Application Confinement (Content Access Helper)
Application isolation ensures that applications can only access the data they require to run. Often, data needs to be accessed opportunistically; e.g. a photo application needs access to an image file for upload. We should provide a helper to enable confined applications to access files and other content selected by the user.
UPDATE: this BP is superseded by https:/
Blueprint information
- Status:
- Complete
- Approver:
- Jamie Strandboge
- Priority:
- Undefined
- Drafter:
- Marc Deslauriers
- Direction:
- Approved
- Assignee:
- Tyler Hicks
- Definition:
- Superseded
- Series goal:
- None
- Implementation:
- Not started
- Milestone target:
- None
- Started by
- Completed by
- Jamie Strandboge
Whiteboard
Requirements for first iteration:
- file type specific (e.g. photos, contacts, etc.) with different handlers
1. files
2. photos (needs design)
3. contacts
- need to be able to handle different backends
- need to be able to handle multiple files of same type
- as toolkit agnostic as possible
Future:
- Legacy applications and file selector: could patch GTK to invoke the helper
- Other helpers need an API that developers would program to
Code to be written:
- trusted helper daemon
- library for API (getFile, getContact, get...)
Questions:
- saving
- how do you save a contact?
- Is the permission grant temporary, or persistent for the sandbox?
- i.e. next time the application is launched, or after a reboot, is the extended access remembered?
- Is the grant of new permission local to the task or a sandbox?
- this is irrelevant if each application gets its own sandbox, but if the sandbox can be shared...
Prior art:
- iOS does source review for applications that need access to files out of the sandbox
- Android has an API, but can access anything on the shared drive and anywhere in its sandbox
- OS X sandbox: has a trusted helper
- http://
- new Windows 8 has something like a trusted helper
- Some similar design work going on at GNOME: https:/
2 parts:
1. API (needs to be defined). E.g. the developer wants to upload a picture, or access a contact.
- define by list of mimetypes
2. How to integrate this with apparmor
- hard link file into directory where there is access (with cleanup)
- new functionality in apparmor to dynamically update the profile
- object delegation
- transfer file over dbus
- helper itself could provide a socket and the helper could shove data into the other end
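The delegation options above (hand the application the already-opened file rather than widening its profile) can be sketched with Unix descriptor passing over a socket. The following is an added example written for this page, not code from the blueprint or from the content selector daemon; it assumes a Linux host with Python 3.9+ (socket.send_fds / socket.recv_fds), stands in the helper-to-application socket with a socketpair, and uses a constructed sample file in place of a real chooser result:

```python
import fcntl
import os
import socket
import tempfile

# Constructed sample content standing in for the file the user picked in the
# helper's chooser (assumption: the chooser step has already happened).
SAMPLE_CONTENT = b"constructed sample image bytes"


def create_selected_file(directory):
    """Create the constructed sample file in the helper's (unconfined) area."""
    path = os.path.join(directory, "selected.jpg")
    with open(path, "wb") as f:
        f.write(SAMPLE_CONTENT)
    return path


def helper_grant(sock, path, writable=False):
    """Trusted-helper side: open the selected file with the mode the user
    agreed to and pass only the descriptor (SCM_RIGHTS), never the path."""
    flags = os.O_RDWR if writable else os.O_RDONLY
    fd = os.open(path, flags)
    try:
        socket.send_fds(sock, [b"grant"], [fd])
    finally:
        os.close(fd)  # the kernel duplicated it at send time; drop our copy


def app_receive(sock):
    """Confined-application side: receive the descriptor and return
    (access mode, file contents). The app never sees or opens a path."""
    msg, fds, _flags, _addr = socket.recv_fds(sock, 16, 1)
    if msg != b"grant" or len(fds) != 1:
        raise RuntimeError("unexpected message from helper")
    fd = fds[0]
    accmode = getattr(os, "O_ACCMODE", 3)
    mode = "read-write" if (fcntl.fcntl(fd, fcntl.F_GETFL) & accmode) == os.O_RDWR else "read-only"
    with os.fdopen(fd, "rb") as f:  # closes fd for us
        return mode, f.read()


def demo_delegation(writable=False):
    """Run one helper -> application grant end to end on a socketpair."""
    with tempfile.TemporaryDirectory() as d:
        path = create_selected_file(d)
        helper_side, app_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            helper_grant(helper_side, path, writable=writable)
            return app_receive(app_side)
        finally:
            helper_side.close()
            app_side.close()


if __name__ == "__main__":
    print(demo_delegation())
    print(demo_delegation(writable=True)[0])
```

The access mode travels with the descriptor: a read-only grant cannot be upgraded by the receiver, and nothing about the file's location is disclosed, which is what makes the "object delegation" and "helper provides a socket" variants attractive compared with widening the AppArmor profile.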
Work Items
Work items for later:
[mterry] implement content selector daemon/library with filechooser as first API: POSTPONED
[tyhicks] implement apparmor integration in content selector daemon (medium) (3): POSTPONED
[tyhicks] package content selector daemon and library and upload to Ubuntu (medium) (1): POSTPONED
[jjohansen] extend apparmor language for different content types (medium) (3): POSTPONED
[jjohansen] language regression tests for different content types (medium) (1): POSTPONED
[tyhicks] regression tests for apparmor integration into content selector (medium) (1): POSTPONED
[mdeslaur] help define dbus interface (medium) (2): POSTPONED
[mdeslaur] decide on how to expand the permissions (medium) (2): POSTPONED