Work to integrate with Ubuntu SDK, developer tools and delivery

Registered by Jamie Strandboge on 2013-03-28

Acceptance criteria for May:
Goal: Developers are able to put a security manifest file in a source package such that when the package is built and installed, the application runs confined.

Acceptance criteria for June:
Goal: Users can install the ubuntu-calculator-app with application isolation in effect

Acceptance criteria for July:
Goal: Developers are able to choose application isolation policies (policy groups) for an initial set of developer APIs (ie, initial set is defined with policy written)
Goal: Users are able to install a click package with AppArmor integration

Acceptance criteria for August:
Goal: Users are able to run applications with DBus rules in effect

Blueprint information

Status: Complete
Approver: Jamie Strandboge
Priority: High
Drafter: Marc Deslauriers
Direction: Approved
Assignee: Steve Beattie
Definition: Approved
Series goal: Accepted for saucy
Implementation: Implemented
Milestone target: ubuntu-13.10
Started by: Jamie Strandboge on 2013-05-30
Completed by: Jamie Strandboge on 2013-10-17

Whiteboard

= Preliminary thoughts =
 * SDK team provides GUI for developer to pick and choose permissions and producing a manifest file
 * python library takes the manifest file and converts it to a confinement profile (for now, just the apparmor profile). This library is used by the developer tools and by server code. It should use easyprof and do the following based on the contents of the manifest file:
  * choose between (at least) 3 templates: native QML, HTML5 and PhoneGap
  * build up easyprof arguments for (at least) --template, --name, --author, --copyright, --comment and the permissions (--abstractions, --policy-groups)
  * also build up arguments for --read-path and --write-path. For now these should match the install paths and must not be user-configurable via the manifest file (ie, when run in developer mode, the SDK can specify various paths for running locally, but on the server it will use the installation locations. If the SDK has a "build Ubuntu package" option, it should create a package that uses the server-mode code to inject a profile into the package)
 * Could also provide 'usandbox' for app developers. It would be a standalone, simple application that takes the manifest file, uses the python library to convert to a confinement profile and executes the program within that confinement (use with '-i' to install the apparmor profile via sudo).
 * security manifest file should be machine readable as well as human-editable (eg, json, xml, .ini)
  * DECISION per sprint - will use json and it will be a subsection of a larger combined json file
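The following is an added example of the library sketched above: it reads the security subsection of a combined JSON manifest, lints it, and builds the aa-easyprof argument vector (template, name/author/copyright/comment, policy groups and abstractions, and read/write paths that are derived from install locations rather than taken from the manifest). It is illustrative code written for this page, not easyprof's or the SDK's own implementation. The JSON key names (security, type, policy_groups, abstractions), the template names other than ubuntu-sdk, and the per-app XDG_DATA_HOME/XDG_CONFIG_HOME write-path layout are assumptions; the option names are the ones listed in the whiteboard.

```python
import json
import re
import shlex

# Assumed mapping from the three app kinds in the whiteboard to easyprof
# template names. Only "ubuntu-sdk" appears on the page; the other two are
# placeholder names for the HTML5 and PhoneGap templates.
TEMPLATES = {
    "qml": "ubuntu-sdk",
    "html5": "ubuntu-sdk-html5",        # placeholder name
    "phonegap": "ubuntu-sdk-phonegap",  # placeholder name
}

# Policy group and abstraction names go straight onto the aa-easyprof command
# line, so accept only plain tokens (a lint check, as in the later work items).
TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


class ManifestError(ValueError):
    """Raised when the security subsection fails lint."""


def lint_security(sec):
    """Return a list of problems in the security subsection (empty list = clean)."""
    problems = []
    if not isinstance(sec, dict):
        return ["'security' must be a JSON object"]
    if sec.get("type") not in TEMPLATES:
        problems.append("'type' must be one of %s" % ", ".join(sorted(TEMPLATES)))
    for key in ("policy_groups", "abstractions"):
        vals = sec.get(key, [])
        if not isinstance(vals, list) or not all(
                isinstance(v, str) and TOKEN.match(v) for v in vals):
            problems.append("'%s' must be a list of plain identifiers" % key)
    # Read/write paths are derived from the install location, never from the manifest.
    for key in ("read_path", "write_path"):
        if key in sec:
            problems.append("'%s' is not user-configurable; it is derived from install paths" % key)
    return problems


def easyprof_args(manifest, app_id, install_dir, mode="server", dev_paths=None):
    """Build the aa-easyprof argument vector for one application.

    manifest    -- the combined JSON manifest as a dict (its 'security' key is used)
    app_id      -- profile name (--profile-name)
    install_dir -- where the package is installed; the only read path in server mode
    mode        -- 'server' (installation locations) or 'dev' (SDK-supplied paths)
    dev_paths   -- in dev mode, extra --read-path entries chosen by the SDK
    """
    sec = manifest.get("security")
    problems = lint_security(sec)
    if problems:
        raise ManifestError("; ".join(problems))

    args = ["aa-easyprof",
            "--template", TEMPLATES[sec["type"]],
            "--profile-name", app_id,
            "--name", manifest.get("name", app_id)]
    for opt, key in (("--author", "author"), ("--copyright", "copyright"),
                     ("--comment", "comment")):
        if manifest.get(key):
            args += [opt, manifest[key]]
    # --policy-groups and --abstractions take comma-separated lists.
    if sec.get("policy_groups"):
        args += ["--policy-groups", ",".join(sec["policy_groups"])]
    if sec.get("abstractions"):
        args += ["--abstractions", ",".join(sec["abstractions"])]

    # Read paths: the install dir, plus SDK-chosen paths only when developing locally.
    read_paths = [install_dir]
    if mode == "dev" and dev_paths:
        read_paths += list(dev_paths)
    for p in read_paths:
        # trailing '/' so easyprof treats the path as a directory
        args += ["--read-path", p.rstrip("/") + "/"]
    # Write paths follow XDG_DATA_HOME / XDG_CONFIG_HOME with one directory per app
    # (assumed layout; @{HOME} is an AppArmor variable).
    for base in ("@{HOME}/.local/share", "@{HOME}/.config"):
        args += ["--write-path", "%s/%s/" % (base, app_id)]
    return args


def shell_line(args):
    """Render the argument vector as a safely quoted shell command line."""
    return shlex.join(args)


# Constructed manifest for demonstration; not a real package's manifest.
SAMPLE_MANIFEST = json.loads("""
{
  "name": "ubuntu-calculator-app",
  "author": "Example Author",
  "security": {
    "type": "qml",
    "policy_groups": ["networking"],
    "abstractions": ["base"]
  }
}
""")

if __name__ == "__main__":
    argv = easyprof_args(SAMPLE_MANIFEST, "ubuntu-calculator-app",
                         "/opt/click.ubuntu.com/ubuntu-calculator-app/current")
    print(shell_line(argv))
```

The lint step is what keeps the manifest from becoming an injection point: anything not matching the token pattern, and any attempt to set read or write paths from inside the manifest, is rejected before the argument vector is built, so server-side packaging and the developer's local run produce profiles from the same validated input.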

jdstrand: other work items TBD based on sprint
jdstrand: work items pulled forward from https://blueprints.launchpad.net/ubuntu/+spec/foundations-r-dh-apparmortemplate

jdstrand, 2013-05-06> based on sprint, should try to use binfmt for qml files. If qml files need a header, then SDK team needs to talk to upstream Qt. Non-ideal solution is to modify qmlscene (or its counterpart) to use aa_changeprofile/aa-exec

jdstrand, 2013-05-30> will use upstart for application launch. See https://blueprints.launchpad.net/ubuntu/+spec/foundations-1305-upstart-app-launching

jdstrand, 2013-06-14> idea for how to regenerate profiles when templates and policy groups change: initially, when easyprof is updated, it unconditionally regenerates all profiles. later, easyprof could be smart about what it needs to update and only update things that need to be regenerated. Perhaps create an ubuntu-easyprof-templates package that ships the templates and policy groups and when it is upgraded, profiles are regenerated

jdstrand, 2013-06-28> Unity doesn't properly launch applications when using 'Exec=aa-exec -p <profile> qmlscene <path to>.qml' in the .desktop file. Investigating, but this isn't the way we will launch applications anyway, so it might be shelved.

jdstrand, 2013-07-02> ship abstractions in apparmor-easyprof-ubuntu?

jdstrand, 2013-07-02> should templates use /etc/apparmor.d/local?

Perf results: standard apparmor options, ubuntu-sdk template for files/net
- grouper: ~3.85s/profile (3+ minutes for 50 apps)
- mako: ~3.1s/profile (2.5+ minutes for 50 apps)
- saucy amd64 kvm: ~1.4s/profile (1+ minutes for 50 apps)


Work Items

Work items for ubuntu-13.05:
[mdeslaur] work with Unity team on setting an environment variable via the app launcher to indicate the application is running under confinement (will be set via upstart job): DONE
[mdeslaur] define application confinement paths for writes (will use XDG_DATA_HOME and XDG_CONFIG_HOME): DONE
[mdeslaur] explore different ways to make qml files executable: DONE
[mdeslaur] explore different ways to make html5 files executable: DONE

Work items for ubuntu-13.06:
[sbeattie] Get aa-easyprof to read json manifest with easyprof syntax as an alternative to command line parameters: DONE
[jdstrand] finish testcases and add --profile-name to easyprof: DONE
[jdstrand] discuss with stakeholders (mdeslaur) structure and keywords for manifest file: DONE
[jdstrand] provide example security manifest file to SDK team: DONE
[sbeattie] update dh_apparmor to take manifest file and run easyprof: DONE
[sbeattie] implement aa-easyprof template and policy groups for SDK native app for files/caps/net: DONE
[jdstrand] upload updated easyprof and policy for SDK native app to saucy: DONE
[sbeattie] ubuntu-calculator-app runs under application isolation using aa-exec in the .desktop file via Debian packaging: DONE
[jdstrand] implement aa-easyprof template and policy groups for SDK HTML5 app for files/caps/net: DONE
[jdstrand] upload updated easyprof and policy for HTML5 app to saucy: DONE
[jdstrand] support policy versions in easyprof: DONE

Work items for ubuntu-13.07:
[sbeattie] discuss with stakeholders (mdeslaur) initial set of exposed SDK policies (easyprof policygroups): DONE
[jdstrand] provide apparmor-easyprof-ubuntu package to ship versioned policy: DONE
[jdstrand] write evilapp to test confinement: DONE
[jdstrand] evilapp runs under application isolation via Click hook: DONE
[jdstrand] document steps for how to use the security manifest file, aa-easyprof, apparmor_parser and the app launcher for developers of the SDK: DONE
[jdstrand] document steps for app developers on how to create a security manifest file and use it to test their applications under confinement: DONE
[sbeattie] write apparmor click package hook (run easyprof, load profile): DONE
[sbeattie] SDK app runs under application isolation via Click packaging: DONE
[sbeattie] example HTML5 app runs under application isolation via Click packaging: DONE
[jdstrand] update apparmor to not pull in perl-modules (due to aa-exec): DONE
[sbeattie] handle click package install of apparmor policy on read-only images: DONE
[jdstrand] adjust apparmor to load policy from read/write area of touch images: DONE

Work items for ubuntu-13.08:
[jdstrand] implement aa-easyprof template and policy groups for PhoneGap app for files/caps/net: DONE
[jdstrand] lint tool for verifying security manifest file: DONE
[jdstrand] test policy regeneration with hundreds of manifests: DONE
[jdstrand] properly handle click hook when apparmor is not enabled/available: DONE
[jdstrand] implement policy groups for initial set of exposed SDK policies: DONE

Work items for ubuntu-13.09:
[jdstrand] discuss with stakeholders final set of exposed SDK policies (easyprof policygroups): DONE
[jdstrand] implement policy groups for final set of exposed SDK policies: DONE
[jdstrand] devise how to deal with device specific accesses: DONE
[jdstrand] implement way to trigger policy regeneration for when easyprof templates or policy groups change: DONE
[bzoltan] implement interface for app developers to define their security manifest file: DONE
[jdstrand] give ted list of variables that are in the templates for HUD policy groups, etc: DONE
[kalikiana] adjust SDK to use application confinement paths (ie, fix application-confinement tagged bugs): DONE

Work items for ubuntu-13.10:
[mdeslaur] audit apparmor ubuntu abstractions and SDK templates and policy groups for final 1.0 version of the policy: DONE
[sergiusens] ubuntu-calculator-app runs under application isolation on phablet images: DONE

Work items for later:
[sbeattie] handle easyprof policy verification when apparmor is not enabled/available: POSTPONED
[jdstrand] add --dbus-path option to apparmor-easyprof: POSTPONED
[jdstrand] add smoke tests to evilapp to run on touch images: POSTPONED
