UBports Robot Logo UBports Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    AppArmor policy for gnome-keyring

    Scheduled Pinned Locked Moved App Development
    6 Posts 3 Posters 526 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • klhK
      klh
      last edited by

      Hello.

      I'm trying to develop an app that uses gnome-keyring using qtkeychain, but when running I get an AppArmor policy error:

      Gkr-Message: secret service operation failed: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.108" (uid=32011 pid=25202 comm="testk ") interface="org.freedesktop.DBus.Peer" member="Ping" error name="(unset)" requested_reply="0" destination="org.freedesktop.secrets" (uid=32011 pid=2898 comm="gnome-keyring-daemon --start --components pkcs11,s")

      I don't see any policy groups I could use in the docs. Is this going to be supported?

      I want to store the password to a password manager vault in the keyring so it's possible to unlock it with biometrics/standard system dialog (not sure if that's possible yet since I didn't get that far).

      CiberSheepC dobeyD 2 Replies Last reply Reply Quote 0
      • CiberSheepC
        CiberSheep @klh
        last edited by

        @klh I don't think you can run it if confined.

        One of the apps that uses user authentification (I'm sure it's the same case) is the Terminal

        https://gitlab.com/ubports/apps/terminal-app/-/tree/master/src/plugin/pamauthentication

        Another planet, another time, another universe!

        klhK 1 Reply Last reply Reply Quote 0
        • dobeyD
          dobey @klh
          last edited by

          @klh No, you cannot use gnome-keyring in this way, at the moment.

          There is no integration between gnome-keyring and biometrics, and no way for apps to use biometrics for securing encryption keys or such in the app, currently.

          It would take quite a bit of work to get something usable which can do all of these things, while also not exposing the keyring of one app, to any other apps which can talk to the keyring.

          1 Reply Last reply Reply Quote 0
          • klhK
            klh @CiberSheep
            last edited by klh

            @cibersheep That's a bummer, as a user I could expect unconfined in a terminal app, but definitely not a password manager (checked PAM too, same problem, works when unconfined).

            @dobey For some reason I thought gnome-keyring used PAM for authentication, but that's completely wrong (and looking at a bug report for it makes me wonder if it should be even possible).

            As for isolating them, maybe each app could request an isolated keyring just for this one app? I'd be up for trying to implement something like that, but I'd need some pointers since I just started getting into UBports and the amount of code to look though is high.

            I guess the app in question will be more secure than convenient 😃

            dobeyD 1 Reply Last reply Reply Quote 0
            • dobeyD
              dobey @klh
              last edited by

              @klh said in AppArmor policy for gnome-keyring:

              As for isolating them, maybe each app could request an isolated keyring just for this one app?

              It's not that easy, as gnome-keyring itself doesn't have any method for isolating access from apps. It would be quite a large amount of work to implement something, I think.

              klhK 1 Reply Last reply Reply Quote 0
              • klhK
                klh @dobey
                last edited by

                @dobey Looks like it should be possible with AppArmorDBus?

                Since each collection in the secrets service has a path (https://specifications.freedesktop.org/secret-service/latest/ch12.html) and AppArmor can be used to enable only a specific path.

                Then we would get something like the Keystore APIs on iOS/Android? With a nice bonus that with a system app for keyring access you would be able to look through the saved data of all applications.

                I'll try making a policy later and make a PR/MR if it works.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post