On 10/02/2014 01:22 PM, James Henstridge wrote: > I don't know the exact details of the scope Chris ran into this with, > but I am curious about how this ACL is being checked. I do know that > Chris's scopes are Click packaged, so they will be running with an > AppArmor profile name of the form "$packagename_$scopename_$version", > even if that profile is equivalent to "unconfined". Is that going to > pass this ACL check?
Mmm... this is interesting. So, regardless of the contents of the profile, OA will see the app as "$packagename_$scopename_$version", and it will let it access the desired account only if "$packagename_$scopename_*" is present in the account's ACL. > I'd imagine the same issue is going to affect any application that > uses Click packaging too. If you mean to say that any application that uses Click packaging can't just access any account it wishes, that's indeed true. We have an API to request access to an account (and I realize just now that's not listed in developer.ubuntu.com), and that's via the "Setup" element of the "Ubuntu.OnlineAccounts.Client 0.1" QML module. The UI flow is described here: https://wiki.ubuntu.com/OnlineAccounts#App_access Scopes need to call this method as well, if they want to access the account. IIRC, the plan was to have a scope-config tool which would do that on their behalf. (the other option is to go to the Accounts panel in the system settings, click on the desired account and enable the application/scope from there) Ciao, Alberto -- Mailing list: https://launchpad.net/~ubuntu-phone Post to : ubuntu-phone@lists.launchpad.net Unsubscribe : https://launchpad.net/~ubuntu-phone More help : https://help.launchpad.net/ListHelp
