** Description changed:

  media-hub and mediascanner are separate processes from apps and are used
  to play and scan music and video files respectively. Up until now, apps
  would have to use the music_files_read or video_files_read reserved
  policy groups to access media. The problem is, these policy groups are
  reserved and not available to normal AppStore apps in order to prevent
  information leaks (this user has this video installed) and theft (can
  access the music and video directly). The path forward is that media-hub
  and mediascanner are helpers that apps can use and they should integrate
  with the trust store.
  
  AppStore apps:
-  1. should not be able to access, play or otherwise enumerate other apps' 
media (ie, app 'foo' should not be able to play the facebook app's sound file
-  2. AppStore apps should be able to enumerate the global music (~/Music) and 
video (~/Video) library via the mediascanner helper with permission from the 
user
-  3. AppStore apps should be able to play the global music (~/Music) and video 
(~/Video) library via the media-hub with permission from the user
-  4. AppStore apps should be able to have access to media files with 
permission from the user. This is already handled by the content-hub paradigm 
(though someone would need to add a media content provider for the content-hub 
to have this work)
+  1. should be able to access their own content (installed or local)
+  2. should not be able to access, play or otherwise enumerate other apps' 
media (ie, app 'foo' should not be able to play the facebook app's sound file
+  3. AppStore apps should be able to enumerate the global music (~/Music) and 
video (~/Video) library via the mediascanner helper with permission from the 
user
+  4. AppStore apps should be able to play the global music (~/Music) and video 
(~/Video) library via the media-hub with permission from the user
+  5. AppStore apps should be able to have access to media files with 
permission from the user. This is already handled by the content-hub paradigm 
(though someone would need to add a media content provider for the content-hub 
to have this work)
  
  Both media-hub and mediascanner should do something like the below
  pseudo code:
  
  # see 'man aa_getcon()' from libapparmor-dev for more info
  # conn_name is the unique D-Bus connection name of the application connecting
  # to media-hub/mediascanner
  apparmor_profile = 
org.freedesktop.DBus.GetConnectionAppArmorSecurityContext(conn_name)
  
  pkgname = apparmor_profile.split('_')[0]
  if apparmor_profile == unconfined: # unconfined apps can access all the files
      allow access
  elif playback_file in ~/.local/share/$pkgname/... or playback_file in 
~/.cache/$pkgname/..: # apps can access their own files
      allow access
  elif $pkgname can access playback_file in trust store: # apps can access the 
files if user said so previously
      allow access
  elif playback_file in ~/Music:
      answer = prompt user for access to global music files
      if $answer == yes
          update trust store for $pkgname can enumerate/play ~/Music
          allow access
      else:
          deny access
  elif playback_file in ~/Videos:
      answer = prompt user for access to global video files
      if $answer == yes
          update trust store for $pkgname can enumerate/play ~/Videos
          allow access
      else:
          deny access
  else:
      deny access
  
  To have the best user experience and prevent multiple prompting,
  mediascanner and media-hub should use the same trust store database. I'm
  not sure that mediascanner2 offers a DBus API for enumerating global
  media files yet or not (music-app seems to be accessing files in
  ~/.cache/media-art/ and ~/.cache/mediascanner directly).
  
- Until this is added, I will temporarily add access to the reserved
- policy groups for access to the media-hub DBus API and mediascanner
- files so that the music-app can run confined but with reserved policy
- groups. Once the media-hub and mediascanner are implemented with the
- trust store, then we can add the mediascanner and media-hub DBus APIs to
- the audio and video common policy groups and make media-hub and
- mediascanner available to all apps.
+ UPDATE: 2014-05-02
+ media-hub implemented '1' and '2' already (should not be able to access, play 
or otherwise enumerate other apps' media (ie, app 'foo' should not be able to 
play the facebook app's sound file)) and was marked Fix Released. Trust store 
integration ('3' and '4') is now being tracked in bug #1315381.
+ 
+ mediascanner2 still needs to implement '1' and '2'. The 'audio' and
+ 'video' policy groups will *not* add this access at this time. Instead,
+ apps can use 'read_path' as part of their policy to have access to the
+ mediascanner files. This is workable fir the music app, but will block
+ other apps from inclusion in the app store.

** Description changed:

  media-hub and mediascanner are separate processes from apps and are used
  to play and scan music and video files respectively. Up until now, apps
  would have to use the music_files_read or video_files_read reserved
  policy groups to access media. The problem is, these policy groups are
  reserved and not available to normal AppStore apps in order to prevent
  information leaks (this user has this video installed) and theft (can
  access the music and video directly). The path forward is that media-hub
  and mediascanner are helpers that apps can use and they should integrate
  with the trust store.
  
  AppStore apps:
   1. should be able to access their own content (installed or local)
-  2. should not be able to access, play or otherwise enumerate other apps' 
media (ie, app 'foo' should not be able to play the facebook app's sound file
-  3. AppStore apps should be able to enumerate the global music (~/Music) and 
video (~/Video) library via the mediascanner helper with permission from the 
user
-  4. AppStore apps should be able to play the global music (~/Music) and video 
(~/Video) library via the media-hub with permission from the user
-  5. AppStore apps should be able to have access to media files with 
permission from the user. This is already handled by the content-hub paradigm 
(though someone would need to add a media content provider for the content-hub 
to have this work)
+  2. should not be able to access, play or otherwise enumerate other apps' 
media (ie, app 'foo' should not be able to play the facebook app's sound file
+  3. AppStore apps should be able to enumerate the global music (~/Music) and 
video (~/Video) library via the mediascanner helper with permission from the 
user
+  4. AppStore apps should be able to play the global music (~/Music) and video 
(~/Video) library via the media-hub with permission from the user
+  5. AppStore apps should be able to have access to media files with 
permission from the user. This is already handled by the content-hub paradigm 
(though someone would need to add a media content provider for the content-hub 
to have this work)
  
  Both media-hub and mediascanner should do something like the below
  pseudo code:
  
  # see 'man aa_getcon()' from libapparmor-dev for more info
  # conn_name is the unique D-Bus connection name of the application connecting
  # to media-hub/mediascanner
  apparmor_profile = 
org.freedesktop.DBus.GetConnectionAppArmorSecurityContext(conn_name)
  
  pkgname = apparmor_profile.split('_')[0]
  if apparmor_profile == unconfined: # unconfined apps can access all the files
      allow access
  elif playback_file in ~/.local/share/$pkgname/... or playback_file in 
~/.cache/$pkgname/..: # apps can access their own files
      allow access
  elif $pkgname can access playback_file in trust store: # apps can access the 
files if user said so previously
      allow access
  elif playback_file in ~/Music:
      answer = prompt user for access to global music files
      if $answer == yes
          update trust store for $pkgname can enumerate/play ~/Music
          allow access
      else:
          deny access
  elif playback_file in ~/Videos:
      answer = prompt user for access to global video files
      if $answer == yes
          update trust store for $pkgname can enumerate/play ~/Videos
          allow access
      else:
          deny access
  else:
      deny access
  
  To have the best user experience and prevent multiple prompting,
  mediascanner and media-hub should use the same trust store database. I'm
  not sure that mediascanner2 offers a DBus API for enumerating global
  media files yet or not (music-app seems to be accessing files in
  ~/.cache/media-art/ and ~/.cache/mediascanner directly).
  
  UPDATE: 2014-05-02
- media-hub implemented '1' and '2' already (should not be able to access, play 
or otherwise enumerate other apps' media (ie, app 'foo' should not be able to 
play the facebook app's sound file)) and was marked Fix Released. Trust store 
integration ('3' and '4') is now being tracked in bug #1315381.
+ media-hub implemented '1' and '2' already (can access its own data, but not 
other apps' data) and was marked Fix Released. Trust store integration ('3' and 
'4') is now being tracked in bug #1315381.
  
  mediascanner2 still needs to implement '1' and '2'. The 'audio' and
  'video' policy groups will *not* add this access at this time. Instead,
  apps can use 'read_path' as part of their policy to have access to the
- mediascanner files. This is workable fir the music app, but will block
+ mediascanner files. This is workable for the music app, but will block
  other apps from inclusion in the app store.

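The access decision in the pseudo code above, repeated in both revisions of the description, as a runnable Python sketch. This is an added example, not code from media-hub, mediascanner2 or the bug's author. It assumes the caller has already obtained the AppArmor label of the connecting app via org.freedesktop.DBus.GetConnectionAppArmorSecurityContext (so the label is passed in as a string), models the trust store as an in-memory dict of granted (pkgname, feature) pairs, and takes the user prompt as a callback. It adds one thing the pseudo code leaves implicit: the path is normalised before the prefix checks, so a '..' segment or a sibling directory with a matching prefix (~/Musical) cannot escape the app's own directories.

```python
import os
from typing import Callable, Dict, Tuple

# Hypothetical trust store: the set of (pkgname, feature) grants the user has
# already confirmed, where feature is "Music" or "Videos". The real trust store
# is a separate service; a dict is enough to model the lookup/update here.
TrustStore = Dict[Tuple[str, str], bool]


def pkgname_from_profile(apparmor_profile: str) -> str:
    """Click app labels look like <pkgname>_<app>_<version>; keep the package."""
    return apparmor_profile.split("_")[0]


def _is_under(path: str, root: str) -> bool:
    """True if path is root itself or lies inside root after collapsing '..'.

    normpath handles '..' and duplicate separators; for files that exist on
    disk a real implementation should use os.path.realpath so symlinks
    cannot point out of the allowed directory either."""
    path = os.path.normpath(path)
    root = os.path.normpath(root)
    # Compare with a trailing separator so "/home/u/Musical" is not treated
    # as being inside "/home/u/Music".
    return path == root or path.startswith(root + os.sep)


def decide_access(apparmor_profile: str, playback_file: str, home: str,
                  trust: TrustStore,
                  prompt: Callable[[str, str], bool]) -> str:
    """Return "allow" or "deny" for playback_file, following the bug's pseudo code.

    apparmor_profile: label from GetConnectionAppArmorSecurityContext
    prompt(pkgname, feature): asks the user; True means access was granted
    """
    # Unconfined clients (no AppArmor profile) may access all files.
    if apparmor_profile == "unconfined":
        return "allow"

    pkgname = pkgname_from_profile(apparmor_profile)

    # Apps may always read their own installed/local data.
    own_roots = (os.path.join(home, ".local", "share", pkgname),
                 os.path.join(home, ".cache", pkgname))
    if any(_is_under(playback_file, root) for root in own_roots):
        return "allow"

    # Global libraries need a remembered grant or a fresh prompt.
    libraries = (("Music", os.path.join(home, "Music")),
                 ("Videos", os.path.join(home, "Videos")))
    for feature, root in libraries:
        if not _is_under(playback_file, root):
            continue
        if trust.get((pkgname, feature)):
            return "allow"          # user said yes previously
        if prompt(pkgname, feature):
            trust[(pkgname, feature)] = True   # remember, no re-prompt later
            return "allow"
        return "deny"

    # Anything else (other apps' data, system files) is denied.
    return "deny"


def demo() -> Dict[str, str]:
    """Constructed scenario: a music app, a shared trust store, a user who
    grants Music but is never asked twice."""
    home = "/home/demo"                      # constructed home directory
    profile = "com.ubuntu.music_music_1.3"   # constructed AppArmor label
    trust: TrustStore = {}
    results = {}
    results["own_cache"] = decide_access(
        profile, home + "/.cache/com.ubuntu.music/art.png", home, trust,
        lambda p, f: False)
    results["other_app"] = decide_access(
        profile, home + "/.cache/com.example.social/sound.ogg", home, trust,
        lambda p, f: False)
    results["traversal"] = decide_access(
        profile, home + "/.cache/com.ubuntu.music/../com.example.social/s.ogg",
        home, trust, lambda p, f: False)
    results["music_granted"] = decide_access(
        profile, home + "/Music/song.mp3", home, trust, lambda p, f: True)
    results["music_remembered"] = decide_access(
        profile, home + "/Music/other.mp3", home, trust, lambda p, f: False)
    results["video_denied"] = decide_access(
        profile, home + "/Videos/clip.mp4", home, trust, lambda p, f: False)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Because both media-hub and mediascanner would call decide_access with the same `trust` object, a grant recorded by one helper is honoured by the other, which is the single-database point the description makes about avoiding repeated prompts.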
-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1303962

Title:
  please integrate mediascanner2 and media-hub with apparmor


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
