[Bug 1221407] [NEW] please provide gui for security manifest

Jamie Strandboge jamie at ubuntu.com
Thu Sep 5 19:15:37 UTC 2013 

Public bug reported:

I know this is planned but wanted to file a bug to give additional
information.

Currently Simple tab provides a text input field to add policy groups. It would be good if the sdk could enumerate the policy groups. The policy groups can be enumerated with:
$ aa-easyprof --list-policy-groups --policy-vendor=ubuntu --policy-version=1.0
accounts
audio
...

As of apparmor-easyprof-ubuntu 1.0.29, policy groups have two fields of metadata which the SDK can use. You can get the contents of the policy group with:
$ aa-easyprof --show-policy-group -p <group> --policy-vendor=ubuntu --policy-version=1.0

Eg:
$ aa-easyprof --show-policy-group -p networking --policy-vendor=ubuntu --policy-version=1.0
# Description: Can access the network
# Usage: common
#include <abstractions/nameservice>
#include <abstractions/openssl>

or:
$ aa-easyprof --show-policy-group -p music_files --policy-vendor=ubuntu --policy-version=1.0
# Description: Can read and write to music files. This policy group is
#  reserved for certain applications, such as music players. Developers
#  should typically use the content_exchange policy group and API to
#  access music files instead.
# Usage: reserved
owner @{HOME}/Music/   r,
owner @{HOME}/Music/** rwk,

I'm not sure how you want to display all this to the user, but it is
worth noting that the 'Usage' meta-information should be used by the SDK
in some manner. Policy groups with 'Usage: common' are safe for all
applications to use, but ones with 'Usage: reserved' will likely cause
problems during the review process and may waste the developer's time if
their app is rejected for using it. Perhaps if the meta information
(Description and Usage for now) was display along with the policy group,
developers would have enough information to decide. It may make sense
for the reserved policy groups to be hidden or require a confirmation to
add. We want to discourage their use in general. This should probably be
generalized incase we add other Usage tags, like 'core-apps', etc.

See /usr/share/doc/apparmor-easyprof-ubuntu/README.Debian for more
details.

** Affects: qtcreator (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: appstore

** Tags added: appstore

** Description changed:

  I know this is planned but wanted to file a bug to give additional
  information.
  
  Currently Simple tab provides a text input field to add policy groups. It would be good if the sdk could enumerate the policy groups. The policy groups can be enumerated with:
  $ aa-easyprof --list-policy-groups --policy-vendor=ubuntu --policy-version=1.0
  accounts
  audio
  ...
  
  As of apparmor-easyprof-ubuntu 1.0.29, policy groups have two fields of metadata which the SDK can use. You can get the contents of the policy group with:
  $ aa-easyprof --show-policy-group -p <group> --policy-vendor=ubuntu --policy-version=1.0
  
  Eg:
  $ aa-easyprof --show-policy-group -p networking --policy-vendor=ubuntu --policy-version=1.0
  # Description: Can access the network
  # Usage: common
  #include <abstractions/nameservice>
  #include <abstractions/openssl>
  
  or:
  $ aa-easyprof --show-policy-group -p music_files --policy-vendor=ubuntu --policy-version=1.0
  # Description: Can read and write to music files. This policy group is
  #  reserved for certain applications, such as music players. Developers
  #  should typically use the content_exchange policy group and API to
  #  access music files instead.
  # Usage: reserved
  owner @{HOME}/Music/   r,
  owner @{HOME}/Music/** rwk,
  
- 
- I'm not sure how you want to display all this to the user, but it is worth noting that the 'Usage' meta-information should be used by the SDK in some manner. Policy groups with 'Usage: common' are safe for all applications to use, but ones with 'Usage: reserved' will likely cause problems during the review process and may waste the developer's time if their app is rejected for using it.
+ I'm not sure how you want to display all this to the user, but it is
+ worth noting that the 'Usage' meta-information should be used by the SDK
+ in some manner. Policy groups with 'Usage: common' are safe for all
+ applications to use, but ones with 'Usage: reserved' will likely cause
+ problems during the review process and may waste the developer's time if
+ their app is rejected for using it. Perhaps if the meta information
+ (Description and Usage for now) was display along with the policy group,
+ developers would have enough information to decide. It may make sense
+ for the reserved policy groups to be hidden or require a confirmation to
+ add. We want to discourage their use in general. This should probably be
+ generalized incase we add other Usage tags, like 'core-apps', etc.
  
  See /usr/share/doc/apparmor-easyprof-ubuntu/README.Debian for more
  details.

-- 
You received this bug notification because you are a member of Kubuntu
Bugs, which is subscribed to qtcreator in Ubuntu.
https://bugs.launchpad.net/bugs/1221407

Title:
  please provide gui for security manifest

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtcreator/+bug/1221407/+subscriptions

More information about the kubuntu-bugs mailing list