Application isolation for Ubuntu
Work for application confinement for Ubuntu application ecosystem
Blueprint information
- Status:
- Complete
- Approver:
- Marc Deslauriers
- Priority:
- High
- Drafter:
- Jamie Strandboge
- Direction:
- Approved
- Assignee:
- Jamie Strandboge
- Definition:
- Approved
- Series goal:
- Accepted for utopic
- Implementation:
- Implemented
- Milestone target:
- ubuntu-14.10
- Started by
- Jamie Strandboge
- Completed by
- Jamie Strandboge
Related branches
Related bugs
Sprints
Whiteboard
jdstrand> work carried over from https:/
jdstrand> appstore submissions: no signing, https verification, not charging, etc
jdstrand> as of 2014-06-17, global media collection, global calendar and global contacts will not be supported for RTM.
jdstrand> 'move hardware/ snippets to lxc-android-config (ie, finish LP: #1197133)' is blocked on phonedations. Per ogra on 2014-07-16, we should be "shipping them per device in the device tarball and bind mount[ing] them on boot"
Work Items
Work items for ubuntu-14.05:
[jdstrand] adjust apparmor-
[jdstrand] adjust click-apparmor for 14.10 (1.2) policy: DONE
[jdstrand] add temporary apparmor policy for mediascanner2 (bug #1319065): DONE
[jdstrand] update apparmor-
[jdstrand] write ubuntu-
[jdstrand] write ubuntu-
Work items for ubuntu-14.06:
[jdstrand] remove temp policy and add real policy for mediascanner2 (LP: #1303962): DONE
[jdstrand] add policy for mediascanner2 service (LP: #1319065): DONE
[jdstrand] investigate limiting ofono access (bug #1296415): DONE
[mdeslaur] review appstore submission and upload process and submit to list: DONE
[thomas-voss] ensure media playback binder service has apparmor integration if needed (contact: tvoss, jhodapp): DONE
[jdstrand] ensure mediascanner2 has trust store integration for access to global media collection (contact: jamesh, LP: #1303962, LP: #1315381, not for RTM): DONE
[jdstrand] ensure media-hub has trust store integration for access to global media collection (LP: #1315381, contact: jhodapp, not for RTM): DONE
[jdstrand] ensure e-d-s has trust store integration for global calendar (contact: bfiller, LP: #1227824, not for RTM): DONE
[jdstrand] ensure address-
[jdstrand] adjust click-apparmor to add APP_PKGNAME_DBUS: DONE
[jdstrand] adjust click-apparmor to add APP_APPNAME: DONE
[tyhicks] review trust session and lp:trust-store for pid/APP_
Work items for ubuntu-14.07:
[tyhicks] review location-service use of lp:trust-store: DONE
[seth-arnold] review trust-store implementation: DONE
[jdstrand] add policy group override (blacklist) functionality: DONE
[jdstrand] add push-notificati
[jdstrand] ensure camera-service has trust store/apparmor integration (LP: #1230366, contact: jhodapp): DONE
[jdstrand] ensure online accounts has mir trusted session support (contact: mardy): DONE
[jdstrand] ensure location-service has trust store integration (contact: tvoss, LP: #1219164): DONE
[jdstrand] ensure pulseaudio has trust store integration (LP: #1224756, contact: tvoss): DONE
[pat-mcgowan] ensure friends has trust store integration if friends is needed (LP: #1231737 - not needed): DONE
[jdstrand] adjust click reviewers tools to be self-contained wrt policy and frameworks: DONE
Work items for ubuntu-14.08:
[tyhicks] adjust apparmor to ship /etc/apparmor/
[seth-arnold] review scopes proxy: POSTPONED
[jdstrand] adjust apparmor-
Work items for later:
[sbeattie] click-apparmor should maybe handle better when apparmor is not enabled/available/ (eg, apparmor disabled, parser uninstalled, in lxc, etc): POSTPONED
[jdstrand] add --dbus-path option to apparmor-easyprof: POSTPONED
[jdstrand] adjust click-apparmor to use libclick: POSTPONED
[jdstrand] create a policy group override daemon: POSTPONED
[jdstrand] create a policy group override GUI: POSTPONED
[jdstrand] move hardware/ snippets to lxc-android-config (ie, finish LP: #1197133): POSTPONED
[jdstrand] add policy for InfographicConf
Dependency tree
* Blueprints in grey have been implemented.