media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access this files. These policy groups are reserved and not available to normal apps to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
ApStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
apparmor_profile = aa_getcon() # from libapparmor-dev
pkgname = apparmor_profile.split('_')[0]
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/share/$pkgname/... or playback_file in ~/.cache/$pkgname/..: # apps can access their own files
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, these we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups.
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access this files. These policy groups are reserved and not available to normal apps to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
ApStore apps:
1. should not be able to access, play or otherwise enumerate other apps' media (ie, app 'foo' should not be able to play the facebook app's sound file
2. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
3. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
4. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
apparmor_profile = aa_getcon() # from libapparmor-dev profile. split(' _')[0] share/$ pkgname/ ... or playback_file in ~/.cache/ $pkgname/ ..: # apps can access their own files
pkgname = apparmor_
if apparmor_profile == unconfined: # unconfined apps can access all the files
allow access
elif playback_file in ~/.local/
allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
allow access
elif playback_file in ~/Music:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Music
allow access
else:
deny access
elif playback_file in ~/Videos:
answer = prompt user for access to global music files
if $answer == yes
update trust store for $pkgname can enumerate/play ~/Videos
allow access
else:
deny access
else:
deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/ mediascanner directly).
Until this is added, I will temporarily add access to the reserved policy groups for access to the media-hub DBus API and mediascanner files so that the music-app can run confined but with reserved policy groups. Once the media-hub and mediascanner are implemented with the trust store, these we can add the mediascanner and media-hub DBus APIs to the audio and video common policy groups.