[MIR] ubuntu-advantage-desktop-daemon

I'm going to add the package to the MIR queue review at this point, the testplan wiki should be added in the next days as well as the improved systemd security

This was co-reviewed by @joalif and myself.

Review for Package: src:ubuntu-advantage-desktop-daemon

[Summary]
ubuntu-advantage-desktop-daemon is a rather small, new daemon that is providing
a DBus API for desktop application to talk with the UA client. The daemon is
run as a systemd service (as root), but it applies several isolation techniques
to lock the attack surface down to a minimum.

MIR team ACK under the constraint to resolve the below listed required
TODOs and as much as possible having a look at the recommended TODOs.

This does not need a security review.

List of specific binary packages to be promoted to main: ubuntu-advantage-desktop-daemon
Specific binary packages built, but NOT to be promoted to main: <none>

Notes:
Does not need a security review as the only red flag (root-daemon) is arleady
being mitigated in the systemd service.

Required TODOs:
- The package is installing a binary in
  /usr/lib/x86_64-linux-gnu/ubuntu-advantage-desktop-daemon
  Please let us know if there is any good reason for choosing this location or
  install the file at /usr/libexec instead.

Recommended TODOs:
- The package should get a team bug subscriber before being promoted
- Try further locking down the systemd service (root daemon), e.g. by running it
  under its own (dynamic) user/group: https://0pointer.net/blog/dynamic-users-with-systemd.html

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - checked with check-mir
  - not listed in seeded-in-ubuntu
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
   more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- no static linking
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
- No vendoring used, all Built-Using are in main

Problems: None

[Security]
OK:
- history of CVEs does not look concerning (the package is pretty new, though,
  first published in Dec, 2021)
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats
- does not open a port/socket
- does not process arbitrary web content
- does not integrate arbitrary javascript into the desktop
- does not deal with system authentication (eg, pam), etc)
- does not deal with security attestation (secure boot, tpm, signatures)

Problems:
- uses centralized online accounts, but that's the intended purpose of UA
- does run a daemon as root, but uses systemd security features to confine it
  I wonder if that could be further confined by making it run in its own
  (dynamic) user and group.
  c.f. https://www.freedesktop.org/software/systemd/man/systemd.exec.html#User/Group%20Identity

[Common blockers]
OK:
- does not FTBFS currently
- does have a test suite that runs at build time
  - test suite fails will fail the build upon error.
- does not have test suite that runs as autopkgtest, but manual test plan is ...

> Please let us know if there is any good reason for choosing this location or install the file at /usr/libexec instead.

We don't specify the location, it's coming from debhelper and the default for the compat level we are using, which we are using as stated in the description to be able to backport the package to older series without modifications.

If you consider it important to use libexecdir we could add a delta between series to update the compat or change the default

Indeed, I can confirm that building with debhelper compat >= 12 would install the "ubuntu-advantage-desktop-daemon" binary in the correct /usr/libexec directory. So this is a fair tradeoff with good reason (backwards compatibility without introducing a delta). Therefore I'll downgrade this "Required TODO" to a "Recommended TODO".

=> Mir team ACK.

As discussed out-of-band, we should still consider using something like "--libexecdir=/usr/libexec" in debian/rules to install that binary to /usr/libexec in a backwards compatible way, while adhering to Standards-Version: 4.1.5, as being used by this package.

N: Debian adopted the Filesystem Hierarchy Specification (FHS) version 3.0
N: starting with our policy revision 4.1.5. The FHS 3.0 describes
N: /usr/libexec. Please use that location for executables.

Libexec changed in https://bugs.launchpad.net/ubuntu/+source/ubuntu-advantage-desktop-daemon/1.6

I'm setting it to fix commited now

Override component to main
ubuntu-advantage-desktop-daemon 1.6 in jammy amd64: universe/misc/optional/100% -> main
ubuntu-advantage-desktop-daemon 1.6 in jammy arm64: universe/misc/optional/100% -> main
ubuntu-advantage-desktop-daemon 1.6 in jammy armhf: universe/misc/optional/100% -> main
ubuntu-advantage-desktop-daemon 1.6 in jammy ppc64el: universe/misc/optional/100% -> main
ubuntu-advantage-desktop-daemon 1.6 in jammy riscv64: universe/misc/optional/100% -> main
ubuntu-advantage-desktop-daemon 1.6 in jammy s390x: universe/misc/optional/100% -> main
6 publications overridden.

The source package was not promoted. Doing so now:
Override component to main
ubuntu-advantage-desktop-daemon 1.6 in jammy: universe/misc -> main
Override [y|N]? y
1 publication overridden.

And just as a FYI, we added an issue on github about investigating the suggestion to user another user in the system service

https://github.com/canonical/ubuntu-advantage-desktop-daemon/issues/13