UBports Robot Logo UBports Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    AppArmor policy for gnome-keyring

    Scheduled Pinned Locked Moved App Development
    6 Posts 3 Posters 631 Views 2 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
      Reply
      • Reply as topic
      Log in to reply
      This topic has been deleted. Only users with topic management privileges can see it.
      • klhK Offline
        klh
        last edited by

        Hello.

        I'm trying to develop an app that uses gnome-keyring using qtkeychain, but when running I get an AppArmor policy error:

        Gkr-Message: secret service operation failed: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.108" (uid=32011 pid=25202 comm="testk ") interface="org.freedesktop.DBus.Peer" member="Ping" error name="(unset)" requested_reply="0" destination="org.freedesktop.secrets" (uid=32011 pid=2898 comm="gnome-keyring-daemon --start --components pkcs11,s")

        I don't see any policy groups I could use in the docs. Is this going to be supported?

        I want to store the password to a password manager vault in the keyring so it's possible to unlock it with biometrics/standard system dialog (not sure if that's possible yet since I didn't get that far).

        CiberSheepC dobeyD 2 Replies Last reply Reply Quote 0
        • CiberSheepC Offline
          CiberSheep @klh
          last edited by

          @klh I don't think you can run it if confined.

          One of the apps that uses user authentification (I'm sure it's the same case) is the Terminal

          https://gitlab.com/ubports/apps/terminal-app/-/tree/master/src/plugin/pamauthentication

          Another planet, another time, another universe!

          klhK 1 Reply Last reply Reply Quote 0
          • dobeyD Offline
            dobey @klh
            last edited by

            @klh No, you cannot use gnome-keyring in this way, at the moment.

            There is no integration between gnome-keyring and biometrics, and no way for apps to use biometrics for securing encryption keys or such in the app, currently.

            It would take quite a bit of work to get something usable which can do all of these things, while also not exposing the keyring of one app, to any other apps which can talk to the keyring.

            1 Reply Last reply Reply Quote 0
            • klhK Offline
              klh @CiberSheep
              last edited by klh

              @cibersheep That's a bummer, as a user I could expect unconfined in a terminal app, but definitely not a password manager (checked PAM too, same problem, works when unconfined).

              @dobey For some reason I thought gnome-keyring used PAM for authentication, but that's completely wrong (and looking at a bug report for it makes me wonder if it should be even possible).

              As for isolating them, maybe each app could request an isolated keyring just for this one app? I'd be up for trying to implement something like that, but I'd need some pointers since I just started getting into UBports and the amount of code to look though is high.

              I guess the app in question will be more secure than convenient 😄

              dobeyD 1 Reply Last reply Reply Quote 0
              • dobeyD Offline
                dobey @klh
                last edited by

                @klh said in AppArmor policy for gnome-keyring:

                As for isolating them, maybe each app could request an isolated keyring just for this one app?

                It's not that easy, as gnome-keyring itself doesn't have any method for isolating access from apps. It would be quite a large amount of work to implement something, I think.

                klhK 1 Reply Last reply Reply Quote 0
                • klhK Offline
                  klh @dobey
                  last edited by

                  @dobey Looks like it should be possible with AppArmorDBus?

                  Since each collection in the secrets service has a path (https://specifications.freedesktop.org/secret-service/latest/ch12.html) and AppArmor can be used to enable only a specific path.

                  Then we would get something like the Keystore APIs on iOS/Android? With a nice bonus that with a system app for keyring access you would be able to look through the saved data of all applications.

                  I'll try making a policy later and make a PR/MR if it works.

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post