Confinement / Sandboxes

Pulsar33

Hello,

@unisuperbox said in Confinement / Sandboxes: > Ubuntu Touch's confinement model means that you already have what you want.

@pulsar33 said in Confinement / Sandboxes: > only used apparmor as it was included in my legacy BQ E5 UT edition (AFAIK), and without modifying the policies.

Thank you for your answer. So if I understand, we definitely have to deal with apparmor which has no GUI and no easy management mean. With my BQ E5 UT, I use Permy (Jamie Strandboge) to look at the permissions of the installed apps. Unfortunately, this application is not available on OpenStore. Moreover, this application was only a viewer and the permission syntax is not so easy to manage.

Following your answer, I'll try to improve my understanding and mainly investigate about the permission granularity. I think that two main goals are to be reached when managing security for a newly installed application :

Fine whitelisting and blacklisting parts of the filesystem
Fine granting or denying network access on an application basis

When I say "Fine" I speak of granularity. I don't know if fine is the right term in english. For example, if I want to install Sensor Status, I have to grant "Networking" for that app. Why ???. I don't want to do so. This is a huge example but there's some finest cases where maybe I'll want to grant local network access but no wide network access, and so on ...

It would be nice for me to clone Permy which has no recent update but at this time, I'm starting the programming course and I'm not fully operational :o))

Permy snapshot

Other feelings and advices are welcome
Best regards
Pulsar33

hoh61

Hello to everybody,

I was struggeling with permissions and permission system on ubuntu touch for several days. When I found this discussion I decided it would be worth to have the permy software running on my device. After some struggeling with the atom environment and the clickable tool I have now a running permy clone(90% of the original source), which, according to this discussion: would be of interest for other people too.
I tried to upload it to the open store, but it was rejected. The click-review process gave a red flag, because this app will read the apparmor profiles (the intention of this app).
Which way do I have (without excessive environment installation) to make this tool available for a larger group?

Pulsar33

@hoh61 : Hello,
I'm happy to see that you started the job and are about to succeed. I hope that some Guru will help you (I'm not able myself to do so at this time, but I try to learn ...).
Moreover, like I said in this thread, I think that this application has to be considered as a core app.
@Flohack @NeoTheThird @UniSuperBox can you help please, or say who can help ?

Best regards
Pulsar33

hoh61

@Pulsar33 : I would not consider this app as a core app yet. For my impression it would be primarily a little support tool for developers to check the proper implementation of the apparmor settings and highlight multiple versions of their apps, or help impacted users to find it out. Since I observe this on my tablet too, I would rise the question for a combined uninstall/install procedure for updates installed via clickable.
One can think about an extension which allows the user to remove (only) right gained for the application (e.g. network access gained for an application without network access from the user), but here some specialties of apparmor has to be taken into account. Removal of access right can only be activated after a restart of the apparmor daemon (root access necessary) or after a reboot of the device. This capability would provide a major benefit to the user and make the for me app a candidate for a core app.

jezek

@hoh61 and where can I find the app you mention? Thanks.

hoh61

It's in the open store yet.

And some comments on the confinement/sandbox topic itself.
On my M10 FHD with the original ubuntu image the system was running having an LXC container for all applications. By this approach the system tasks were separated from the user tasks, but unfortunately a very excessive access environment deeded to build up. I was not able to install network access to my home network using samba.

The actual UBport implementation is completely different. On the device the apps are running as normal user apps, only restricted by the rules implemented with apparmor. This is not much different to desktop computers except that on my Desktop computer I have 22 rules while on the touch device I count 64. Without a good UI this can be an easy source of errors .

Docker (in clickable) and LXC (in ubuntu sdk) are used for development purposes only to encapulate the target environment from the development host. Actually I found nothing comparable on the touch device (except a fragment for an LXC android container).

An yes, the most irritating issue is the media hub server. I started to understand the concept, but I'm still at the beginning.

jezek

@hoh61 oh hoh it's this permyhoh. Thank you.

doniks

modules:composer.user_said_in, @hoh61, Confinement / Sandboxes

And some comments on the confinement/sandbox topic itself.
On my M10 FHD with the original ubuntu image the system was running having an LXC container for all applications. By this approach the system tasks were separated from the user tasks, but unfortunately a very excessive access environment deeded to build up. I was not able to install network access to my home network using samba.

The actual UBport implementation is completely different. On the device the apps are running as normal user apps, only restricted by the rules implemented with apparmor. This is not much different to desktop computers except that on my Desktop computer I have 22 rules while on the touch device I count 64. Without a good UI this can be an easy source of errors .

are you sure? i don't think I've seen this lxc container for applications. do you mean for regular apps? the ones installed from the app store.

i have the feeling, if ubports had changed such a significant piece of the platform, i would have heard about it

or do you mean desktop applications? they went into a container, but also there i have only ever seen chroot containers even though there was talk about lxc there

DanChapman

@hoh61 That's not correct. Applications are run exactly the same now as they were in the original ubuntu image. Just confined processes using apparmor. As you noted though there is an minimal android container which is the only usage of lxc (unless you install anbox).

hoh61

Just to make it clear: I'm talking from the original ububtu touch version shipped with the M10 FHD by BQ. This was based on ubuntu 15.10.
And you can bite me to hell, there was an LXC container running, separating the system processes from the user area, where all apps were located (no desktop apps, only apps from the ubuntu store!). It drove me crazy that I couldn't add a network access for my samba network. A lot of mountpoints were installed in order to make the container accessible to the root system, for the network access a bridge was installed, ... All these stuff is missing in the actual image for xenial.

@doniks : which process is not confined? Have a look at the apparmor settings (sudo aa-status). On my M10fhd there are now 43 profiles found in enforcement mode (before r92 it was 62). All running applications so far are in enforcement mode, except LXC!

doniks

@hoh61 uhhhhm, I'm not convinced. Now, I never held an M10, so I can't say I know, but I'm quite sure.

Got some spare time at your hands? Feel like flashing back the vivid version and showing some command line output?

hoh61

@doniks : I would stop this discussion here unless we find someone who has a M10 FDH with the lates canonical image in short access. A list of the mountpoints (/etc/mtab) via adb should provide some clarification on this topic. I will not do it, because I would like to get my fireza running, which is still as hard work. In the actual environment I found still a lot of weaknesses and open issues, which I would like to solve step by step. first for myself, hopefully with the help of the community, finally in the hope that I can provide some solutions which will improve some little steps.

So if you know somebody who is familiar with atom add-on packages there will be some interesting tasks to work on.

Marathon2422

@hoh61
i have an m10 fhd ML002151 if you need to download UT firmware

http://www.mibqyyo.com/en-download/categorias/aquaris-m10-fhd-ubuntu-edition/