Confinement / Sandboxes

advocatux

@pulsar33 you're right about the first point, there should be more coherence between https://ubports.com/ and http://ubuntu-touch.io/ but as you know this is a work done by volunteers only, so is always a work in progress.

About your second point, no, that's not a simple question looking for a simple answer because you're mixing apples with oranges.

I'm not a developer, I don't have inside secret information. I'm just a user like you. And no, I don't have "certainly information about what will grow and what will die".

But using a search engine I can see that:

apparmor is "a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles"
Snaps are "containerised software packages that are simple to create and install. They auto-update and are safe to run. And because they bundle their dependencies, they work on all major Linux systems without modification".
LXC "is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a control host using a single Linux kernel".
Docker "is a computer program that performs operating-system-level virtualization also known as containerization".
Firejail "is a sandboxing utility that allows you to run un-trusted applications within Linux in an environment that has restricted privileges".

Hope that helps.
Best Regards.

Pulsar33

@advocatux : From my point of view and as your list shows, I'm (maybe) just mixing apples with different colors. Only Snap seems apart but snapcraft.io says :
Not only are snaps kept separate, their data is kept separate too. Snaps communicate with each other only in ways that you approve.

All these concepts have in mind the Confinement (or Sandboxing) of applications in order to increase your usage safety. Linux is said to be safe because the system software is reviewed by many people and because you must grant manually the access to important files. But it seems that people found necessary to add more means to control the application behaviour and this is exactly my feeling.

For example, I'm very strict about network access and sorry that many applications claim for this capability saying "I just want to count my users and check if there's updates". If this application as no other reason to connect to the network, either I don't use it or I find a way to use it without network connectivity.

Firejail does that exactly and more ! It is the one that seems to me the easiest to use. It has the widest and finest capabilities management. I use it on a Linux Mint station and love it. However is it the good choice for the futur ? Will it be available on UBports or will apparmor be the only choice ?

I heard that one reason for Canonical to give up UT was that the phones were unable to run snappy applications and they wanted to quit apparmor for snaps. I'm not sure of what I say. Maybe it's just a misunderstanding because english is not (as you can see) my mother langage.

All this make me asking about the better choice for the futur, as said above.

Good evening
Pulsar33

hummlbach

My knowledge on this topic is also very limited but I try to share my impressions. Lets take docker for example, which I suspect to be very popular and widely used (also in non Linux projects). As already mentioned above, security is not the only reason for some of those technologies. Another big advantage is the well defined environment they provide. So you can use them for cross compiling, for scaling (web) services dynamically (just deploy the docker containing your agent to some additional machines on demand), for testing (having different versions of the environment your app runs in, as well as having clean starting points for your tests), for deploying software (to ensure your app is more or less independent from changes to the core system or other apps). Yes and I too think its really more like apples and oranges... so docker is not a package managing system, which snap is in the first place, and the confinement is actually done by apparmor... If I understood this right. And where docker is doing some kind of userspace virtualization (different colors available ;)) lxc seems to do this for the kernel side...

Pulsar33

Hello,

@advocatux said in Confinement / Sandboxes: > I'm not a developer, ...

@hummlbach said in Confinement / Sandboxes: > My knowledge on this topic is also very limited but ...

Thank you for your replies, however is there some specialists or developpers here to have an idea of the futur, please ?
Under MINT18.3, I'm using Firejail who does exactly what I think usefull and easy to manage. Is there a chance to have it under UBports ? (or what is the best alternative ?)

Good evening
Pulsar33

UniSuperBox

Ubuntu Touch's confinement model means that you already have what you want. If you install confined apps, you have the following guarantees:

Apps may only access their own data in ~/.cache and ~/.config unless they have specified it in their AppArmor config. For example, the camera app has permissions to "Picture files" and "Video files".
Apps may only access hardware if they specifically request access or have it specified in their AppArmor config.

The only way to access files outside of the restricted permissions for documents, videos, and picture files is to go through ContentHub. That's the system where an app asks you to select a file from another app which has access. In essence, you need to give an app the files it wants.

This system is completely different than almost anything found on any Linux distribution at this point (minus Android, which the system is partially modeled after). It is also very upsetting to many Linux desktop developers for this reason.

Pulsar33

Hello,

@unisuperbox said in Confinement / Sandboxes: > Ubuntu Touch's confinement model means that you already have what you want.

@pulsar33 said in Confinement / Sandboxes: > only used apparmor as it was included in my legacy BQ E5 UT edition (AFAIK), and without modifying the policies.

Thank you for your answer. So if I understand, we definitely have to deal with apparmor which has no GUI and no easy management mean. With my BQ E5 UT, I use Permy (Jamie Strandboge) to look at the permissions of the installed apps. Unfortunately, this application is not available on OpenStore. Moreover, this application was only a viewer and the permission syntax is not so easy to manage.

Following your answer, I'll try to improve my understanding and mainly investigate about the permission granularity. I think that two main goals are to be reached when managing security for a newly installed application :

Fine whitelisting and blacklisting parts of the filesystem
Fine granting or denying network access on an application basis

When I say "Fine" I speak of granularity. I don't know if fine is the right term in english. For example, if I want to install Sensor Status, I have to grant "Networking" for that app. Why ???. I don't want to do so. This is a huge example but there's some finest cases where maybe I'll want to grant local network access but no wide network access, and so on ...

It would be nice for me to clone Permy which has no recent update but at this time, I'm starting the programming course and I'm not fully operational :o))

Permy snapshot

Other feelings and advices are welcome
Best regards
Pulsar33

hoh61

Hello to everybody,

I was struggeling with permissions and permission system on ubuntu touch for several days. When I found this discussion I decided it would be worth to have the permy software running on my device. After some struggeling with the atom environment and the clickable tool I have now a running permy clone(90% of the original source), which, according to this discussion: would be of interest for other people too.
I tried to upload it to the open store, but it was rejected. The click-review process gave a red flag, because this app will read the apparmor profiles (the intention of this app).
Which way do I have (without excessive environment installation) to make this tool available for a larger group?

Pulsar33

@hoh61 : Hello,
I'm happy to see that you started the job and are about to succeed. I hope that some Guru will help you (I'm not able myself to do so at this time, but I try to learn ...).
Moreover, like I said in this thread, I think that this application has to be considered as a core app.
@Flohack @NeoTheThird @UniSuperBox can you help please, or say who can help ?

Best regards
Pulsar33

hoh61

@Pulsar33 : I would not consider this app as a core app yet. For my impression it would be primarily a little support tool for developers to check the proper implementation of the apparmor settings and highlight multiple versions of their apps, or help impacted users to find it out. Since I observe this on my tablet too, I would rise the question for a combined uninstall/install procedure for updates installed via clickable.
One can think about an extension which allows the user to remove (only) right gained for the application (e.g. network access gained for an application without network access from the user), but here some specialties of apparmor has to be taken into account. Removal of access right can only be activated after a restart of the apparmor daemon (root access necessary) or after a reboot of the device. This capability would provide a major benefit to the user and make the for me app a candidate for a core app.

jezek

@hoh61 and where can I find the app you mention? Thanks.

hoh61

It's in the open store yet.

And some comments on the confinement/sandbox topic itself.
On my M10 FHD with the original ubuntu image the system was running having an LXC container for all applications. By this approach the system tasks were separated from the user tasks, but unfortunately a very excessive access environment deeded to build up. I was not able to install network access to my home network using samba.

The actual UBport implementation is completely different. On the device the apps are running as normal user apps, only restricted by the rules implemented with apparmor. This is not much different to desktop computers except that on my Desktop computer I have 22 rules while on the touch device I count 64. Without a good UI this can be an easy source of errors .

Docker (in clickable) and LXC (in ubuntu sdk) are used for development purposes only to encapulate the target environment from the development host. Actually I found nothing comparable on the touch device (except a fragment for an LXC android container).

An yes, the most irritating issue is the media hub server. I started to understand the concept, but I'm still at the beginning.

jezek

@hoh61 oh hoh it's this permyhoh. Thank you.

doniks

modules:composer.user_said_in, @hoh61, Confinement / Sandboxes

And some comments on the confinement/sandbox topic itself.
On my M10 FHD with the original ubuntu image the system was running having an LXC container for all applications. By this approach the system tasks were separated from the user tasks, but unfortunately a very excessive access environment deeded to build up. I was not able to install network access to my home network using samba.

The actual UBport implementation is completely different. On the device the apps are running as normal user apps, only restricted by the rules implemented with apparmor. This is not much different to desktop computers except that on my Desktop computer I have 22 rules while on the touch device I count 64. Without a good UI this can be an easy source of errors .

are you sure? i don't think I've seen this lxc container for applications. do you mean for regular apps? the ones installed from the app store.

i have the feeling, if ubports had changed such a significant piece of the platform, i would have heard about it

or do you mean desktop applications? they went into a container, but also there i have only ever seen chroot containers even though there was talk about lxc there

DanChapman

@hoh61 That's not correct. Applications are run exactly the same now as they were in the original ubuntu image. Just confined processes using apparmor. As you noted though there is an minimal android container which is the only usage of lxc (unless you install anbox).

hoh61

Just to make it clear: I'm talking from the original ububtu touch version shipped with the M10 FHD by BQ. This was based on ubuntu 15.10.
And you can bite me to hell, there was an LXC container running, separating the system processes from the user area, where all apps were located (no desktop apps, only apps from the ubuntu store!). It drove me crazy that I couldn't add a network access for my samba network. A lot of mountpoints were installed in order to make the container accessible to the root system, for the network access a bridge was installed, ... All these stuff is missing in the actual image for xenial.

@doniks : which process is not confined? Have a look at the apparmor settings (sudo aa-status). On my M10fhd there are now 43 profiles found in enforcement mode (before r92 it was 62). All running applications so far are in enforcement mode, except LXC!

doniks

@hoh61 uhhhhm, I'm not convinced. Now, I never held an M10, so I can't say I know, but I'm quite sure.

Got some spare time at your hands? Feel like flashing back the vivid version and showing some command line output?

hoh61

@doniks : I would stop this discussion here unless we find someone who has a M10 FDH with the lates canonical image in short access. A list of the mountpoints (/etc/mtab) via adb should provide some clarification on this topic. I will not do it, because I would like to get my fireza running, which is still as hard work. In the actual environment I found still a lot of weaknesses and open issues, which I would like to solve step by step. first for myself, hopefully with the help of the community, finally in the hope that I can provide some solutions which will improve some little steps.

So if you know somebody who is familiar with atom add-on packages there will be some interesting tasks to work on.

Marathon2422

@hoh61
i have an m10 fhd ML002151 if you need to download UT firmware

http://www.mibqyyo.com/en-download/categorias/aquaris-m10-fhd-ubuntu-edition/