Application Confinement (Display Manager)

Registered by Marc Deslauriers on 2012-10-11

Begin implementation strategy for mediating display manager rights with AppArmor. While it is understood that different display managers/servers will require updates and/or design for AppArmor integration, the AppArmor kernel and userspace portions should be display manager-agnostic. Session not required-- work being carried over from previous sprints.

Blueprint information

Status:
Complete
Approver:
Jamie Strandboge
Priority:
High
Drafter:
John Johansen
Direction:
Approved
Assignee:
Steve Beattie
Definition:
Approved
Series goal:
Accepted for raring
Implementation:
Implemented
Milestone target:
milestone icon ubuntu-13.04
Started by
Jamie Strandboge on 2012-11-14
Completed by
Jamie Strandboge on 2013-04-10

Related branches

Sprints

Whiteboard

For monthly planning purposes, some work items were broken out into the following:
https://blueprints.launchpad.net/ubuntu/+spec/appdev-1303-appisolation-display-manager

Not completed/blocked work items moved to:
https://blueprints.launchpad.net/ubuntu/+spec/security-s-appisolation-display-manager

(?)

Work Items

Work items:
[jdstrand] define display manager security requirements (high) (1): DONE
[sbeattie] review design and implementation problems with X (high) (5): DONE
[sbeattie] review alternative display manager designs (eg wayland, etc) (high) (5): DONE
[sbeattie] review prior art/other OS' implementations for confining client applications (high) (5): DONE
[sbeattie] based on the above, identify ideal security design and augment display manager security requirements if needed (high) (2): DONE
[jjohansen] review/approve display manager security requirements from jdstrand and sbeattie (high) (1): DONE
[jjohansen] prototype display manager policy language (high) (2): DONE
[jjohansen] handover test display server implementation to sbeattie (high) (3): DONE
[sbeattie] get test display server implementation building (high) (15): DONE

This blueprint contains Public information 
Everyone can see this information.