[apparmor] Mapping end-user applications to security contexts

Alberto Mardegan alberto.mardegan at canonical.com
Thu Aug 22 08:59:02 UTC 2013 

Hi all!
  As some of you already know, Ubuntu's OnlineAccounts plans for the
next months include maintaining its own dynamic ACL of which
applications are allowed to use a certain account, with the end-user
being the decision maker. Therefore, in order to create and update the
ACL, we ultimately need a way to map the profiles returned by apparmor
to an application name and icon that the user can recognize.

So, when an unauthorized application will want to access an online
account, we would like to know not only the profile of this application,
but also a display name and icon, and maybe some other metadata to
display to the user, so that he can decide whether the application
should be allowed to access the protected resource (the online account,
in our case).

The .desktop files described in the freedesktop.org specification [0]
contain all the application metadata we need (and more), so I think that
this is the information we'd like to get.

As I understand it, there are currently some hackish way to get a
mapping from the profile to a .desktop file (matching on the Ubuntu
Click package unique ID or, for the cases where the profile is the path
to the binary application, browsing through the .desktop files checking
the command in the "Exec" field and try to match it with the executable
path), but they can fail in a number of ways.
In a private conversation with Jamie, he hinted that apparmor could
store the mapping in its profile files, and provide a couple of methods like
   - aa_desktop_file_for_profile(<profile>)
   - aa_profile_for_desktop_file(<desktop>)

This would indeed meet our needs, and it could be helpful for other
software which maintains its own dynamic ACL (of which we don't have
many examples, but arguably it's because of a chicken-egg problem of not
having a security framework which can identify apps).

Do you think that this is a sensible approach?

Ciao,
  Alberto

[0] http://standards.freedesktop.org/desktop-entry-spec/latest/index.html

More information about the AppArmor mailing list