2013-08-20 22:07:35 |
Jamie Strandboge |
description |
After talking with people on #ubuntu-touch and that their click packages that were created by qtcreator did not work correctly, I examined the manifest noticed that qtcreator is creating the old format of the click manifest which is incompatible with click hooks as defined in click 0.2 and later. This can clearly be see in the Packaging tab of qtcreator, and clicking 'Advanced'. The format is documented here:
http://bazaar.launchpad.net/~click-hackers/click/trunk/view/head:/doc/hooks.rst
https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement/Manifest#Click
Specifically, the 'security' section has been removed. In its place is the 'hooks' security with entries for each application shipped by the app and 'apparmor' and 'desktop' hooks specified under it. The apparmor hook specifies a file relative to the toplevel of the package that contains the security manifest json (which is formatted differently than what is currently in qtcreator). What needs to happen is that the security click manifest moved to a new file and that the click manifest needs to reference it. |
After talking with people on #ubuntu-touch and that their click packages that were created by qtcreator did not work correctly, I examined the manifest noticed that qtcreator is creating the old format of the click manifest which is incompatible with click hooks as defined in click 0.2 and later. This can clearly be see in the Packaging tab of qtcreator, and clicking 'Advanced'. The format is documented here:
http://bazaar.launchpad.net/~click-hackers/click/trunk/view/head:/doc/hooks.rst
https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement/Manifest#Click
Specifically, the 'security' section has been removed. In its place is the 'hooks' security with entries for each application shipped by the app and 'apparmor' and 'desktop' hooks specified under it. The apparmor hook specifies a file relative to the toplevel of the package that contains the security manifest json (which is formatted differently than what is currently in qtcreator). What needs to happen is that the security click manifest moved to a new file and that the click manifest needs to reference it.
For example, if I create an app called 'lp1214623-test-app', this is the current incorrect manifest:
{
...
"name": "com.ubuntu.developer.jdstrand.lp1214623-test-app",
"security": {
"profiles": {
"lp1214623-test-app": {
"policy_groups": [
"networking"
],
"policy_version": 1
}
}
},
"version": "0.1"
}
A corrected manifest would be:
{
...
"name": "com.ubuntu.developer.jdstrand.lp1214623-test-app",
"hooks": {
"lp1214623-test-app": {
"apparmor": "apparmor/lp1214623-test-app.json",
"desktop": "lp1214623-test-app.desktop"
}
},
"version": "0.1"
}
The "desktop" hook should reference the desktop file associated with the "lp1214623-test-app" application relative to the toplevel of the package (qtcreator does this already).
The "apparmor" hook should reference the json security manifest associated with the "lp1214623-test-app" application relative to the toplevel of the package. Before, the security manifest was included in the click manifest, but this was changed to be consistent with other hooks and therefore a new file must be created. Eg, qtcreator should create apparmor/lp1214623-test-app.json with the following contents:
{
"policy_groups": [
"networking"
],
"policy_version": 1.0
}
This means that the Packaging tab will need to accommodate at least two files: the click manifest and the security manifest. Also note that while I suggest putting the security manifest in the apparmor directory, it doesn't have to be. Eg, you could put it in "lp1214623-test-app.security" if desired and adjust the click manifest to have:
{
...
"hooks": {
"lp1214623-test-app": {
"apparmor": "lp1214623-test-app.security",
...
}
When fixing this bug, you will likely want to fix bug #1214618 at the same time (apparmor policy_version is incorrectly set). |
|