• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login
UBports Robot Logo UBports Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Groups
  • Search
  • Register
  • Login

Confinement / Sandboxes

Scheduled Pinned Locked Moved OS
21 Posts 9 Posters 8.2k Views 3 Watching
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P Offline
      Pulsar33 @UniSuperBox
      last edited by Pulsar33 13 Apr 2018, 12:08

      Hello,

      @unisuperbox said in Confinement / Sandboxes: > Ubuntu Touch's confinement model means that you already have what you want.

      @pulsar33 said in Confinement / Sandboxes: > only used apparmor as it was included in my legacy BQ E5 UT edition (AFAIK), and without modifying the policies.

      Thank you for your answer. So if I understand, we definitely have to deal with apparmor which has no GUI and no easy management mean. With my BQ E5 UT, I use Permy (Jamie Strandboge) to look at the permissions of the installed apps. Unfortunately, this application is not available on OpenStore. Moreover, this application was only a viewer and the permission syntax is not so easy to manage.

      Following your answer, I'll try to improve my understanding and mainly investigate about the permission granularity. I think that two main goals are to be reached when managing security for a newly installed application :

      • Fine whitelisting and blacklisting parts of the filesystem
      • Fine granting or denying network access on an application basis

      When I say "Fine" I speak of granularity. I don't know if fine is the right term in english. For example, if I want to install Sensor Status, I have to grant "Networking" for that app. Why ???. I don't want to do so. This is a huge example but there's some finest cases where maybe I'll want to grant local network access but no wide network access, and so on ...

      It would be nice for me to clone Permy which has no recent update but at this time, I'm starting the programming course and I'm not fully operational :o))

      Permy snapshot

      Other feelings and advices are welcome
      Best regards
      Pulsar33

      Aquaris BQ E5 HD UBports OTA-25 (currently testing features)
      Aquaris BQ E5 HD Ubuntu Edition Canonical OTA-15 (last Canonical version, daily use)
      Raspberry Pi 4 B - 4 GB & 8 GB with various OS and Desktops (UBports not OK)

      1 Reply Last reply Reply Quote 0
      • H Offline
        hoh61
        last edited by 7 Jun 2018, 18:43

        Hello to everybody,

        I was struggeling with permissions and permission system on ubuntu touch for several days. When I found this discussion I decided it would be worth to have the permy software running on my device. After some struggeling with the atom environment and the clickable tool I have now a running permy clone(90% of the original source), which, according to this discussion: would be of interest for other people too.
        I tried to upload it to the open store, but it was rejected. The click-review process gave a red flag, because this app will read the apparmor profiles (the intention of this app).
        Which way do I have (without excessive environment installation) to make this tool available for a larger group?

        P 1 Reply Last reply 8 Jun 2018, 05:52 Reply Quote 3
        • P Offline
          Pulsar33 @hoh61
          last edited by Pulsar33 6 Aug 2018, 05:55 8 Jun 2018, 05:52

          @hoh61 : Hello,
          I'm happy to see that you started the job and are about to succeed. I hope that some Guru will help you (I'm not able myself to do so at this time, but I try to learn ...).
          Moreover, like I said in this thread, I think that this application has to be considered as a core app.
          @Flohack @NeoTheThird @UniSuperBox can you help please, or say who can help ?

          Best regards
          Pulsar33

          Aquaris BQ E5 HD UBports OTA-25 (currently testing features)
          Aquaris BQ E5 HD Ubuntu Edition Canonical OTA-15 (last Canonical version, daily use)
          Raspberry Pi 4 B - 4 GB & 8 GB with various OS and Desktops (UBports not OK)

          1 Reply Last reply Reply Quote 0
          • H Offline
            hoh61
            last edited by 9 Jun 2018, 09:33

            @Pulsar33 : I would not consider this app as a core app yet. For my impression it would be primarily a little support tool for developers to check the proper implementation of the apparmor settings and highlight multiple versions of their apps, or help impacted users to find it out. Since I observe this on my tablet too, I would rise the question for a combined uninstall/install procedure for updates installed via clickable.
            One can think about an extension which allows the user to remove (only) right gained for the application (e.g. network access gained for an application without network access from the user), but here some specialties of apparmor has to be taken into account. Removal of access right can only be activated after a restart of the apparmor daemon (root access necessary) or after a reboot of the device. This capability would provide a major benefit to the user and make the for me app a candidate for a core app.

            J 1 Reply Last reply 10 Jun 2018, 16:19 Reply Quote 0
            • J Offline
              jezek @hoh61
              last edited by 10 Jun 2018, 16:19

              @hoh61 and where can I find the app you mention? Thanks.

              jEzEk

              1 Reply Last reply Reply Quote 0
              • H Offline
                hoh61
                last edited by hoh61 6 Nov 2018, 20:17 11 Jun 2018, 19:34

                It's in the open store yet.

                And some comments on the confinement/sandbox topic itself.
                On my M10 FHD with the original ubuntu image the system was running having an LXC container for all applications. By this approach the system tasks were separated from the user tasks, but unfortunately a very excessive access environment deeded to build up. I was not able to install network access to my home network using samba.

                The actual UBport implementation is completely different. On the device the apps are running as normal user apps, only restricted by the rules implemented with apparmor. This is not much different to desktop computers except that on my Desktop computer I have 22 rules while on the touch device I count 64. Without a good UI this can be an easy source of errors .

                Docker (in clickable) and LXC (in ubuntu sdk) are used for development purposes only to encapulate the target environment from the development host. Actually I found nothing comparable on the touch device (except a fragment for an LXC android container).

                An yes, the most irritating issue is the media hub server. I started to understand the concept, but I'm still at the beginning.

                J D D 3 Replies Last reply 12 Jun 2018, 03:27 Reply Quote 0
                • J Offline
                  jezek @hoh61
                  last edited by 12 Jun 2018, 03:27

                  @hoh61 oh hoh it's this permyhoh. Thank you.

                  jEzEk

                  1 Reply Last reply Reply Quote 0
                  • D Offline
                    doniks @hoh61
                    last edited by 12 Jun 2018, 04:54

                    modules:composer.user_said_in, @hoh61, Confinement / Sandboxes

                    And some comments on the confinement/sandbox topic itself.
                    On my M10 FHD with the original ubuntu image the system was running having an LXC container for all applications. By this approach the system tasks were separated from the user tasks, but unfortunately a very excessive access environment deeded to build up. I was not able to install network access to my home network using samba.

                    The actual UBport implementation is completely different. On the device the apps are running as normal user apps, only restricted by the rules implemented with apparmor. This is not much different to desktop computers except that on my Desktop computer I have 22 rules while on the touch device I count 64. Without a good UI this can be an easy source of errors .

                    are you sure? i don't think I've seen this lxc container for applications. do you mean for regular apps? the ones installed from the app store.

                    i have the feeling, if ubports had changed such a significant piece of the platform, i would have heard about it

                    or do you mean desktop applications? they went into a container, but also there i have only ever seen chroot containers even though there was talk about lxc there

                    1 Reply Last reply Reply Quote 0
                    • D Offline
                      DanChapman @hoh61
                      last edited by 12 Jun 2018, 07:00

                      @hoh61 That's not correct. Applications are run exactly the same now as they were in the original ubuntu image. Just confined processes using apparmor. As you noted though there is an minimal android container which is the only usage of lxc (unless you install anbox).

                      Support Dekko development: https://www.patreon.com/dekkoproject

                      1 Reply Last reply Reply Quote 1
                      • H Offline
                        hoh61
                        last edited by 12 Jun 2018, 18:26

                        Just to make it clear: I'm talking from the original ububtu touch version shipped with the M10 FHD by BQ. This was based on ubuntu 15.10.
                        And you can bite me to hell, there was an LXC container running, separating the system processes from the user area, where all apps were located (no desktop apps, only apps from the ubuntu store!). It drove me crazy that I couldn't add a network access for my samba network. A lot of mountpoints were installed in order to make the container accessible to the root system, for the network access a bridge was installed, ... All these stuff is missing in the actual image for xenial.

                        @doniks : which process is not confined? Have a look at the apparmor settings (sudo aa-status). On my M10fhd there are now 43 profiles found in enforcement mode (before r92 it was 62). All running applications so far are in enforcement mode, except LXC!

                        D 1 Reply Last reply 12 Jun 2018, 19:05 Reply Quote 0
                        • D Offline
                          doniks @hoh61
                          last edited by 12 Jun 2018, 19:05

                          @hoh61 uhhhhm, I'm not convinced. Now, I never held an M10, so I can't say I know, but I'm quite sure.

                          Got some spare time at your hands? Feel like flashing back the vivid version and showing some command line output?

                          1 Reply Last reply Reply Quote 0
                          • H Offline
                            hoh61
                            last edited by 14 Jun 2018, 17:20

                            @doniks : I would stop this discussion here unless we find someone who has a M10 FDH with the lates canonical image in short access. A list of the mountpoints (/etc/mtab) via adb should provide some clarification on this topic. I will not do it, because I would like to get my fireza running, which is still as hard work. In the actual environment I found still a lot of weaknesses and open issues, which I would like to solve step by step. first for myself, hopefully with the help of the community, finally in the hope that I can provide some solutions which will improve some little steps.

                            So if you know somebody who is familiar with atom add-on packages there will be some interesting tasks to work on.

                            M 1 Reply Last reply 14 Jun 2018, 18:20 Reply Quote 1
                            • M Offline
                              Marathon2422 @hoh61
                              last edited by 14 Jun 2018, 18:20

                              @hoh61
                              i have an m10 fhd ML002151 if you need to download UT firmware

                              http://www.mibqyyo.com/en-download/categorias/aquaris-m10-fhd-ubuntu-edition/

                              1 Reply Last reply Reply Quote 0
                              • First post
                                Last post