On 2014-11-13 02:08 PM, Jamie Strandboge wrote:
> On 11/13/2014 12:32 PM, Marc Deslauriers wrote:
>> On 2014-11-13 12:08 PM, Jamie Strandboge wrote:
>>> On 11/13/2014 08:25 AM, Marc Deslauriers wrote:
>>>> On 2014-11-12 11:58 AM, Jamie Strandboge wrote:
>>>>> Pulling into CC various stakeholders.
>>>>>
>>>>> On 11/12/2014 09:47 AM, Florian Boucault wrote:
>>>
>>> ...
>>>
>>>>>> The camera and the gallery app today are authorized to read/write in
>>>>>> /home/$USER/Pictures and /home/$USER/Videos.
>>>>>> Soon they will also need to be able to read/write in the similar
>>>>>> directories of the SD card, for example:
>>>>>> - /media/phablet/064a-7494/Pictures
>>>>>> - /media/phablet/064a-7494/Videos
>>>
>>> ...
>>>
>>>>> We can then do something similar for apps. Eg, the predictable hierarchy
>>>>> for apps might be:
>>>>> /media/$USER/$SDCARD_ID/.cache/$APP_PKGNAME
>>>>> /media/$USER/$SDCARD_ID/.config/$APP_PKGNAME
>>>>> /media/$USER/$SDCARD_ID/.local/share/$APP_PKGNAME
>>>>>
>>>>> such that the AppArmor templates add:
>>>>> owner /media/*/*/.cache/@{APP_PKGNAME}/ rw,
>>>>> owner /media/*/*/.cache/@{APP_PKGNAME}/** mrwkl,
>>>>> owner /media/*/*/.config/@{APP_PKGNAME}/ rw,
>>>>> owner /media/*/*/.config/@{APP_PKGNAME}/** mrwkl,
>>>>> owner /media/*/*/.local/share/@{APP_PKGNAME}/ rw,
>>>>> owner /media/*/*/.local/share/@{APP_PKGNAME}/** mrwklix,
>>>>
>>>> This is problematic. As you mention later on, sdcards mostly use vfat,
>>>> which means file names are case insensitive. This opens up a lot of issues
>>>> when trying to confine apps to specific directories, and also creates
>>>> issues with data loss if the system isn't designed to cope well.
>>>>
>>>> If we want app-specific directories on the sdcard, we will likely have to
>>>> require the card be formatted with a better filesystem, or we should punt
>>>> on this for now.
>>>>
>>>
>>> Ah yes, I forgot about the case-insensitive names. I also agree this is
>>> problematic.
>>> With the global directories, we should therefore do:
>>>
>>> # SD card: /media/<user>/<label>/...
>>> owner /media/*/*/[Pp][Ii][Cc][Tt][Uu][Rr][Ee][Ss]/ r,
>>> owner /media/*/*/[Pp][Ii][Cc][Tt][Uu][Rr][Ee][Ss]/** rwk,
>>>
>>> That is easy enough.
>>
>> We don't really need to do that, apps simply need to access the directory
>> using "Pictures" and not any other combination of case.
>>
>>>
>>>
>>> Apps are hard though-- click-apparmor could be adjusted to instead of:
>>> @{APP_APPNAME}="bar"
>>> @{APP_PKGNAME}="com.ubuntu.developer.user.foo"
>>>
>>> do:
>>> @{APP_APPNAME}="[Bb][Aa][Rr]"
>>> @{APP_PKGNAME}="[Cc][Oo][Mm].[Uu][Bb][Uu][Nn][Tt][Uu].[Dd][Ee][Vv][Ee][Ll][Oo][Pp][Ee][Rr].[Uu][Ss][Ee][Rr].[Ff][Oo][Oo]"
>>>
>>> but yikes, I don't like that; plus I agree with your other points about what
>>> happens when the card is pulled out. App-specific directories need more
>>> thought and planning.
>>>
>>
>> Doing that doesn't eliminate the possibility of developers deliberately
>> registering apps with the same name, but with different case combinations,
>> either to steal another app's data, or to share data amongst two apps from
>> the same developer.
>>
>> We would need to enforce case-insensitive uniqueness checks all over the
>> place to prevent that sort of thing, and I think it's likely to be more
>> trouble than it's worth for now.
>>
>
> Do note, I didn't really like the above. That said, the AppStore could enforce
> this quite easily if it isn't already.
>
Oh, the other thing I forgot is fat filesystems transparently support short
filenames too, so longfilename.txt may also be accessible as longfi~1.txt. I'd
have to think about the impact this may have with file path based permissions.

Marc.

-- 
Mailing list: https://launchpad.net/~ubuntu-phone
Post to     : ubuntu-phone@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ubuntu-phone
More help   : https://help.launchpad.net/ListHelp
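A small check of the rule behaviour discussed in this thread, added here as an illustration and not code from the thread or from click-apparmor. It translates the `*`, `**` and `[Pp]` forms used in the rules above into a regex (a simplified approximation of AppArmor's path matcher, an assumption), builds the `[Pp][Ii]...` spelling Jamie proposed, and shows that the exact-case rule leaves the upper-case spelling of the same vfat directory uncovered, that the case-insensitive form closes that gap, and that neither form covers the 8.3 short-name alias Marc raises (the sample paths are constructed).

```python
import re


def apparmor_glob_to_regex(rule_path):
    """Translate the subset of AppArmor path globbing used in the thread.
    Simplified approximation (assumption): '*' matches any run of characters
    except '/', '**' matches any run including '/', '[...]' is a character class."""
    out, i = [], 0
    while i < len(rule_path):
        if rule_path.startswith("**", i):
            out.append(".*"); i += 2
        elif rule_path[i] == "*":
            out.append("[^/]*"); i += 1
        elif rule_path[i] == "[":
            j = rule_path.index("]", i)
            out.append(rule_path[i:j + 1]); i = j + 1
        else:
            out.append(re.escape(rule_path[i])); i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_matches(rule_path, path):
    """True if the AppArmor path pattern covers the given absolute path."""
    return apparmor_glob_to_regex(rule_path).match(path) is not None


def case_insensitive_glob(name):
    """Build the [Pp][Ii][Cc]... spelling proposed in the thread for a
    directory or package name; non-letters (e.g. '.') are left as literals."""
    return "".join(f"[{c.upper()}{c.lower()}]" if c.isalpha() else c for c in name)


# Constructed sample paths: the same vfat directory reached three ways.
CANONICAL = "/media/phablet/064a-7494/Pictures/img.jpg"
UPPERCASE = "/media/phablet/064a-7494/PICTURES/img.jpg"
SHORTNAME = "/media/phablet/064a-7494/PICTUR~1/img.jpg"  # 8.3 alias, constructed

EXACT_RULE = "/media/*/*/Pictures/**"
CI_RULE = "/media/*/*/" + case_insensitive_glob("Pictures") + "/**"


def coverage(rule_path):
    """Map each sample spelling of the directory to whether the rule permits it."""
    return {p: rule_matches(rule_path, p) for p in (CANONICAL, UPPERCASE, SHORTNAME)}


if __name__ == "__main__":
    for label, rule in (("exact-case", EXACT_RULE), ("case-insensitive", CI_RULE)):
        print(label, rule)
        for p, ok in coverage(rule).items():
            print("  ", "allow" if ok else "deny ", p)
```

The short-name alias stays uncovered by both rules, which is exactly the gap a path-based policy cannot close on its own; it has to be handled at the filesystem or mount level.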