unity-api-bugs team mailing list archive
Message #05181
[Bug 1341548] Re: Online detection does not work with confined apps on Nexus 4
FYI, attached is the apparmor policy needed for the current
implementation of the connectivity API. I compiled
example_networking_status.cpp as example_networking_status.armhf, then
on mako, I ran:
$ sudo apparmor_parser -r ./example_networking_status.profile && aa-exec -p example_networking_status -- ./example_networking_status.armhf
System networking status changed to: offline
System networking status changed to: connecting
System networking status changed to: online
...
Currently there are a lot of accesses that the connectivity-api example app needs:
# URfkill
dbus (receive, send)
    bus=system
    path=/org/freedesktop/URfkill/*
    interface=org.freedesktop.DBus.Properties
    member={Get,PropertiesChanged},
dbus (receive)
    bus=system
    path=/org/freedesktop/URfkill
    interface=org.freedesktop.URfkill
    member=DeviceChanged,
dbus (receive)
    bus=system
    path=/org/freedesktop/URfkill/*
    interface=org.freedesktop.URfkill.Killswitch
    member=StateChanged,
dbus (send)
    bus=system
    path=/org/freedesktop/URfkill
    interface=org.freedesktop.URfkill
    member=IsFlightMode,
dbus (receive)
    bus=system
    path=/org/freedesktop/URfkill
    interface=org.freedesktop.URfkill
    member=FlightModeChanged,

# NetworkManager
dbus (send)
    bus=system
    path=/org/freedesktop/NetworkManager
    interface=org.freedesktop.NetworkManager
    member=GetDevices,
dbus (send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/Devices/*}
    interface=org.freedesktop.DBus.Properties
    member=Get,
dbus (receive)
    bus=system
    path=/org/freedesktop/NetworkManager
    interface=org.freedesktop.NetworkManager
    member={PropertiesChanged,StateChanged},
dbus (receive)
    bus=system
    path=/org/freedesktop/NetworkManager/Devices/*
    interface=org.freedesktop.NetworkManager.Device{,.*}
    member={PropertiesChanged,StateChanged},
dbus (send)
    bus=system
    path=/org/freedesktop/NetworkManager/Devices/*
    interface=org.freedesktop.NetworkManager.Device.Wireless
    member=GetAccessPoints,
dbus (receive)
    bus=system
    path=/org/freedesktop/NetworkManager/Devices/*
    interface=org.freedesktop.NetworkManager.Device.Wireless
    member={AccessPointAdded,AccessPointRemoved,ScanDone},
dbus (send)
    bus=system
    path=/org/freedesktop/NetworkManager/AccessPoint/*
    interface=org.freedesktop.NetworkManager
    member=Get,
dbus (send)
    bus=system
    path=/org/freedesktop/NetworkManager/{AccessPoint,ActiveConnection}/*
    interface=org.freedesktop.DBus.Properties
    member=Get,
dbus (receive)
    bus=system
    path=/org/freedesktop/NetworkManager/AccessPoint/*
    interface=org.freedesktop.NetworkManager.AccessPoint
    member=PropertiesChanged,
dbus (receive)
    bus=system
    path=/org/freedesktop/NetworkManager/ActiveConnection/*
    interface=org.freedesktop.NetworkManager.Connection.Active
    member=PropertiesChanged,
As you can see, the NetworkManager DBus API is vast and AppArmor policy for it would be brittle. More importantly, the Get methods leak information that apps should not have. If the simplified helper is very simple-- ie, it provides if offline, connecting, online, on expensive connections, etc along with PropertiesChanged, etc, then it won't need trust-store support, and just be a helper that any app could have unrestricted access to. As such, instead of the above rules (which we can't allow), we could do something like:
dbus (receive, send)
    bus=session
    path=/com/ubuntu/Connectivity,
Thanks!
https://bugs.launchpad.net/bugs/1341548
Title:
Online detection does not work with confined apps on Nexus 4
Status in dekko:
Incomplete
Status in Network Menu:
Triaged
Bug description:
Dekko is not detecting if Online correctly. If I look at the server
logs, I don't see anything in the email server logs for dekko to
connect. If I look in
~/.cache/upstart/application-click-com.ubuntu.developer.dpniel.dekko_dekko_0.2.2.log,
I don't see
anything about connecting. If I click the globe in dekko, I see that
it is in offline mode and selecting one of the others seems to make no
difference (I see nothing in the server logs and the upstart logs) and
the setting doesn't stick (ie, it *always* says 'Offline mode').
I thought this might be bug #1226844, but if I adjust
/var/lib/apparmor/profiles/*dekko* to remove 'deny' from in front of
the NetworkManager and ofono rules and run apparmor_parser -r
/var/lib/apparmor/profiles/*dekko*, there are no denials but it still
doesn't detect if I am online or not when on 3G.
If I get on wifi instead of 3G, dekko can detect if I am online if I
apply the apparmor changes I mentioned above (though, there are still
NetworkManager dbus denials).
For dekko to work as a confined application (ie, shipped in the Ubuntu
App Store) it is going to need to operate without these NetworkManager
and ofono DBus APIs, because they are not allowed to app store apps.
Previous description:
In addition to TLS on port 143, it would be nice to support imaps on port 993.
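
A policy lint for the concern raised in the message, as an added example that is not part of the original message or of AppArmor itself: it splits AppArmor dbus rules at their terminating commas (not the commas inside braces or parentheses) and labels system-bus rules that let a confined app call Get-style methods. The sample policy is constructed from rules quoted in the message; the function names and the labels 'leak', 'system-bus' and 'ok' are assumptions.

```python
import re
# Constructed sample: two rules quoted in the message plus its proposed helper rule.
SAMPLE_POLICY = """
dbus (send)
    bus=system
    path=/org/freedesktop/NetworkManager{,/Devices/*}
    interface=org.freedesktop.DBus.Properties
    member=Get,
dbus (receive)
    bus=system
    path=/org/freedesktop/NetworkManager
    interface=org.freedesktop.NetworkManager
    member={PropertiesChanged,StateChanged},
dbus (receive, send)
    bus=session
    path=/com/ubuntu/Connectivity,
"""

def split_rules(text):
    """Split at the commas that end a rule, not those inside {...} or (...)."""
    rules, depth, cur = [], 0, []
    for ch in re.sub(r"#.*", "", text):          # comments are removed first
        depth += (ch in "{(") - (ch in "})")
        if ch == "," and depth == 0:
            rules.append(" ".join("".join(cur).split()))
            cur = []
        else:
            cur.append(ch)
    return [r for r in rules if r.startswith("dbus")]

def parse_rule(rule):
    """Return permissions and key=value conditions (assumes no list = all perms)."""
    m = re.match(r"dbus\s*(?:\(([^)]*)\))?", rule)
    perms = {p.strip() for p in (m.group(1) or "send,receive,bind").split(",")}
    return {"perms": perms, **dict(re.findall(r"(\w+)=(\S+)", rule[m.end():]))}

def audit(text):
    """Label each rule 'leak' (Get* callable on system bus), 'system-bus' or 'ok'."""
    findings = []
    for r in map(parse_rule, split_rules(text)):
        level = "ok"
        if r.get("bus") == "system":
            # A rule with no member condition matches every member, Get included.
            gets = "send" in r["perms"] and re.search(r"\bGet", r.get("member", "Get"))
            level = "leak" if gets else "system-bus"
        findings.append((level, r.get("path"), r.get("member")))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_POLICY), sep="\n")
```

The `r`, `w` and `rw` permission aliases and rule prefixes such as `deny` or `audit` are not handled here.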