please support versionless APP_ID caching/precaching

Bug #1356343 reported by Jamie Strandboge
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| trust-store | Fix Released | Undecided | Thomas Voß | |
| trust-store (Ubuntu) | Fix Released | Critical | Thomas Voß | |

Bug Description

The trust-store currently caches the full APP_ID. For most trusted helpers this will likely result in too many prompts (e.g., an app that is frequently updated will require users to answer questions they previously answered). In addition to a less than ideal user experience, it also desensitizes the user wrt the prompting. We should strive to prompt just enough and at the right time.

Per the security team, trust-store should by default use versionless caching, with the option to use the version for those trusted helpers that may need it. As such, if the APP_ID is '<pkgname>_<appname>_<version>', then by default the user should be prompted for '<pkgname>_<appname>', and this is the value that should be cached. Precaching should also support this. It should be easy for a trusted helper to opt into using a version if that is needed.

Note: versionless caching does mean that an earlier version of an app might have one set of permissions and then a later version might have expanded permissions which could somehow expose the now cached access to information. Users aren't expected to review app security policy though and as such, prompting on version doesn't actually solve this. Users sensitive to this issue are in a position to revoke trust-store permissions and to apply policy group overrides. If it is determined that versionless caching with expanding future permissions is a real concern, the trust-store can be adjusted to cache the click security policy from /var/lib/apparmor/clicks of the connecting app as well, and only reprompt if it changes.

Tags: rtm14
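
A minimal sketch of the caching rule requested in the description above, as an added example that is not trust-store's own code: `cache_key`, `AnswerCache` and `Decision` are hypothetical names, and it assumes an APP_ID has exactly three non-empty '_'-separated fields. IDs that do not match are never cached, so they always prompt.

```cpp
// Added example, not trust-store code; every name here is hypothetical.
#include <map>
#include <string>

enum class Decision { prompt, granted, denied };

// Derive the cache key from an APP_ID assumed to have exactly three
// non-empty '_'-separated fields: <pkgname>_<appname>_<version>.
// Returns "" for anything else, so a malformed ID is never cached.
std::string cache_key(const std::string& app_id, bool keep_version = false) {
    const std::string::size_type first = app_id.find('_');
    const std::string::size_type last = app_id.rfind('_');
    if (first == std::string::npos || first == last) return "";  // fewer than 3 fields
    if (app_id.find('_', first + 1) != last) return "";          // more than 3 fields
    if (first == 0 || last == first + 1 || last + 1 == app_id.size())
        return "";                                               // an empty field
    return keep_version ? app_id : app_id.substr(0, last);
}

// Answer cache of one trusted helper: versionless unless it opts in.
class AnswerCache {
public:
    explicit AnswerCache(bool keep_version = false) : keep_version_(keep_version) {}

    // Store a user's answer; the same call serves precaching.
    bool remember(const std::string& app_id, Decision d) {
        const std::string key = cache_key(app_id, keep_version_);
        if (key.empty() || d == Decision::prompt) return false;
        answers_[key] = d;
        return true;
    }

    // Decision::prompt means there is no cached answer: ask the user.
    Decision lookup(const std::string& app_id) const {
        const auto it = answers_.find(cache_key(app_id, keep_version_));
        return it == answers_.end() ? Decision::prompt : it->second;
    }

private:
    bool keep_version_;
    std::map<std::string, Decision> answers_;
};
```

With the default constructor, an answer stored for one version is returned for every later version of the same app; `AnswerCache(true)` restores per-version prompting for a helper that needs it.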

tags: added: rtm14
Changed in trust-store (Ubuntu):
importance: Undecided → Critical
Changed in trust-store:
assignee: nobody → Thomas Voß (thomas-voss)
Changed in trust-store (Ubuntu):
assignee: nobody → Thomas Voß (thomas-voss)
status: New → In Progress
Changed in trust-store:
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package trust-store - 1.0.0+14.10.20140826.1-0ubuntu1

---------------
trust-store (1.0.0+14.10.20140826.1-0ubuntu1) utopic; urgency=low

  [ Ubuntu daily release ]
  * debian/libtrust-store1.symbols: auto-update to released version

  [ thomas-voss ]
  * Add an agent implementation that strips off version information, and
    leaves other information intact. (LP: #1356343)
 -- Ubuntu daily release <email address hidden> Tue, 26 Aug 2014 15:11:18 +0000

Changed in trust-store (Ubuntu):
status: In Progress → Fix Released
Changed in trust-store:
status: In Progress → Fix Released