'unconfined' should be precached for trusted helpers
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
location-service (Ubuntu) | Invalid | Critical | Unassigned |
trust-store (Ubuntu) | Fix Released | Undecided | Unassigned |
ubuntu-system-settings (Ubuntu) | Invalid | Critical | Unassigned |
Bug Description
We should not prompt the user for unconfined or allow the user to adjust entries for 'unconfined' processes in System Settings since this might break things in unexpected ways. Marking as Critical and for rtm14 because this is user facing, confusing to have a blank entry, can lead to unexpected behavior, and because it should be easy to precache this.
Steps to reproduce (this resets the location trust-store db):
1. $ stop ubuntu-
2. mv ~/.local/
3. $ start ubuntu-
4. launch webbrowser-app (it is unconfined)
5. navigate to maps.google.com. it will prompt to access location (browser prompt). Say yes
At this point I am presented with a trust session prompt:
"unconfined
An unconfined application wants to access your current location.
Deny
Allow"
6. tap 'Allow'
This adds the following to the trust store:
3|unconfined|
location service shouldn't be prompting for this for the reasons outlined above. Adding location-service task.
This will likely affect camera and mic in 'Other app access'.
Related branches
- Jamie Strandboge: Approve
- Alberto Aguirre (community): Approve
- PS Jenkins bot: Approve (continuous-integration)
- Pete Woods (community): Approve
Diff: 331 lines (+247/-1), 7 files modified
debian/libtrust-store1.symbols (+7/-0)
src/CMakeLists.txt (+2/-0)
src/core/trust/daemon.cpp (+5/-1)
src/core/trust/white_listing_agent.cpp (+47/-0)
src/core/trust/white_listing_agent.h (+52/-0)
tests/CMakeLists.txt (+19/-0)
tests/white_listing_agent_test.cpp (+115/-0)
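The file list above shows the fix adding a white-listing agent to trust-store. As an added example (not the project's code; every type and function name below is hypothetical), this shows the pattern the bug asks for: an agent wrapper that grants requests from 'unconfined' without prompting and forwards everything else to the prompting agent. It assumes the application id is the AppArmor label resolved by the service itself.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <string>
#include <utility>

// Hypothetical types for illustration; these are not the trust-store API.
enum class Answer { denied, granted };
struct Request {
    std::string app_id;  // assumed: AppArmor label resolved by the service, never app-supplied
    unsigned feature;    // service-specific feature id
};

struct Agent {
    virtual ~Agent() = default;
    virtual Answer authenticate(const Request& r) = 0;
};

// Stand-in for the agent that shows the trust prompt; counts prompts shown.
struct PromptingAgent : Agent {
    int prompts = 0;
    Answer user_choice = Answer::denied;
    Answer authenticate(const Request&) override { ++prompts; return user_choice; }
};

// Decorator: matching requests are granted with no prompt; the rest are forwarded.
class WhiteListingAgent : public Agent {
public:
    using Predicate = std::function<bool(const Request&)>;
    WhiteListingAgent(Predicate p, std::shared_ptr<Agent> next)
        : allowed_(std::move(p)), next_(std::move(next)) {}
    Answer authenticate(const Request& r) override {
        return allowed_(r) ? Answer::granted : next_->authenticate(r);
    }
private:
    Predicate allowed_;
    std::shared_ptr<Agent> next_;
};

// Exact match only: a prefix or substring test would also whitelist
// confined apps whose id merely contains the word "unconfined".
bool is_unconfined(const Request& r) { return r.app_id == "unconfined"; }

int main() {
    auto prompt = std::make_shared<PromptingAgent>();
    WhiteListingAgent agent(is_unconfined, prompt);
    agent.authenticate({"unconfined", 0});                 // granted, no prompt
    agent.authenticate({"com.example.maps_maps_1.0", 0});  // constructed id, prompts
    std::cout << "prompts shown: " << prompt->prompts << "\n";
}
```

Because the whitelisted path returns before the wrapped agent runs, nothing is prompted for 'unconfined' in this model, while confined apps still go through the normal prompt.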
Changed in ubuntu-system-settings (Ubuntu):
importance: Undecided → Critical
tags: added: rtm14
description: updated
description: updated
summary:
- 'unconfined' should not be listed under 'Location access' (or 'Other app access')
+ 'unconfined' should be precached and not listed under 'Location access' (or 'Other app access')
affects: trust-store (Ubuntu) → location-service (Ubuntu)
description: updated
description: updated
description: updated
description: updated
Changed in ubuntu-system-settings (Ubuntu):
assignee: David Barth (dbarth) → nobody
tags: added: touch-2010-10-23, removed: touch-2010-10-09
Changed in location-service (Ubuntu):
status: Confirmed → Invalid
$ sqlite3 ~/.local/share/UbuntuLocationService/trust.db
sqlite> select * from requests;
1|me.yohanboniface.osmtouch_OSMTouch_0.1.3|0|1407594143985062864|1
2|fi.cloudsystems.timppa.googlemaps_googleMaps_0.7.2|0|1407594284243997688|1
3|com.ubuntu.camera_camera_3.0.0.347|0|1407762755913505092|1
4|unconfined|0|1407773425648433663|1
5|webbrowser-app|0|1407953353319275412|1
6|fi.cloudsystems.timppa.googlemaps_googleMaps_0.7.2|0|1410614256964689451|0
7|fi.cloudsystems.timppa.googlemaps_googleMaps|0|1410614280151138404|1
8|com.ubuntu.developer.frecelto.heremaps_example|0|1410614316898155033|1
9|webbrowser-app|0|1410614369892600319|0
10|me.yohanboniface.osmtouch_OSMTouch_0.1.3|0|1410614370453320599|0
11|com.ubuntu.camera_camera_3.0.0.347|0|1410614372739327014|0
12|me.yohanboniface.sensorsstatus_SensorsStatus|0|1410614854678927136|0
13|me.yohanboniface.sensorsstatus_SensorsStatus|0|1410614893678194642|1
14|com.ubuntu.camera_camera|0|1410836436824164955|1
15|me.yohanboniface.osmtouch_OSMTouch|0|1410837518970472846|1
16|com.popey.forecast_forecast|0|1411317182811928554|1
17|fi.cloudsystems.timppa.googlemaps_googleMaps|0|1411680736314580089|0
18|fi.cloudsystems.timppa.googlemaps_googleMaps|0|1411680737063580547|1
19|fi.cloudsystems.timppa.googlemaps_googleMaps_0.7.2|0|1411680737830679586|1
20|fi.cloudsystems.timppa.googlemaps_googleMaps_0.7.2|0|1411680738672339895|0
21|me.yohanboniface.osmtouch_OSMTouch_0.1.3|0|1411680805495871093|1