Confinement / Sandboxes



  • My knowledge on this topic is also very limited but I try to share my impressions. Lets take docker for example, which I suspect to be very popular and widely used (also in non Linux projects). As already mentioned above, security is not the only reason for some of those technologies. Another big advantage is the well defined environment they provide. So you can use them for cross compiling, for scaling (web) services dynamically (just deploy the docker containing your agent to some additional machines on demand), for testing (having different versions of the environment your app runs in, as well as having clean starting points for your tests), for deploying software (to ensure your app is more or less independent from changes to the core system or other apps). Yes and I too think its really more like apples and oranges... 😉 so docker is not a package managing system, which snap is in the first place, and the confinement is actually done by apparmor... If I understood this right. And where docker is doing some kind of userspace virtualization (different colors available ;)) lxc seems to do this for the kernel side...



  • Hello,

    @advocatux said in Confinement / Sandboxes: > I'm not a developer, ...

    @hummlbach said in Confinement / Sandboxes: > My knowledge on this topic is also very limited but ...

    Thank you for your replies, however is there some specialists or developpers here to have an idea of the futur, please ?
    Under MINT18.3, I'm using Firejail who does exactly what I think usefull and easy to manage. Is there a chance to have it under UBports ? (or what is the best alternative ?)

    Good evening
    Pulsar33



  • Ubuntu Touch's confinement model means that you already have what you want. If you install confined apps, you have the following guarantees:

    • Apps may only access their own data in ~/.cache and ~/.config unless they have specified it in their AppArmor config. For example, the camera app has permissions to "Picture files" and "Video files".
    • Apps may only access hardware if they specifically request access or have it specified in their AppArmor config.

    The only way to access files outside of the restricted permissions for documents, videos, and picture files is to go through ContentHub. That's the system where an app asks you to select a file from another app which has access. In essence, you need to give an app the files it wants.

    This system is completely different than almost anything found on any Linux distribution at this point (minus Android, which the system is partially modeled after). It is also very upsetting to many Linux desktop developers for this reason.



  • Hello,

    @unisuperbox said in Confinement / Sandboxes: > Ubuntu Touch's confinement model means that you already have what you want.

    @pulsar33 said in Confinement / Sandboxes: > only used apparmor as it was included in my legacy BQ E5 UT edition (AFAIK), and without modifying the policies.

    Thank you for your answer. So if I understand, we definitely have to deal with apparmor which has no GUI and no easy management mean. With my BQ E5 UT, I use Permy (Jamie Strandboge) to look at the permissions of the installed apps. Unfortunately, this application is not available on OpenStore. Moreover, this application was only a viewer and the permission syntax is not so easy to manage.

    Following your answer, I'll try to improve my understanding and mainly investigate about the permission granularity. I think that two main goals are to be reached when managing security for a newly installed application :

    • Fine whitelisting and blacklisting parts of the filesystem
    • Fine granting or denying network access on an application basis

    When I say "Fine" I speak of granularity. I don't know if fine is the right term in english. For example, if I want to install Sensor Status, I have to grant "Networking" for that app. Why ???. I don't want to do so. This is a huge example but there's some finest cases where maybe I'll want to grant local network access but no wide network access, and so on ...

    It would be nice for me to clone Permy which has no recent update but at this time, I'm starting the programming course and I'm not fully operational :o))

    Permy snapshot

    Other feelings and advices are welcome
    Best regards
    Pulsar33



  • Hello to everybody,

    I was struggeling with permissions and permission system on ubuntu touch for several days. When I found this discussion I decided it would be worth to have the permy software running on my device. After some struggeling with the atom environment and the clickable tool I have now a running permy clone(90% of the original source), which, according to this discussion: would be of interest for other people too.
    I tried to upload it to the open store, but it was rejected. The click-review process gave a red flag, because this app will read the apparmor profiles (the intention of this app).
    Which way do I have (without excessive environment installation) to make this tool available for a larger group?



  • @hoh61 : Hello,
    I'm happy to see that you started the job and are about to succeed. I hope that some Guru will help you (I'm not able myself to do so at this time, but I try to learn ...).
    Moreover, like I said in this thread, I think that this application has to be considered as a core app.
    @Flohack @NeoTheThird @UniSuperBox can you help please, or say who can help ?

    Best regards
    Pulsar33



  • @Pulsar33 : I would not consider this app as a core app yet. For my impression it would be primarily a little support tool for developers to check the proper implementation of the apparmor settings and highlight multiple versions of their apps, or help impacted users to find it out. Since I observe this on my tablet too, I would rise the question for a combined uninstall/install procedure for updates installed via clickable.
    One can think about an extension which allows the user to remove (only) right gained for the application (e.g. network access gained for an application without network access from the user), but here some specialties of apparmor has to be taken into account. Removal of access right can only be activated after a restart of the apparmor daemon (root access necessary) or after a reboot of the device. This capability would provide a major benefit to the user and make the for me app a candidate for a core app.



  • @hoh61 and where can I find the app you mention? Thanks.



  • It's in the open store yet.

    And some comments on the confinement/sandbox topic itself.
    On my M10 FHD with the original ubuntu image the system was running having an LXC container for all applications. By this approach the system tasks were separated from the user tasks, but unfortunately a very excessive access environment deeded to build up. I was not able to install network access to my home network using samba.

    The actual UBport implementation is completely different. On the device the apps are running as normal user apps, only restricted by the rules implemented with apparmor. This is not much different to desktop computers except that on my Desktop computer I have 22 rules while on the touch device I count 64. Without a good UI this can be an easy source of errors .

    Docker (in clickable) and LXC (in ubuntu sdk) are used for development purposes only to encapulate the target environment from the development host. Actually I found nothing comparable on the touch device (except a fragment for an LXC android container).

    An yes, the most irritating issue is the media hub server. I started to understand the concept, but I'm still at the beginning.



  • @hoh61 oh hoh it's this permyhoh. Thank you.



  • modules:composer.user_said_in, @hoh61, Confinement / Sandboxes

    And some comments on the confinement/sandbox topic itself.
    On my M10 FHD with the original ubuntu image the system was running having an LXC container for all applications. By this approach the system tasks were separated from the user tasks, but unfortunately a very excessive access environment deeded to build up. I was not able to install network access to my home network using samba.

    The actual UBport implementation is completely different. On the device the apps are running as normal user apps, only restricted by the rules implemented with apparmor. This is not much different to desktop computers except that on my Desktop computer I have 22 rules while on the touch device I count 64. Without a good UI this can be an easy source of errors .

    are you sure? i don't think I've seen this lxc container for applications. do you mean for regular apps? the ones installed from the app store.

    i have the feeling, if ubports had changed such a significant piece of the platform, i would have heard about it

    or do you mean desktop applications? they went into a container, but also there i have only ever seen chroot containers even though there was talk about lxc there



  • @hoh61 That's not correct. Applications are run exactly the same now as they were in the original ubuntu image. Just confined processes using apparmor. As you noted though there is an minimal android container which is the only usage of lxc (unless you install anbox).



  • Just to make it clear: I'm talking from the original ububtu touch version shipped with the M10 FHD by BQ. This was based on ubuntu 15.10.
    And you can bite me to hell, there was an LXC container running, separating the system processes from the user area, where all apps were located (no desktop apps, only apps from the ubuntu store!). It drove me crazy that I couldn't add a network access for my samba network. A lot of mountpoints were installed in order to make the container accessible to the root system, for the network access a bridge was installed, ... All these stuff is missing in the actual image for xenial.

    @doniks : which process is not confined? Have a look at the apparmor settings (sudo aa-status). On my M10fhd there are now 43 profiles found in enforcement mode (before r92 it was 62). All running applications so far are in enforcement mode, except LXC!



  • @hoh61 uhhhhm, I'm not convinced. Now, I never held an M10, so I can't say I know, but I'm quite sure.

    Got some spare time at your hands? Feel like flashing back the vivid version and showing some command line output?



  • @doniks : I would stop this discussion here unless we find someone who has a M10 FDH with the lates canonical image in short access. A list of the mountpoints (/etc/mtab) via adb should provide some clarification on this topic. I will not do it, because I would like to get my fireza running, which is still as hard work. In the actual environment I found still a lot of weaknesses and open issues, which I would like to solve step by step. first for myself, hopefully with the help of the community, finally in the hope that I can provide some solutions which will improve some little steps.

    So if you know somebody who is familiar with atom add-on packages there will be some interesting tasks to work on.



  • @hoh61
    i have an m10 fhd ML002151 if you need to download UT firmware

    http://www.mibqyyo.com/en-download/categorias/aquaris-m10-fhd-ubuntu-edition/


Log in to reply