UBports Forum

AppArmor policy for gnome-keyring

App Development
klh
last edited by 13 Nov 2021, 13:17

      Hello.

      I'm trying to develop an app that uses gnome-keyring using qtkeychain, but when running I get an AppArmor policy error:

      Gkr-Message: secret service operation failed: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.108" (uid=32011 pid=25202 comm="testk ") interface="org.freedesktop.DBus.Peer" member="Ping" error name="(unset)" requested_reply="0" destination="org.freedesktop.secrets" (uid=32011 pid=2898 comm="gnome-keyring-daemon --start --components pkcs11,s")

      I don't see any policy groups I could use in the docs. Is this going to be supported?

      I want to store the password to a password manager vault in the keyring so it's possible to unlock it with biometrics/standard system dialog (not sure if that's possible yet since I didn't get that far).

CiberSheep @klh
last edited by 13 Nov 2021, 19:14

        @klh I don't think you can run it if confined.

One of the apps that uses user authentication (I'm sure it's the same case) is the Terminal:

        https://gitlab.com/ubports/apps/terminal-app/-/tree/master/src/plugin/pamauthentication

        Another planet, another time, another universe!

dobey @klh
last edited by 13 Nov 2021, 19:25

          @klh No, you cannot use gnome-keyring in this way, at the moment.

          There is no integration between gnome-keyring and biometrics, and no way for apps to use biometrics for securing encryption keys or such in the app, currently.

          It would take quite a bit of work to get something usable which can do all of these things, while also not exposing the keyring of one app, to any other apps which can talk to the keyring.

klh @CiberSheep
last edited by klh 13 Nov 2021, 20:23

            @cibersheep That's a bummer, as a user I could expect unconfined in a terminal app, but definitely not a password manager (checked PAM too, same problem, works when unconfined).

            @dobey For some reason I thought gnome-keyring used PAM for authentication, but that's completely wrong (and looking at a bug report for it makes me wonder if it should be even possible).

As for isolating them, maybe each app could request an isolated keyring just for this one app? I'd be up for trying to implement something like that, but I'd need some pointers since I just started getting into UBports and the amount of code to look through is high.

            I guess the app in question will be more secure than convenient 😄

dobey @klh
last edited by 15 Nov 2021, 21:27

              @klh said in AppArmor policy for gnome-keyring:

              As for isolating them, maybe each app could request an isolated keyring just for this one app?

              It's not that easy, as gnome-keyring itself doesn't have any method for isolating access from apps. It would be quite a large amount of work to implement something, I think.

klh @dobey
last edited by 15 Nov 2021, 23:31

                @dobey Looks like it should be possible with AppArmorDBus?

                Since each collection in the secrets service has a path (https://specifications.freedesktop.org/secret-service/latest/ch12.html) and AppArmor can be used to enable only a specific path.

                Then we would get something like the Keystore APIs on iOS/Android? With a nice bonus that with a system app for keyring access you would be able to look through the saved data of all applications.

                I'll try making a policy later and make a PR/MR if it works.

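An added example, not from the thread or from UBports, of what the path-scoped policy described in the last post could look like in AppArmor's D-Bus rule syntax. The profile name, the app name `testk` (taken from the denial in the first post) and the collection path `/org/freedesktop/secrets/collection/testk` are placeholders; the path layout follows the Secret Service spec linked above, and the comments mark where destination-path matching alone cannot isolate one app's keyring from another's.

```apparmor
# Added example (hypothetical): confine app "testk" to its own
# Secret Service collection. Collection name is a placeholder.
profile testk_example flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/dbus-session-strict>

  # The exact call denied in the log above: libsecret pings the
  # service before using it.
  dbus send bus=session
       interface=org.freedesktop.DBus.Peer
       member=Ping
       peer=(name=org.freedesktop.secrets),

  # Service-level methods a client cannot avoid. Caveat: Unlock and
  # CreateCollection take object paths / labels as arguments, and
  # AppArmor only matches the destination path, so these rules cannot
  # stop a client from naming another app's collection in the call.
  dbus send bus=session
       path=/org/freedesktop/secrets
       interface=org.freedesktop.Secret.Service
       member={OpenSession,CreateCollection,Unlock,Lock,ReadAlias}
       peer=(name=org.freedesktop.secrets),

  # The app's own collection object and its items
  # (collection/<name>/<item>), including property reads.
  dbus send bus=session
       path=/org/freedesktop/secrets/collection/testk{,/**}
       interface={org.freedesktop.Secret.Collection,org.freedesktop.Secret.Item,org.freedesktop.DBus.Properties}
       peer=(name=org.freedesktop.secrets),

  # Unlock/creation prompts are separate objects: the client calls
  # Prompt on them and receives the Completed signal.
  dbus send bus=session
       path=/org/freedesktop/secrets/prompt/*
       interface=org.freedesktop.Secret.Prompt
       peer=(name=org.freedesktop.secrets),
  dbus receive bus=session
       path=/org/freedesktop/secrets/prompt/*
       interface=org.freedesktop.Secret.Prompt
       member=Completed,

  # Deliberately not allowed: Service.SearchItems and Service.GetSecrets
  # on /org/freedesktop/secrets, which span every collection. The app
  # should use Collection.SearchItems and Item.GetSecret on its own
  # paths above instead.
}
```

These rules only have effect because the session dbus-daemon performs AppArmor mediation, which the denial message in the first post shows is the case here; the argument-based Service methods are the gap that would still need changes in the daemon itself.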