On 11/13/2014 12:32 PM, Marc Deslauriers wrote:
> On 2014-11-13 12:08 PM, Jamie Strandboge wrote:
>> On 11/13/2014 08:25 AM, Marc Deslauriers wrote:
>>> On 2014-11-12 11:58 AM, Jamie Strandboge wrote:
>>>> Pulling into CC various stakeholders.
>>>>
>>>> On 11/12/2014 09:47 AM, Florian Boucault wrote:
>>
>> ...
>>
>>>>> The camera and the gallery app today are authorized to read/write in
>>>>> /home/$USER/Pictures and /home/$USER/Videos.
>>>>> Soon they will also need to be able to read/write in the similar
>>>>> directories of the SD card, for example:
>>>>> - /media/phablet/064a-7494/Pictures
>>>>> - /media/phablet/064a-7494/Videos
>>
>> ...
>>
>>>> We can then do something similar for apps. Eg, the predictable hierarchy
>>>> for apps might be:
>>>> /media/$USER/$SDCARD_ID/.cache/$APP_PKGNAME
>>>> /media/$USER/$SDCARD_ID/.config/$APP_PKGNAME
>>>> /media/$USER/$SDCARD_ID/.local/share/$APP_PKGNAME
>>>>
>>>> such that the AppArmor templates add:
>>>> owner /media/*/*/.cache/@{APP_PKGNAME}/ rw,
>>>> owner /media/*/*/.cache/@{APP_PKGNAME}/** mrwkl,
>>>> owner /media/*/*/.config/@{APP_PKGNAME}/ rw,
>>>> owner /media/*/*/.config/@{APP_PKGNAME}/** mrwkl,
>>>> owner /media/*/*/.local/share/@{APP_PKGNAME}/ rw,
>>>> owner /media/*/*/.local/share/@{APP_PKGNAME}/** mrwklix,
>>>
>>> This is problematic. As you mention later on, sdcards mostly use vfat, which
>>> means file names are case insensitive. This opens up a lot of issues when
>>> trying to confine apps to specific directories, and also creates issues with
>>> data loss if the system isn't designed to cope well.
>>>
>>> If we want app-specific directories on the sdcard, we will likely have to
>>> require the card be formatted with a better filesystem, or we should punt on
>>> this for now.
>>>
>>
>> Ah yes, I forgot about the case-insensitive names. I also agree this is
>> problematic. With the global directories, we should therefore do:
>>
>> # SD card: /media/<user>/<label>/...
>> owner /media/*/*/[Pp][Ii][Cc][Tt][Uu][Rr][Ee][Ss]/ r,
>> owner /media/*/*/[Pp][Ii][Cc][Tt][Uu][Rr][Ee][Ss]/** rwk,
>>
>> That is easy enough.
>
> We don't really need to do that, apps simply need to access the directory
> using "Pictures" and not any other combination of case.
>
>>
>>
>> Apps are hard though-- click-apparmor could be adjusted to instead of:
>> @{APP_APPNAME}="bar"
>> @{APP_PKGNAME}="com.ubuntu.developer.user.foo"
>>
>> do:
>> @{APP_APPNAME}="[Bb][Aa][Rr]"
>> @{APP_PKGNAME}="[Cc][Oo][Mm].[Uu][Bb][Uu][Nn][Tt][Uu].[Dd][Ee][Vv][Ee][Ll][Oo][Pp][Ee][Rr].[Uu][Ss][Ee][Rr].[Ff][Oo][Oo]"
>>
>> but yikes, I don't like that; plus I agree with your other points about what
>> happens when the card is pulled out. App-specific directories need more
>> thought and planning.
>>
>
> Doing that doesn't eliminate the possibility of developers deliberately
> registering apps with the same name, but with different case combinations,
> either to steal another app's data, or to share data amongst two apps from
> the same developer.
>
> We would need to enforce case-insensitive uniqueness checks all over the place
> to prevent that sort of thing, and I think it's likely to be more trouble than
> it's worth for now.
>
Do note, I didn't really like the above. That said, the AppStore could enforce
this quite easily if it isn't already.

--
Jamie Strandboge
http://www.ubuntu.com/
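A small Python sketch, added here and not code from click-apparmor or the Ubuntu store, of the two ideas the thread discusses: expanding a package name into the `[Cc][Oo][Mm]...` character-class form Jamie sketched for `@{APP_PKGNAME}`, and the case-insensitive uniqueness check Marc says a store would need so that two names differing only in case cannot map to one vfat directory. The allowed-character set for names and the sample registry are assumptions.

```python
import re
from collections import defaultdict

# Assumption: package names are ASCII letters, digits, dots and hyphens; anything
# else is rejected so no AppArmor glob metacharacter can sneak into a profile.
_PKGNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")


def case_insensitive_glob(name):
    """Expand each letter of `name` into the [Xx] class so an AppArmor path rule
    matches it regardless of case; digits, dots and hyphens pass through."""
    if not _PKGNAME_RE.fullmatch(name):
        raise ValueError("unsupported characters in name: %r" % name)
    return "".join("[%s%s]" % (c.upper(), c.lower()) if c.isalpha() else c
                   for c in name)


def apparmor_variable(var, name):
    """Render a click-apparmor style variable line using the expanded glob."""
    return '@{%s}="%s"' % (var, case_insensitive_glob(name))


def find_case_collisions(pkgnames):
    """Group names that differ only by case: on a vfat card they all resolve to
    the same /media/<user>/<label>/.config/<pkgname> directory.
    Returns {folded_name: [variants]} for every group with more than one member."""
    groups = defaultdict(list)
    for n in pkgnames:
        groups[n.casefold()].append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}


def store_accepts(existing, candidate):
    """Case-insensitive uniqueness check a store could run before registering
    a new package name; True means the name does not collide."""
    return candidate.casefold() not in {n.casefold() for n in existing}


if __name__ == "__main__":
    print(apparmor_variable("APP_PKGNAME", "com.ubuntu.developer.user.foo"))
    # Constructed sample registry, not real store data.
    registry = ["com.ubuntu.developer.user.foo", "com.ubuntu.camera",
                "Com.Ubuntu.Developer.User.Foo"]
    for folded, variants in find_case_collisions(registry).items():
        print("collision for %s: %s" % (folded, variants))
    print(store_accepts(registry, "COM.UBUNTU.CAMERA"))
```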
--
Mailing list: https://launchpad.net/~ubuntu-phone
Post to     : ubuntu-phone@lists.launchpad.net
Unsubscribe : https://launchpad.net/~ubuntu-phone
More help   : https://help.launchpad.net/ListHelp