Confined scopes are using the wrong path for the writable directory

Hmmm... com.ubuntu.scopes.youtube_youtube

How does this scope_id get into the run time in the first place?

The scope ID is *correctly* determined in the usual way from the scope ini file. So in the case of youtube:

com.ubuntu.scopes.youtube_youtube.ini

It comes from the:

com.ubuntu.scopes.youtube

click package. And has a scope hook named "youtube" inside.

For confined scopes like this, we want each of the scopes in a single package to share the same writable directory. So youtube is given write access to:

$HOME/.local/share/unity-scopes/leaf-net/com.ubuntu.scopes.youtube

i.e. *without* the last youtube part.

It makes sense to me to have two separate concepts in the scope metadata. One for the scope ID, and another for the cache ID. This way the scope runtime can set both of them up-front when it knows something is a click package, by simply splitting on the first underscore. And for regular, unconfined, scopes we can just set the cache ID and the scope ID to be the same.

Comments? Thoughts?

On a related note. We also get this warning:

apparmor="DENIED" operation="mkdir" profile="com.ubuntu.scopes.youtube_youtube_1.0.8" name="/run/user/32011/scopes/leaf-net/" pid=22090 comm="scoperunner" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

I think the runtime should probably not be trying to create this while inside confinement, as it will always fail. Can we do an additional check, and only try and create this dirs if they don't already exist?

> On a related note. We also get this warning:

There a branch to avoid the noise here:

https://code.launchpad.net/~michihenning/unity-scopes-api/test-before-mkdir/+merge/231110

>The scope ID is *correctly* determined in the usual way from the scope ini file. So in the case of youtube:
>
> com.ubuntu.scopes.youtube_youtube.ini

Well, by definition, the ID of the scope is com.ubuntu.scopes.youtube_youtube, because the name of the ini file *is* the ID of the scope.

> For confined scopes like this, we want each of the scopes in a single package to share the same writable directory. So youtube is given write access to:
>
> $HOME/.local/share/unity-scopes/leaf-net/com.ubuntu.scopes.youtube
>
> i.e. *without* the last youtube part.

As far as I know, the Apparmor profile will grant access only to .../leaf-net/<scope_id>. So, even if we were to change the path to the data dir in the run time, the scope would still be denied access, no?

> It makes sense to me to have two separate concepts in the scope metadata. One for the scope ID, and another for the cache ID. This way the scope runtime can set both of them up-front when it knows something is a click package, by simply splitting on the first underscore. And for regular, unconfined, scopes we can just set the cache ID and the scope ID to be the same.

Splitting off on the last underscore sounds a bit hacky to me. But, even if we add separate config items or the like, I'm not sure this would help.

In effect, we have an app, and we have a scope, each of which is meant to be confined (and they *are* confined correctly at the moment). Now, it seems we have a requirement that an app and a scope need to share a common directory that is writeable to either?

I've linked a branch to fix this. Pete, can you please check the logic? The code now adjusts the cache dir name by stripping off everything from the first underscore in the scope ID. E.g. "abc.def.ghi_ghi_123" becomes "abc.def.ghi".

Please see the comments on the MR.

Fix committed into lp:unity-scopes-api/devel at revision None, scheduled for release in unity-scopes-api, milestone Unknown