Application Confinement (Content Access Helper)

Registered by Marc Deslauriers on 2012-10-11

Application isolation ensures that applications can only access the data they require to run. Often, though, an application needs opportunistic access to data outside that set; e.g. a photo application needs access to an image file for upload. We should provide a helper that enables confined applications to access files and other content selected by the user.

UPDATE: this BP is superseded by https://blueprints.launchpad.net/ubuntu/+spec/client-1305-content-mgmt-picking

Blueprint information

Status: Complete
Approver: Jamie Strandboge
Priority: Undefined
Drafter: Marc Deslauriers
Direction: Approved
Assignee: Tyler Hicks
Definition: Superseded
Series goal: None
Implementation: Not started
Milestone target: None
Completed by: Jamie Strandboge on 2013-05-30

Related branches

Sprints

Whiteboard

Requirements for first iteration:
- file type specific (eg, photos, contacts, etc) with different handlers
 1. files
 2. photos (needs design)
 3. contacts
- need to be able to handle different backends
- need to be able to handle multiple files of same type
- as toolkit agnostic as possible
Future:
- Legacy applications and file selector: could patch gtk to invoke helper
Other helpers need an API that developers would program to
Code to be written:
- trusted helper daemon
- library for API (getFile, getContact, get...)
Questions:
- saving
 - how do you save a contact?
 - Is the permission grant temporary, or persistent for the sandbox?
   - i.e. the next time the application is launched, or after a reboot, is the extended access remembered?
 - Is the grant of new permission local to the task or to the sandbox?
   - this is irrelevant if each application gets its own sandbox, but matters if the sandbox can be shared

Prior art:
- iOS does source review for applications that need access to files out of the sandbox
- Android has an API, but an app can access anything on shared storage and anywhere in its own sandbox
- OS X sandbox: has a trusted helper
- http://plash.beasts.org/powerbox.html works with gtk, changes file selection to do it
- Windows 8 has something like a trusted helper
- Some similar design work going on at GNOME: https://live.gnome.org/GTK%2B/ContentSelection, http://afaikblog.wordpress.com/2012/05/10/gnome-design-update-part-two/
2 parts:
1. API (needs to be defined). Eg the developer wants to upload a picture, or access a contact.
 - define by list of mimetypes
2. How to integrate this with apparmor
 - hard link file into directory where there is access (with cleanup)
 - new functionality in apparmor to dynamically update the profile
 - object delegation
 - transfer file over dbus
 - helper itself could provide a socket and the helper could shove data into the other end
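Two of the integration options above, the helper handing over the file on a socket it owns and the hard link into an already-permitted directory, can be compared with a few lines of code. The following is an added example for this page, not code from the blueprint or from the content selector daemon it proposes: the function names, the in-process socketpair standing in for the helper's D-Bus/socket endpoint, and the sample "photo" file are assumptions for illustration. It shows why descriptor passing lets the helper decide the access rights (a read-only grant for an upload, a write grant for saving) while a hard link can only ever convey the file's own mode bits.

```python
"""Trusted-helper grants for a confined app: fd passing vs. hard link.

Added example, not the blueprint's or daemon's code.  The socketpair transport,
helper_open/delegate_fd/grant_via_hardlink names and the sample file are
assumptions; a real helper would sit behind D-Bus with an AppArmor profile.
"""
import errno
import os
import socket
import tempfile


def helper_open(path, mode="r"):
    """Helper side: open the file the user picked.  The helper, not the app,
    decides the rights: 'r' -> O_RDONLY (enough for upload), 'w' -> save."""
    if mode == "r":
        flags = os.O_RDONLY
    elif mode == "w":
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    else:
        raise ValueError("mode must be 'r' or 'w'")
    return os.open(path, flags | os.O_CLOEXEC, 0o600)


def delegate_fd(path, mode="r"):
    """Run both ends over an AF_UNIX socketpair and return (display_name, fd)
    as seen by the confined side.  The fd travels as SCM_RIGHTS ancillary
    data: the kernel duplicates it into the receiver, so no path lookup that
    the receiver's profile would have to permit ever happens."""
    helper_end, app_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        fd = helper_open(path, mode)
        try:
            # Only a display name goes with the fd; the real path stays hidden.
            socket.send_fds(helper_end, [os.path.basename(path).encode()], [fd])
        finally:
            os.close(fd)  # helper's copy; the app's duplicate stays open
        data, fds, _msg_flags, _addr = socket.recv_fds(app_end, 4096, 1)
        return data.decode(), fds[0]
    finally:
        helper_end.close()
        app_end.close()


def confined_read(path):
    """Confined side with a read-only grant: read through the fd, then check
    that the grant cannot be turned into write access.  Returns
    (display_name, content, write_refused)."""
    name, fd = delegate_fd(path, "r")
    try:
        content = b""
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            content += chunk
        try:
            os.write(fd, b"tamper")
            write_refused = False
        except OSError as exc:
            write_refused = exc.errno == errno.EBADF  # O_RDONLY fd: no write
        return name, content, write_refused
    finally:
        os.close(fd)


def grant_via_hardlink(path, sandbox_dir):
    """The whiteboard's hard-link option: link the file into a directory the
    profile already allows.  The link shares the inode and its mode bits, so
    the grant cannot be narrower than the file's own permissions; it only
    works within one filesystem (EXDEV otherwise); and the caller must unlink
    it when the grant ends (the 'with cleanup' part) or it becomes permanent."""
    link = os.path.join(sandbox_dir, os.path.basename(path))
    os.link(path, link)
    return link


def demo():
    """Constructed sample: a 'photo' the user picks, tried with both grants."""
    with tempfile.TemporaryDirectory() as home, tempfile.TemporaryDirectory() as sandbox:
        photo = os.path.join(home, "holiday.jpg")
        with open(photo, "wb") as f:
            f.write(b"\xff\xd8\xff\xe0 fake jpeg bytes")  # constructed content
        name, content, refused = confined_read(photo)

        link = grant_via_hardlink(photo, sandbox)
        same_inode = os.stat(link).st_ino == os.stat(photo).st_ino
        link_writable = os.access(link, os.W_OK)  # cannot be made read-only
        os.unlink(link)  # end of the hard-link grant
        return {
            "name": name,
            "content": content,
            "write_refused": refused,
            "hardlink_same_inode": same_inode,
            "hardlink_writable": link_writable,
        }


if __name__ == "__main__":
    print(demo())
```

The descriptor route answers the "saving" question cleanly: a save is the same exchange with the helper opening for write, and the grant lasts exactly as long as the app holds the fd, which also settles whether it should survive a relaunch (it does not, unless the helper re-issues it). The hard-link route needs the profile to already allow the target directory and gives the app whatever the file's mode allows, which is why it needs the cleanup step.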

(?)

Work Items

Work items for later:
[mterry] implement content selector daemon/library with filechooser as first API: POSTPONED
[tyhicks] implement apparmor integration in content selector daemon (medium) (3): POSTPONED
[tyhicks] package content selector daemon and library and upload to Ubuntu (medium) (1): POSTPONED
[jjohansen] extend apparmor language for different content types (medium) (3): POSTPONED
[jjohansen] language regression tests for different content types (medium) (1): POSTPONED
[tyhicks] regression tests for apparmor integration into content selector (medium) (1): POSTPONED
[mdeslaur] help define dbus interface (medium) (2): POSTPONED
[mdeslaur] decide on how to expand the permissions (medium) (2): POSTPONED