gnome-keyring AppArmor and
- From: Michael Terry <michael terry canonical com>
- To: gnome-keyring-list gnome org
- Cc: tyler hicks canonical com, marc deslauriers canonical com
- Subject: gnome-keyring AppArmor and
- Date: Wed, 16 Jan 2013 15:20:37 -0500
Hello, GNOME Keyring maintainers! I am investigating a potential
feature in Ubuntu of allowing apps confined by AppArmor to have limited
access to the secret service [1].
Namely, to be able to store and get secrets, but only the apps' own
secrets. (For now; maybe in the future we can add more ACL-like
functionality.)
I know that libgnome-keyring used to have ACL support (and still has the
defunct API), but that it was removed as security theater, because there
was no way to reliably identify a caller.
Since AppArmor can reliably identify a DBus caller, we (Ubuntu) are
interested in adding support to gnome-keyring for AppArmor. Let me just
run through my current thinking, and please let me know if any of this
is upstreamable either in a more generic form or perhaps as an #ifdef.
Or suggestions on making it more upstreamable.
The following is a first pass at how this would work:
* If a dbus caller is unconfined (normal everyday desktop apps like
firefox), we don't change a thing. They still have unfettered access.
* Otherwise, confined apps should not be able to see or interact with
items they didn't create themselves.
To do the above, I'm considering:
* When confined, we ask AppArmor for the caller's context name, which
is unique to that app/caller.
* When confined, create items with a special key
'x-apparmor-create-context' with the above context.
* When confined, always list, get, or set items with that context key
(i.e. add that key as a match property to all incoming calls from
confined apps).
* When confined, we also have to be avoid a caller guessing an item's
DBus path (or seeing it from a changed/created signal) and using its
calls directly, so on any such item call, also check the context.
* When confined, don't let the caller see, touch, or match on any
properties that start with 'x-apparmor-'.
* When confined, only allow access to the default collection (i.e.
don't allow listing, querying, or creating collections to avoid leaking
collection names as far as possible). This will involve filtering dbus
calls and signals a bit. I'm not sure how useful or realistic this is...
Note that none of this revives or uses the ACL API. This is just
'silent' confinement so far.
Any thoughts?
[1] https://blueprints.launchpad.net/ubuntu/+spec/security-r-app-keyring
-mt
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
