[MIR] xdg-desktop-portal

Bug #1749672 reported by Jeremy Bícha
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
xdg-desktop-portal (Ubuntu) | Fix Released | High | Unassigned |
Xenial | Fix Released | High | Ken VanDine |
Bionic | Fix Released | High | Ken VanDine |

Bug Description

Availability
============
In sync with Debian.

Built for all supported architectures.

Rationale
=========
Required for snaps.

Security
========
No known security issues, but due to the nature of this package, a security review is probably needed.

https://security-tracker.debian.org/tracker/source-package/xdg-desktop-portal
https://launchpad.net/xdg-desktop-portal/+cve

Quality assurance
=================
- The Desktop Packages bug team is subscribed.

https://bugs.launchpad.net/ubuntu/+source/xdg-desktop-portal
https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=xdg-desktop-portal
https://github.com/flatpak/xdg-desktop-portal/issues

Upstream build tests (new) are run with dh_auto_test (failure would fail the build).

autopkgtests are passing
https://autopkgtest.ubuntu.com/packages/xdg-desktop-portal
https://ci.debian.net/packages/x/xdg-desktop-portal/unstable/amd64/

Dependencies
============
No universe binary dependencies

Standards compliance
====================
4.1.3

debhelper compat 11, dh 7 style simple rules

Maintenance
===========
- Actively developed upstream. Last release was 0.10 yesterday
https://github.com/flatpak/xdg-desktop-portal/commits/master

Well-maintained in Debian by Simon McVittie (Debian's Flatpak maintainer). Team-maintained.
https://salsa.debian.org/debian/xdg-desktop-portal

Background information
======================
xdg-desktop-portal was originally created to allow Flatpak apps to request access outside the sandbox. It's useful technology that can be used by Snap too, which simplifies work for app developers to support both next generation packaging formats. For instance, see https://blogs.gnome.org/alexl/2018/02/14/moving-a-portal/

See also the MIR xdg-desktop-portal-gtk LP: #1750069.

Presumably, we'll want to backport these packages to be snap dependencies in 16.04 LTS (maybe 14.04 LTS too).

Tags: bionic
Jeremy Bícha (jbicha)
tags: added: bionic
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xdg-desktop-portal (Ubuntu):
status: New → Confirmed
Jeremy Bícha (jbicha)
description: updated
Jeremy Bícha (jbicha)
description: updated
Nish Aravamudan (nacc)
Changed in xdg-desktop-portal (Ubuntu):
assignee: nobody → Nish Aravamudan (nacc)
Nish Aravamudan (nacc) wrote :

Security review needed.

Changed in xdg-desktop-portal (Ubuntu):
assignee: Nish Aravamudan (nacc) → Ubuntu Security Team (ubuntu-security)
Nish Aravamudan (nacc) wrote :

This seems fine from a MIR perspective, but needs a security review.

description: updated
Seth Arnold (seth-arnold) wrote :

I reviewed xdg-desktop-portal (0.11-2) as checked into cosmic. This is not
a full security audit but rather a quick gauge of maintainability.

I did not audit the design of the permission caching database, nor the
safety of the DBus interface, nor the FUSE implementation. The review was
strictly to gauge the relative costs of maintaining what is already
written.

- no pre,post inst,rm scripts
- no init scripts
- three user systemd unit files, dbus-activated
- no system dbus services
- no setuid files
- no binaries in PATH
- no sudo fragments
- no udev rules
- tests run during the build, many tests, but I'm unsure of coverage
- no cron jobs
- clean build log

- one instance of spawning a process, to unmount a fuse filesystem; it
  uses g_spawn_sync() with an array for argv
- memory management looked careful
- extensive file IO, including a FUSE interface
  - I'm really skeptical of the path rewriting functionality:
    /newroot /app /usr /etc handling
- logging looked fine
- Uses environment variables: XDG_CURRENT_DESKTOP, GIO_USE_VFS,
  PARENT_WINDOW_ID, XDG_RUNTIME_DIR, XDG_DATA_HOME, XDG_RUNTIME_DIR
- Does not use privileged syscalls
- Does not use cryptography
- DBus is used to reach privileged portions of code
- Does not use webkit
- Temporary file handling re-implements mkstemp() and uses the insecure
  RNG filename generator
- Does not use webkit
- Does not directly use javascript
- Two cppcheck errors, both cppcheck failures
- Does not use polkit

I have to admit I expected far less code for this service than is
here. DBus and FUSE both seem like fairly large surfaces. I expected one
quarter the code and passing file descriptors over unix domain sockets.

The codebase is properly defensive, error returns are consistently
checked, safer interfaces are consistently used over unsafe interfaces,
and the few small things I noticed aren't too unusual for software of this
complexity. It does feel more complex than necessary but I have not myself
tried to implement a similar tool, so perhaps my own mental model is not
yet complete enough.

The few things I found odd:

- allocate_inode_unlocked() if (next <= 0) -- next is unsigned

- xdp_mkstempat() should use a stronger RNG

- main() in document-portal/document-portal.c only does a single fork(),
  skips setsid()

Security team ACK for promoting xdg-desktop-portal to main.

Thanks

Changed in xdg-desktop-portal (Ubuntu):
assignee: Ubuntu Security Team (ubuntu-security) → nobody
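
The review above notes that the temporary file handling re-implements mkstemp() with a weak filename generator and that xdp_mkstempat() should use a stronger RNG. The following is an added example, not code from xdg-desktop-portal or from the reviewer: a hypothetical example_mkstempat() that draws the name from the kernel CSPRNG and creates the file exclusively. It assumes Linux with glibc 2.25 or later for getrandom(); the function name and the sample path are constructed for illustration.

```c
#define _GNU_SOURCE 1  /* expose openat() and O_NOFOLLOW under strict -std= modes */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/random.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not the project's xdp_mkstempat(): fills the trailing
 * "XXXXXX" of tmpl from the kernel CSPRNG and creates the file relative to
 * dir_fd. Returns an open fd, or -1 with errno set. */
int example_mkstempat(int dir_fd, char *tmpl, int flags, mode_t mode)
{
    static const char letters[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    size_t len = strlen(tmpl);

    if (len < 6 || strcmp(tmpl + len - 6, "XXXXXX") != 0) {
        errno = EINVAL;
        return -1;
    }
    char *x = tmpl + len - 6;
    for (int attempt = 0; attempt < 100; attempt++) {
        for (int i = 0; i < 6; ) {
            uint8_t b;
            if (getrandom(&b, 1, 0) != 1)
                return -1;
            if (b < 248)  /* 248 = 4 * 62: dropping the rest avoids modulo bias */
                x[i++] = letters[b % 62];
        }
        /* O_EXCL fails on any existing name; O_NOFOLLOW also rejects a symlink. */
        int fd = openat(dir_fd, tmpl,
                        flags | O_CREAT | O_EXCL | O_NOFOLLOW | O_CLOEXEC, mode);
        if (fd >= 0 || errno != EEXIST)
            return fd;
    }
    errno = EEXIST;
    return -1;
}

int main(void)
{
    char name[] = "/tmp/added-example-XXXXXX";  /* constructed sample path */
    int fd = example_mkstempat(AT_FDCWD, name, O_RDWR, 0600);
    if (fd < 0)
        return 1;
    close(fd);
    return unlink(name) != 0;
}
```

The retry loop only repeats on EEXIST, so a name collision costs another draw while any other failure is reported to the caller unchanged.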
Matthias Klose (doko) wrote :

This needs seeding or a package referencing it.

Changed in xdg-desktop-portal (Ubuntu):
status: Confirmed → Incomplete
Sebastien Bacher (seb128) wrote :

Override component to main
xdg-desktop-portal 1.0.2-1 in cosmic: universe/misc -> main
xdg-desktop-portal 1.0.2-1 in cosmic amd64: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.2-1 in cosmic arm64: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.2-1 in cosmic armhf: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.2-1 in cosmic i386: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.2-1 in cosmic ppc64el: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.2-1 in cosmic s390x: universe/admin/optional/100% -> main
Override [y|N]? y
7 publications overridden.

Changed in xdg-desktop-portal (Ubuntu):
importance: Undecided → High
status: Incomplete → Fix Released
Changed in xdg-desktop-portal (Ubuntu Xenial):
assignee: nobody → Ken VanDine (ken-vandine)
Changed in xdg-desktop-portal (Ubuntu Bionic):
assignee: nobody → Ken VanDine (ken-vandine)
Changed in xdg-desktop-portal (Ubuntu Xenial):
importance: Undecided → High
Changed in xdg-desktop-portal (Ubuntu Bionic):
importance: Undecided → High
Changed in xdg-desktop-portal (Ubuntu Xenial):
status: New → Triaged
Changed in xdg-desktop-portal (Ubuntu Bionic):
status: New → Triaged
Seth Arnold (seth-arnold) wrote :

Security team ACK for promoting xdg-desktop-portal-gtk and xdg-desktop-portal to main for bionic and xenial.

Thanks

Steve Langasek (vorlon) wrote :

Override component to main
xdg-desktop-portal 1.0.3-0ubuntu0.2 in bionic: universe/misc -> main
xdg-desktop-portal 1.0.3-0ubuntu0.2 in bionic amd64: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.3-0ubuntu0.2 in bionic arm64: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.3-0ubuntu0.2 in bionic armhf: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.3-0ubuntu0.2 in bionic i386: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.3-0ubuntu0.2 in bionic ppc64el: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.3-0ubuntu0.2 in bionic s390x: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.2 in bionic amd64: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.2 in bionic arm64: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.2 in bionic armhf: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.2 in bionic i386: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.2 in bionic ppc64el: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.2 in bionic s390x: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.2 in bionic amd64: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.2 in bionic arm64: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.2 in bionic armhf: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.2 in bionic i386: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.2 in bionic ppc64el: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.2 in bionic s390x: universe/admin/optional/100% -> main
19 publications overridden.

Changed in xdg-desktop-portal (Ubuntu Bionic):
status: Triaged → Fix Released
Steve Langasek (vorlon) wrote :

Override component to main
xdg-desktop-portal 1.0.3-0ubuntu0.0 in xenial: universe/admin -> main
xdg-desktop-portal 1.0.3-0ubuntu0.0 in xenial amd64: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.3-0ubuntu0.0 in xenial arm64: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.3-0ubuntu0.0 in xenial armhf: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.3-0ubuntu0.0 in xenial i386: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.3-0ubuntu0.0 in xenial powerpc: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.3-0ubuntu0.0 in xenial ppc64el: universe/admin/optional/100% -> main
xdg-desktop-portal 1.0.3-0ubuntu0.0 in xenial s390x: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.0 in xenial amd64: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.0 in xenial arm64: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.0 in xenial armhf: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.0 in xenial i386: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.0 in xenial powerpc: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.0 in xenial ppc64el: universe/admin/optional/100% -> main
xdg-desktop-portal-dev 1.0.3-0ubuntu0.0 in xenial s390x: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.0 in xenial amd64: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.0 in xenial arm64: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.0 in xenial armhf: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.0 in xenial i386: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.0 in xenial powerpc: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.0 in xenial ppc64el: universe/admin/optional/100% -> main
xdg-desktop-portal-tests 1.0.3-0ubuntu0.0 in xenial s390x: universe/admin/optional/100% -> main
22 publications overridden.

Changed in xdg-desktop-portal (Ubuntu Xenial):
status: Triaged → Fix Released