Ubuntu

Provide and example confinement for an Ubuntu SDK application

Registered by Jamie Strandboge

Acceptance criteria for April:
- Goal: AppArmor, SDK and Unity developers are able to use example applications for native Ubuntu SDK QML, HTML5 and PhoneGap apps to exercise our existing confinement implementation
- Goal: Developers are able to use initial easyprof confinement templates to confine QML, HTML5 and PhoneGap apps
- Goal: Unity developers are able to build upon a prototype application launcher for launching SDK applications

The is prerequisite work for our final confinement policy templates.

Blueprint information

Status:
Complete
Approver:
Jamie Strandboge
Priority:
High
Drafter:
Marc Deslauriers
Direction:
Approved
Assignee:
Steve Beattie
Definition:
Approved
Series goal:
Accepted for raring
Implementation:
Implemented
Milestone target:
milestone icon ubuntu-13.04-month-6
Started by
Jamie Strandboge
Completed by
Jamie Strandboge

Related branches

Sprints

Whiteboard

jdstrand> If we can run mir native on a tablet, perhaps adjust the SDK native app to legitimately use the clipboard, screenshot, drag and drop and keyboard sniff. If something isn't working, start conversation with Mir folks on how to get it to work or find it when it will be implemented.
jdstrand> also see https://launchpad.net/~ubuntu-touch-coreapps-drivers/+archive/daily which could potentially be used in lieu of writing an application anew

jdstrand> please see (and elaborate on ;) https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement/Launcher

jdstrand 2013-05-03> based on discussions, the app launcher will be upstart user jobs. One user job will be used and takes an argument for the app. The upstart job should:
 1. document the fact that the upstart jobs provide the initial session environment (ie, at login)
 2. add UBUNTU_APPLICATION_ISOLATION=1 to the job
 3. add a TODO for add GAPPLICATION envvar ted mentioned (LP: #1176127)
 4. document in the job that we can add/clear various variables in the job

(?)

Work Items

Work items:
locate/write a representative HelloNativeConfinment application: DONE
locate/write a representative HelloHTML5Confinement application: DONE
locate/write a representative HelloPhoneGapConfinement application: DONE
create initial aa-easyprof template and policy groups for SDK native app: DONE
create initial aa-easyprof template and policy groups for SDK HTML5 app: DONE
create initial aa-easyprof template and policy groups for PhoneGap app: DONE
prototype (with TODOs) initial app launcher (see ApplicationConfinement spec): POSTPONED
send app launcher prototype to Unity team to discuss next steps: POSTPONED

Dependency tree

* Blueprints in grey have been implemented.

Nearby

This blueprint contains Public information 
Everyone can see this information.