please integrate mediascanner2 and media-hub with apparmor
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Thumbnailer | Fix Released | Undecided | Unassigned | | |
apparmor-easyprof-ubuntu (Ubuntu) | Fix Released | High | Jamie Strandboge | | |
media-hub (Ubuntu) | Fix Released | Undecided | Unassigned | | |
media-hub (Ubuntu RTM) | Fix Released | Undecided | Unassigned | | |
mediascanner2 (Ubuntu) | Fix Released | High | James Henstridge | | |
Bug Description
media-hub and mediascanner are separate processes from apps and are used to play and scan music and video files respectively. Up until now, apps would have to use the music_files_read or video_files_read reserved policy groups to access media. The problem is, these policy groups are reserved and not available to normal AppStore apps in order to prevent information leaks (this user has this video installed) and theft (can access the music and video directly). The path forward is that media-hub and mediascanner are helpers that apps can use and they should integrate with the trust store.
AppStore apps:
1. should be able to access their own content (installed or local)
2. should not be able to access, play or otherwise enumerate other apps' media (i.e., app 'foo' should not be able to play the Facebook app's sound file)
3. AppStore apps should be able to enumerate the global music (~/Music) and video (~/Video) library via the mediascanner helper with permission from the user
4. AppStore apps should be able to play the global music (~/Music) and video (~/Video) library via the media-hub with permission from the user
5. AppStore apps should be able to have access to media files with permission from the user. This is already handled by the content-hub paradigm (though someone would need to add a media content provider for the content-hub to have this work)
Both media-hub and mediascanner should do something like the below pseudo code:
# see 'man aa_getcon()' from libapparmor-dev for more info
# conn_name is the unique D-Bus connection name of the application connecting
# to media-hub/
apparmor_profile = org.freedesktop
pkgname = apparmor_
if apparmor_profile == unconfined: # unconfined apps can access all the files
    allow access
elif playback_file in ~/.local/
    allow access
elif $pkgname can access playback_file in trust store: # apps can access the files if user said so previously
    allow access
elif playback_file in ~/Music:
    answer = prompt user for access to global music files
    if $answer == yes
        update trust store for $pkgname can enumerate/play ~/Music
        allow access
    else:
        deny access
elif playback_file in ~/Videos:
    answer = prompt user for access to global video files
    if $answer == yes
        update trust store for $pkgname can enumerate/play ~/Videos
        allow access
    else:
        deny access
else:
    deny access
To have the best user experience and prevent multiple prompting, mediascanner and media-hub should use the same trust store database. I'm not sure that mediascanner2 offers a DBus API for enumerating global media files yet or not (music-app seems to be accessing files in ~/.cache/media-art/ and ~/.cache/
UPDATE: 2014-05-02
media-hub implemented '1' and '2' already (can access its own data, but not other apps' data) and was marked Fix Released. Trust store integration ('3' and '4') is now being tracked in bug #1315381.
mediascanner2 still needs to implement '1' and '2'. The 'audio' and 'video' policy groups will *not* add this access at this time. Instead, apps can use 'read_path' as part of their policy to have access to the mediascanner files. This is workable for the music app, but will block other apps from inclusion in the app store.
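The decision procedure from the pseudo code in the description, written out as an added example (not code from media-hub or mediascanner2). It assumes the caller has already resolved the peer's AppArmor label; the `TrustStore` class, the `prompt` callback, the `<pkgname>_<appname>_<version>` label format and the `~/.local/share/<pkgname>` data directory are assumptions made for illustration. Paths are canonicalised before comparison so that `..` components or symlinks cannot turn a request under `~/Music` into access to another app's files.

```python
import os
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"
LIBRARIES = ("Music", "Videos")  # global libraries named in the pseudo code


@dataclass
class TrustStore:
    """In-memory stand-in for the trust store shared by both helpers."""
    grants: set = field(default_factory=set)  # {(pkgname, library)}

    def is_granted(self, pkg, library):
        return (pkg, library) in self.grants

    def grant(self, pkg, library):
        self.grants.add((pkg, library))


def pkgname_from_profile(profile):
    # Assumption: confined app labels look like "<pkgname>_<appname>_<version>".
    return profile.split("_", 1)[0]


def inside(path, root):
    # Resolve symlinks and ".." first so a crafted path cannot escape root.
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def decide(profile, playback_file, home, store, prompt):
    """profile: AppArmor label of the D-Bus peer; prompt(pkg, library) -> bool."""
    if profile == "unconfined":
        return ALLOW
    pkg = pkgname_from_profile(profile)
    if not pkg or os.sep in pkg or pkg in (".", ".."):
        return DENY  # malformed label: never build a path from it
    # Assumption: the app's own data lives under ~/.local/share/<pkgname>.
    if inside(playback_file, os.path.join(home, ".local", "share", pkg)):
        return ALLOW
    for library in LIBRARIES:
        if inside(playback_file, os.path.join(home, library)):
            if store.is_granted(pkg, library):
                return ALLOW  # user said yes previously, no second prompt
            if prompt(pkg, library):
                store.grant(pkg, library)
                return ALLOW
            return DENY
    return DENY
```

As in the pseudo code, only a "yes" is written to the store, so a denied app is prompted again on its next request.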
Related branches
- PS Jenkins bot: Needs Fixing (continuous-integration)
- Ubuntu Phablet Team: Pending requested
Diff: 2681 lines (+1434/-95), 39 files modified
CMakeLists.txt (+2/-0)
debian/control (+3/-0)
debian/media-hub.conf (+4/-1)
debian/media-hub.install (+1/-0)
debian/rules (+4/-0)
debian/usr.bin.media-hub-server (+98/-0)
include/core/media/player.h (+18/-3)
include/core/media/service.h (+1/-0)
src/core/media/CMakeLists.txt (+6/-2)
src/core/media/apparmor.h (+51/-0)
src/core/media/engine.h (+10/-0)
src/core/media/gstreamer/engine.cpp (+105/-8)
src/core/media/gstreamer/engine.h (+9/-0)
src/core/media/gstreamer/playbin.h (+184/-20)
src/core/media/mpris/player.h (+6/-0)
src/core/media/mpris/service.h (+1/-0)
src/core/media/player_implementation.cpp (+172/-17)
src/core/media/player_implementation.h (+7/-1)
src/core/media/player_skeleton.cpp (+221/-7)
src/core/media/player_skeleton.h (+11/-0)
src/core/media/player_stub.cpp (+197/-3)
src/core/media/player_stub.h (+11/-0)
src/core/media/powerd_service.h (+99/-0)
src/core/media/server/server.cpp (+28/-0)
src/core/media/service.cpp (+1/-1)
src/core/media/service_implementation.cpp (+57/-10)
src/core/media/service_implementation.h (+5/-0)
src/core/media/service_skeleton.cpp (+17/-1)
src/core/media/service_skeleton.h (+1/-1)
src/core/media/service_stub.cpp (+13/-5)
src/core/media/service_stub.h (+2/-1)
src/core/media/track_list_implementation.cpp (+13/-0)
src/core/media/track_list_implementation.h (+1/-0)
src/core/media/track_list_skeleton.cpp (+15/-3)
src/core/media/track_list_skeleton.h (+2/-1)
tests/acceptance-tests/service.cpp (+1/-1)
tests/unit-tests/CMakeLists.txt (+15/-1)
tests/unit-tests/libmedia-mock.cpp (+26/-0)
tests/unit-tests/test-gstreamer-engine.cpp (+16/-8)
description: | updated |
description: | updated |
tags: | added: application-confinement |
Changed in apparmor-easyprof-ubuntu (Ubuntu): | |
status: | New → Confirmed |
Changed in mediascanner2 (Ubuntu): | |
importance: | Undecided → High |
Changed in apparmor-easyprof-ubuntu (Ubuntu): | |
importance: | Undecided → High |
description: | updated |
description: | updated |
description: | updated |
Changed in media-hub: | |
assignee: | nobody → Jim Hodapp (jhodapp) |
importance: | Undecided → High |
status: | New → In Progress |
Changed in mediascanner2 (Ubuntu): | |
status: | New → Confirmed |
Changed in media-hub: | |
status: | In Progress → Fix Committed |
summary: |
- please integrate mediascanner2 and media-hub with trust-store
+ please integrate mediascanner2 and media-hub with apparmor |
description: | updated |
description: | updated |
Changed in apparmor-easyprof-ubuntu (Ubuntu): | |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in mediascanner2 (Ubuntu): | |
assignee: | nobody → James Henstridge (jamesh) |
Changed in thumbnailer: | |
status: | Fix Committed → Fix Released |
Changed in media-hub (Ubuntu): | |
status: | New → Fix Released |
no longer affects: | media-hub |
Changed in media-hub (Ubuntu RTM): | |
status: | New → Fix Released |
As a sidenote: we probably don't want the user's personal videos captured with the camera to be stored in the ~/Videos folder.