| 2014-04-07 18:59:25 |
Jamie Strandboge |
bug |
|
|
added bug |
| 2014-04-07 19:00:46 |
Jamie Strandboge |
description |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access this files. These policy groups are reserved and not available to normal apps to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
ApStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
apparmor_profile = aa_getcon() # from libapparmor-dev
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, these we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups. |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
apparmor_profile = aa_getcon() # from libapparmor-dev
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, these we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups. |
|
| 2014-04-07 19:03:05 |
Jamie Strandboge |
description |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
apparmor_profile = aa_getcon() # from libapparmor-dev
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, these we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups. |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
apparmor_profile = aa_getcon() # from libapparmor-dev
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, then we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups and make media-hub and mediascanner available to all apps. |
|
| 2014-04-07 19:03:21 |
Jamie Strandboge |
tags |
|
application-confinement |
|
| 2014-04-07 19:03:34 |
Jamie Strandboge |
bug task added |
|
apparmor-easyprof-ubuntu (Ubuntu) |
|
| 2014-04-07 19:04:00 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu): status |
New |
Confirmed |
|
| 2014-04-07 19:04:08 |
Jamie Strandboge |
mediascanner2 (Ubuntu): importance |
Undecided |
High |
|
| 2014-04-07 19:04:14 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu): importance |
Undecided |
High |
|
| 2014-04-07 19:08:40 |
Jamie Strandboge |
description |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
apparmor_profile = aa_getcon() # from libapparmor-dev
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, then we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups and make media-hub and mediascanner available to all apps. |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
apparmor_profile = aa_getcon() # from libapparmor-dev
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global video files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, then we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups and make media-hub and mediascanner available to all apps. |
|
| 2014-04-07 19:16:43 |
Jamie Strandboge |
description |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
apparmor_profile = aa_getcon() # from libapparmor-dev
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global video files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, then we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups and make media-hub and mediascanner available to all apps. |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
# see 'man aa_getcon()' from libapparmor-dev for more info
apparmor_profile = org.freedesktop.DBus.GetConnectionAppArmorSecurityContext()
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global video files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, then we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups and make media-hub and mediascanner available to all apps. |
|
| 2014-04-07 19:18:50 |
Ricardo Salveti |
bug |
|
|
added subscriber Ricardo Salveti |
| 2014-04-07 19:19:43 |
Tyler Hicks |
description |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
# see 'man aa_getcon()' from libapparmor-dev for more info
apparmor_profile = org.freedesktop.DBus.GetConnectionAppArmorSecurityContext()
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global video files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, then we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups and make media-hub and mediascanner available to all apps. |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
# see 'man aa_getcon()' from libapparmor-dev for more info
# conn_name is the unique D-Bus connection name of the application connecting
# to media-hub/mediascanner
apparmor_profile = org.freedesktop.DBus.GetConnectionAppArmorSecurityContext(conn_name)
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global video files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, then we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups and make media-hub and mediascanner available to all apps. |
|
| 2014-04-14 19:51:59 |
Jim Hodapp |
bug task added |
|
media-hub |
|
| 2014-04-14 19:52:09 |
Jim Hodapp |
media-hub: assignee |
|
Jim Hodapp (jhodapp) |
|
| 2014-04-14 19:52:20 |
Jim Hodapp |
media-hub: importance |
Undecided |
High |
|
| 2014-04-14 19:52:28 |
Jim Hodapp |
media-hub: status |
New |
In Progress |
|
| 2014-04-14 19:52:44 |
Jim Hodapp |
mediascanner2 (Ubuntu): status |
New |
Confirmed |
|
| 2014-04-14 20:22:19 |
Jim Hodapp |
bug |
|
|
added subscriber Jim Hodapp |
| 2014-04-15 20:17:49 |
Jim Hodapp |
media-hub: status |
In Progress |
Fix Committed |
|
| 2014-04-30 15:04:31 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/utopic-proposed/apparmor-easyprof-ubuntu |
|
| 2014-04-30 15:39:50 |
Launchpad Janitor |
apparmor-easyprof-ubuntu (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2014-05-01 12:23:51 |
Jim Hodapp |
branch linked |
|
lp:~phablet-team/media-hub/media-hub-condensed |
|
| 2014-05-02 12:42:16 |
Jamie Strandboge |
summary |
please integrate mediascanner2 and media-hub with trust-store |
please integrate mediascanner2 and media-hub with apparmor |
|
| 2014-05-02 13:08:19 |
Jamie Strandboge |
description |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
# see 'man aa_getcon()' from libapparmor-dev for more info
# conn_name is the unique D-Bus connection name of the application connecting
# to media-hub/mediascanner
apparmor_profile = org.freedesktop.DBus.GetConnectionAppArmorSecurityContext(conn_name)
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global video files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, then we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups and make media-hub and mediascanner available to all apps. |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should be able to access their own content (installed or local)
2. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
3. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
4. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
5. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
# see 'man aa_getcon()' from libapparmor-dev for more info
# conn_name is the unique D-Bus connection name of the application connecting
# to media-hub/mediascanner
apparmor_profile = org.freedesktop.DBus.GetConnectionAppArmorSecurityContext(conn_name)
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global video files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
UPDATE: 2014-05-02
media-hub implemented '1' and '2' already (should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file)) and was marked Fix Released. Trust store integration ('3' and '4') is now being tracked in bug #1315381.
mediascanner2 still needs to implement '1' and '2'. The 'audio' and 'video' policy groups will *not* add this access at this time. Instead, apps can use 'read_path' as part of their policy to have access to the mediascanner files. This is workable fir the music app, but will block other apps from inclusion in the app store. |
|
| 2014-05-02 13:12:18 |
Jamie Strandboge |
description |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should be able to access their own content (installed or local)
2. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
3. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
4. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
5. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
# see 'man aa_getcon()' from libapparmor-dev for more info
# conn_name is the unique D-Bus connection name of the application connecting
# to media-hub/mediascanner
apparmor_profile = org.freedesktop.DBus.GetConnectionAppArmorSecurityContext(conn_name)
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global video files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
UPDATE: 2014-05-02
media-hub implemented '1' and '2' already (should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file)) and was marked Fix Released. Trust store integration ('3' and '4') is now being tracked in bug #1315381.
mediascanner2 still needs to implement '1' and '2'. The 'audio' and 'video' policy groups will *not* add this access at this time. Instead, apps can use 'read_path' as part of their policy to have access to the mediascanner files. This is workable fir the music app, but will block other apps from inclusion in the app store. |
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should be able to access their own content (installed or local)
2. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
3. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
4. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
5. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
# see 'man aa_getcon()' from libapparmor-dev for more info
# conn_name is the unique D-Bus connection name of the application connecting
# to media-hub/mediascanner
apparmor_profile = org.freedesktop.DBus.GetConnectionAppArmorSecurityContext(conn_name)
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global video files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
UPDATE: 2014-05-02
media-hub implemented '1' and '2' already (can access its own data, but not other apps' data) and was marked Fix Released. Trust store integration ('3' and '4') is now being tracked in bug #1315381.
mediascanner2 still needs to implement '1' and '2'. The 'audio' and 'video' policy groups will *not* add this access at this time. Instead, apps can use 'read_path' as part of their policy to have access to the mediascanner files. This is workable for the music app, but will block other apps from inclusion in the app store. |
|
| 2014-05-12 07:41:07 |
James Henstridge |
bug task added |
|
thumbnailer |
|
| 2014-06-03 14:50:38 |
Jamie Strandboge |
mediascanner2 (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2014-06-03 14:50:43 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu): status |
Fix Released |
In Progress |
|
| 2014-06-05 13:33:58 |
Jamie Strandboge |
apparmor-easyprof-ubuntu (Ubuntu): assignee |
|
Jamie Strandboge (jdstrand) |
|
| 2014-06-05 15:21:05 |
James Henstridge |
mediascanner2 (Ubuntu): assignee |
|
James Henstridge (jamesh) |
|
| 2014-06-06 15:04:53 |
Launchpad Janitor |
apparmor-easyprof-ubuntu (Ubuntu): status |
In Progress |
Fix Released |
|
| 2015-06-28 00:38:26 |
Michi Henning |
thumbnailer: status |
New |
Fix Committed |
|
| 2015-07-16 23:02:51 |
Michi Henning |
thumbnailer: status |
Fix Committed |
Fix Released |
|
| 2015-11-18 16:08:49 |
Jim Hodapp |
bug task added |
|
media-hub (Ubuntu) |
|
| 2015-11-18 16:09:05 |
Jim Hodapp |
media-hub (Ubuntu): status |
New |
Fix Released |
|
| 2015-11-18 16:09:27 |
Jim Hodapp |
bug task added |
|
media-hub (Ubuntu RTM) |
|
| 2015-11-18 16:09:36 |
Jim Hodapp |
bug task deleted |
media-hub |
|
|
| 2015-11-18 16:09:47 |
Jim Hodapp |
media-hub (Ubuntu RTM): status |
New |
Fix Released |
|
