Work to integrate with Ubuntu SDK, developer tools and delivery
Acceptance criteria for May:
Goal: Developers are able to put a security manifest file in a source package such that when the package is built and installed, the application runs confined.
Acceptance criteria for June:
Goal: Users can install the ubuntu-
Acceptance criteria for July:
Goal: Developers are able to choose application isolation policies (policy groups) for an initial set of developer APIs (ie, initial set is defined with policy written)
Goal: Users are able to install a click package with AppArmor integration
Acceptance criteria for August:
Goal: Users are able to run applications with DBus rules in effect
Blueprint information
- Status: Complete
- Approver: Jamie Strandboge
- Priority: High
- Drafter: Marc Deslauriers
- Direction: Approved
- Assignee: Steve Beattie
- Definition: Approved
- Series goal: Accepted for saucy
- Implementation: Implemented
- Milestone target: ubuntu-13.10
- Started by: Jamie Strandboge
- Completed by: Jamie Strandboge
Related branches
Related bugs
Sprints
Whiteboard
= Preliminary thoughts =
* SDK team provides GUI for developer to pick and choose permissions and producing a manifest file
* python library takes manifest file and converts to confinement profile (for now, just the apparmor profile). This library is used by developer tools and server code. It should use easyprof and do the following based on the contents of the manifest file:
  * choose between (at least) 3 templates: native QML, HTML5 and PhoneGap
  * build up easyprof arguments for (at least) --template, --name, --author, --copyright, --comment and permissions (--abstractions, --policy-groups)
  * also build up arguments for --read-path and --write-path. For now these should match install paths and not be user configurable via the manifest file (ie, when run in developer mode, the SDK can specify various paths for running locally, but on the server it will use installation locations. If the SDK has a "build Ubuntu package" option, it should create a package that uses the server mode code to inject a profile into the package)
* Could also provide 'usandbox' for app developers. It would be a standalone, simple application that takes the manifest file, uses the python library to convert to a confinement profile and executes the program within that confinement (use with '-i' to install the apparmor profile via sudo).
* security manifest file should be machine readable as well as human-editable (eg, json, xml, .ini)
* DECISION per sprint - will use json and it will be a subsection of a larger combined json file
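To make the manifest-to-profile flow above concrete, here is an added example (not easyprof's code and not part of the original blueprint) that does in miniature what the notes describe: it reads the "security" subsection of a combined JSON file, lints it against a versioned catalogue of templates and policy groups (the lint tool from the 13.08 work items), and renders an AppArmor profile with read-path and write-path rules rooted in XDG_DATA_HOME / XDG_CONFIG_HOME. The manifest keys, the catalogue contents and the policy group rule bodies are assumptions made for this illustration, not easyprof's real manifest syntax or Ubuntu's shipped policy.

```python
import json
import re

# Constructed sample: one combined JSON file whose "security" subsection
# carries the confinement manifest. Key names are assumptions for this
# illustration, not easyprof's actual manifest syntax.
SAMPLE_COMBINED_JSON = json.dumps({
    "name": "com.example.evilapp",
    "version": "0.1",
    "security": {
        "template": "ubuntu-sdk",
        "policy_version": 1.0,
        "policy_groups": ["networking", "location"],
        "read_path": ["/usr/share/example-data/"],
        "write_path": ["@{XDG_DATA_HOME}/com.example.evilapp/",
                       "@{XDG_CONFIG_HOME}/com.example.evilapp/"],
    },
})

# Toy policy catalogue keyed by policy version, so a manifest written against
# an older version keeps meaning the same thing when newer groups are added.
# Rule bodies are illustrative placeholders (assumption).
TEMPLATES = {1.0: {"ubuntu-sdk", "ubuntu-html5", "ubuntu-phonegap"}}
POLICY_GROUPS = {1.0: {
    "networking": "  #include <abstractions/nameservice>\n  network inet,\n  network inet6,\n",
    "location": "  # constructed placeholder for a location-service access rule\n",
}}
ALLOWED_KEYS = {"template", "policy_version", "policy_groups", "read_path", "write_path"}
PROFILE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9.-]*$")


def lint_manifest(combined_json):
    """Return a list of problems found in the manifest; an empty list means clean."""
    errors = []
    doc = json.loads(combined_json)
    sec = doc.get("security")
    if not isinstance(sec, dict):
        return ["missing 'security' subsection"]
    if not PROFILE_NAME_RE.match(doc.get("name", "")):
        errors.append("invalid or missing application name")
    for key in sec:
        if key not in ALLOWED_KEYS:
            errors.append("unknown key '%s'" % key)
    version = sec.get("policy_version")
    if version not in POLICY_GROUPS:
        return errors + ["unsupported policy_version %r" % (version,)]
    if sec.get("template") not in TEMPLATES[version]:
        errors.append("unknown template %r" % (sec.get("template"),))
    for group in sec.get("policy_groups", []):
        if group not in POLICY_GROUPS[version]:
            errors.append("unknown policy group '%s'" % group)
    # Paths must be absolute (or start with an AppArmor variable) and end in
    # '/' so that a directory rule is generated rather than a single-file rule.
    for key in ("read_path", "write_path"):
        for path in sec.get(key, []):
            if not (path.startswith("/") or path.startswith("@{")) or not path.endswith("/"):
                errors.append("%s entry must be an absolute directory: %s" % (key, path))
    return errors


def render_profile(combined_json):
    """Render a toy AppArmor profile from a clean manifest; raises ValueError on lint errors."""
    problems = lint_manifest(combined_json)
    if problems:
        raise ValueError("; ".join(problems))
    doc = json.loads(combined_json)
    sec = doc["security"]
    groups = POLICY_GROUPS[sec["policy_version"]]
    lines = [
        "# Generated from security manifest (template %s, policy version %s)"
        % (sec["template"], sec["policy_version"]),
        "#include <tunables/global>",
        # XDG variables are assumed to be supplied by the template's tunables.
        "@{XDG_DATA_HOME}=@{HOME}/.local/share",
        "@{XDG_CONFIG_HOME}=@{HOME}/.config",
        'profile "%s" {' % doc["name"],
        "  #include <abstractions/base>",
    ]
    for group in sec.get("policy_groups", []):
        lines.append("  # policy group: %s" % group)
        lines.append(groups[group].rstrip("\n"))
    for path in sec.get("read_path", []):
        lines.append("  %s** r," % path)
    for path in sec.get("write_path", []):
        lines.append("  %s r," % path)       # the directory itself
        lines.append("  %s** rwk," % path)   # everything beneath it
    lines.append("}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_profile(SAMPLE_COMBINED_JSON))
```

The lint step runs before rendering so that an unknown policy group or a relative path never silently becomes an over-broad rule; the version key is what lets the catalogue grow without changing the meaning of already-published manifests.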
jdstrand: other work items TBD based on sprint
jdstrand: work items pulled forward from https:/
jdstrand, 2013-05-06> based on sprint, should try to use binfmt for qml files. If qml files need a header, then SDK team needs to talk to upstream Qt. Non-ideal solution is to modify qmlscene (or its counterpart) to use aa_changeprofil
jdstrand, 2013-05-30> will use upstart for application launch. See https:/
jdstrand, 2013-06-14> idea for how to regenerate profiles when templates and policy groups change: initially, when easyprof is updated, it unconditionally regenerates all profiles. later, easyprof could be smart about what it needs to update and only update things that need to be regenerated. Perhaps create an ubuntu-
jdstrand, 2013-06-28> Unity doesn't properly launch applications when using 'Exec=aa-exec -p <profile> qmlscene <path to>.qml' in the .desktop file. Investigating, but this isn't the way we will launch applications anyway, so it might be shelved.
jdstrand, 2013-07-02> ship abstractions in apparmor-
jdstrand, 2013-07-02> should templates use /etc/apparmor.
Perf results: standard apparmor options, ubuntu-sdk template for files/net
- grouper: ~3.85s/profile (3+ minutes for 50 apps)
- mako: ~3.1s/profile (2.5+ minutes for 50 apps)
- saucy amd64 kvm: ~1.4s/profile (1+ minutes for 50 apps)
Work Items
Work items for ubuntu-13.05:
[mdeslaur] work with Unity team on setting an environment variable via the app launcher to indicate the application is running under confinement (will be set via upstart job): DONE
[mdeslaur] define application confinements paths for writes (will use XDG_DATA_HOME and XDG_CONFIG_HOME): DONE
[mdeslaur] explore different ways to make qml files executable: DONE
[mdeslaur] explore different ways to make html5 files executable: DONE
Work items for ubuntu-13.06:
[sbeattie] Get aa-easyprof to read json manifest with easyprof syntax as an alternative to command line parameters: DONE
[jdstrand] finish testcases and add --profile-name to easyprof: DONE
[jdstrand] discuss with stakeholders (mdeslaur) structure and keywords for manifest file: DONE
[jdstrand] provide example security manifest file to SDK team: DONE
[sbeattie] update dh_apparmor to take manifest file and run easyprof: DONE
[sbeattie] implement aa-easyprof template and policy groups for SDK native app for files/caps/net: DONE
[jdstrand] upload updated easyprof and policy for SDK native app to saucy: DONE
[sbeattie] ubuntu-
[jdstrand] implement aa-easyprof template and policy groups for SDK HTML5 app for files/caps/net: DONE
[jdstrand] upload updated easyprof and policy for HTML5 app to saucy: DONE
[jdstrand] support policy versions in easyprof: DONE
Work items for ubuntu-13.07:
[sbeattie] discuss with stakeholders (mdeslaur) initial set of exposed SDK policies (easyprof policygroups): DONE
[jdstrand] provide apparmor-
[jdstrand] write evilapp to test confinement: DONE
[jdstrand] evilapp runs under application isolation via Click hook: DONE
[jdstrand] document steps for how to use the security manifest file, aa-easyprof, apparmor_parser and the app launcher for developers of the SDK: DONE
[jdstrand] document steps for app developers on how to create a security manifest file and use it to test their applications under confinement: DONE
[sbeattie] write apparmor click package hook (run easyprof, load profile): DONE
[sbeattie] SDK app runs under application isolation via Click packaging: DONE
[sbeattie] example HTML5 app runs under application isolation via Click packaging: DONE
[jdstrand] update apparmor to not pull in perl-modules (due to aa-exec): DONE
[sbeattie] handle click package install of apparmor policy on read-only images: DONE
[jdstrand] adjust apparmor to load policy from read/write area of touch images: DONE
Work items for ubuntu-13.08:
[jdstrand] implement aa-easyprof template and policy groups for PhoneGap app for files/caps/net: DONE
[jdstrand] lint tool for verifying security manifest file: DONE
[jdstrand] test policy regeneration with hundreds of manifests: DONE
[jdstrand] properly handle click hook when apparmor is not enabled/available: DONE
[jdstrand] implement policy groups for initial set of exposed SDK policies: DONE
Work items for ubuntu-13.09:
[jdstrand] discuss with stakeholders final set of exposed SDK policies (easyprof policygroups): DONE
[jdstrand] implement policy groups for final set of exposed SDK policies: DONE
[jdstrand] devise how to deal with device specific accesses: DONE
[jdstrand] implement way to trigger policy regeneration for when easyprof templates or policy groups change: DONE
[bzoltan] implement interface for app developers to define their security manifest file: DONE
[jdstrand] give ted list of variables that are in the templates for HUD policy groups, etc: DONE
[kalikiana] adjust SDK to use application confinements paths (ie, fix application-
Work items for ubuntu-13.10:
[mdeslaur] audit apparmor ubuntu abstractions and SDK templates and policy groups for final 1.0 version of the policy: DONE
[sergiusens] ubuntu-
Work items for later:
[sbeattie] handle easyprof policy verification when apparmor is not enabled/available: POSTPONED
[jdstrand] add --dbus-path option to apparmor-easyprof: POSTPONED
[jdstrand] add smoke tests to evilapp to run on touch images: POSTPONED