malicious application wouldn't be able to
> do, right?

Yes, assuming that all of our interfaces and security profiles have no
bugs, ASLR doesn't provide additional benefit. But that's not an
assumption that I'm willing to make.

Security is provided by having layers like an onion. ASLR is one of
those layers. Not having it doesn't make things insecure but it does
make things less secure.

Personally, as a user, I wouldn't want it to be an option that app
developers could disable.

Ted

Attachment: signature.asc
Description: This is a digitally signed message part

Follow ups

Re: mapplauncher
From: Marc Deslauriers, 2015-07-29

References

mapplauncher
From: Zoltán Balogh, 2015-07-28
Re: mapplauncher
From: Tyler Hicks, 2015-07-29
Re: mapplauncher
From: Alberto Mardegan, 2015-07-29