
ubuntu-phone team mailing list archive

Re: Directories allowed for apps (Future of it?)

 

On 09/23/2015 07:14 AM, Alberto Mardegan wrote:
> On 09/21/2015 08:17 PM, John Johansen wrote:
>> On 09/21/2015 09:25 AM, Oliver Grawert wrote:
>>> I could imagine you could have a "reverse-content-hub" so you move the
>>> file back to the shared folder after editing it (something like a
>>> checkbox in the save dialog that says "make available to other apps"
>>> which would overwrite the file in ~/Documents or some such)
>>>
>> It is also possible that the file can stay in place and never has to
>> be copied into the directory, or copied back out.
> 
> Do you mean that you plan to use the user's decisions made via the
> Content Hub to dynamically add apparmor rules to confined apps (like, to
> give a certain app read access to ~/Documents/MyFile.pdf)?
> That would be super cool!
> 
> Or am I reading too much into the lines? :-)
> 
That is a possibility, though likely not directly but either through an
include that stores the extensions or a composition so that the original
profile files don't need to be recompiled, and the additions can be easily
tracked.

Other options include tagging the file directly with a security label,
using fd delegation to the application access for as long as it keeps the
fd open (not actually a very good solution atm because of app life cycle),
using hardlinks or bind mounts.


The ideal solution would be the composition or security label tagging of
the file but neither of those have landed yet. Doing it as an include
would require recompiling the profile which is slow (often a few seconds)
on touch devices and will likely be avoided atm.
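
The fd delegation option mentioned in the message above, as an added example that is not part of the original thread or of any Ubuntu code: a helper opens the file read-only and passes the descriptor over a Unix socket with SCM_RIGHTS, so the receiver needs no path-based rule and keeps access only while the descriptor is open. The function names and the sample file are hypothetical, and both ends run in one process here for brevity, where in practice they would be a trusted helper and the confined app.

```python
import array
import os
import socket
import tempfile

def send_fd(sock, fd):
    # SCM_RIGHTS ancillary data makes the kernel install a copy of fd in the receiver
    rights = array.array("i", [fd])
    sock.sendmsg([b"F"], [(socket.SOL_SOCKET, socket.SCM_RIGHTS, rights)])

def recv_fd(sock):
    fds = array.array("i")
    _, ancdata, _, _ = sock.recvmsg(1, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:fds.itemsize])
            return fds[0]
    raise RuntimeError("no descriptor received")

def app_side(sock):
    """Hypothetical confined app: it never sees a path, only the descriptor."""
    fd = recv_fd(sock)
    content = os.read(fd, 4096)
    try:
        os.write(fd, b"x")
        writable = True
    except OSError:
        writable = False  # the helper opened the file O_RDONLY
    os.close(fd)          # delegated access ends with the descriptor
    return content, writable

def demo():
    helper_sock, app_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "MyFile.pdf")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"constructed sample document")
        fd = os.open(path, os.O_RDONLY)       # least privilege: read-only grant
        send_fd(helper_sock, fd)
        os.close(fd)                          # helper drops its own copy
        os.unlink(path)                       # path is gone, the grant is not
        result = app_side(app_sock)
    helper_sock.close()
    app_sock.close()
    return result
```

Because the grant lives only in the receiver's descriptor table, it is lost whenever the receiving process exits or is restarted.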


