AppArmor is too restrictive for sysinfo apps
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apparmor-easyprof-ubuntu |
New
|
Undecided
|
Unassigned |
Bug Description
Sysinfo apps like AIDA64 needs strictly read-only access to many components of the system, and many underlying files on the filesystem to provide detailed hardware information. The following information cannot be provided right now on Ubuntu Touch OS based mobile devices due to the AppArmor confinement being defined as too strict/restrictive:
- battery details
- temperature measurements
- CPU clock measurement on a per-core basis
- proper OS type+version detection, including OTA release detection
In order to perform those tasks, sysinfo apps would need to have such features implemented as a Qt5 QML class, a Ubuntu-specific QML class, or have access to such facilities via dbus or directly via reading system files managed by the Linux kernel or platform drivers. I'd like to stress the fact that all that access would be strictly read-only, and that in my opinion none of detection methods would jeopardize either system stability, system security or user security in any ways.
I propose the following ways to fix this issue:
1) Let apps freely access the underlying system files that can be used to perform those detections by adding read-only access to the base AppArmor profile. Those files would be:
/sys/class/
/sys/class/
/sys/class/hwmon/* (including subdirectories)
/sys/devices/
/etc/os-release
/etc/media-info
/etc/system-
2) Define a new AppArmor permission named "sysinfo", and let apps use that permission to indicate the need to perform hardware and software detection. Using the new permission apps could read the files I've listed in #1, and maybe even more files that are deemed related to system diagnostics and hardware detection. I can provide an extended list to cover other details like GPU utilization, GPU clock measurement, etc.
3) Convince Qt to port QtMobility to extend the existing QSysInfo QML class with mobile device related detection capabilities.
4) Develop your own Ubuntu QML class, named e.g. Ubuntu.SysInfo to let apps perform those tasks via standard methods, without the need to access system files directly. Could be combined with a new "sysinfo" AppArmor permission.
5) Let apps access dbus methods that can be used to perform similar tasks, for example com.canonical.
Related bug:
https:/
affects: | apparmor → apparmor-easyprof-ubuntu |
One more related bug:
https:/ /bugs.launchpad .net/ubuntu/ +source/ apparmor- easyprof- ubuntu/ +bug/1523483