Merge lp:~kissiel/checkbox/cep-9 into lp:checkbox
Proposed by Maciej Kisielewski

| Status: | Merged |
|---|---|
| Approved by: | Maciej Kisielewski |
| Approved revision: | 4403 |
| Merged at revision: | 4407 |
| Proposed branch: | lp:~kissiel/checkbox/cep-9 |
| Merge into: | lp:checkbox |
| Diff against target: | 125 lines (+121/-0), 1 file modified: cep/CEP-9.rst (+121/-0) |
| To merge this branch: | bzr merge lp:~kissiel/checkbox/cep-9 |
| Related bugs: | |

| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Checkbox Developers | Pending | | |

Review via email: mp+265107@code.launchpad.net
Description of the change
Well, this has been in the oven for a while.
I've fixed all the issues pointed out in the comments. The thing was implemented last year, so I guess for docs' sake we should just land it :)
+1
As we go on I'd like to see the same things people can put in their
manifest.json files supported. In reality the actual apparmor profile
is generated from a template. I'd like to mimic that.
On Fri, Jul 17, 2015 at 4:05 PM, Maciej Kisielewski
<email address hidden> wrote:
> Maciej Kisielewski has proposed merging lp:~kissiel/checkbox/cep-9 into lp:checkbox.
>
> Requested reviews:
> Checkbox Developers (checkbox-dev)
>
> For more details, see:
> https://code.launchpad.net/~kissiel/checkbox/cep-9/+merge/265107
>
> -- WIP --
>
> Sandboxed tests CEP
>
> Early feedback welcome!
> --
> You are subscribed to branch lp:checkbox.
>
> === added file 'cep/CEP-9.rst'
> --- cep/CEP-9.rst 1970-01-01 00:00:00 +0000
> +++ cep/CEP-9.rst 2015-07-17 13:43:21 +0000
> @@ -0,0 +1,119 @@
> +======
> +Checkbox Enhancement Proposal 9: Confined QML jobs
> +======
> +
> +Summary
> +=======
> +
> +This CEP defines 'confined' flag for qml-native jobs that makes
> +checkbox-converged run them as seperate apps.
> +
> +Rationale
> +=========
> +
> +Currently when qml-jobs are run by checkbox-converged, they are run with the
> +same apparmor profile as checkbox-converged. For some tests we want to change
> +the security profile the test will run in. This CEP proposes a new way of
> +running qml-native jobs in which the polciies are changed.
> +
> +
> +Example
> +=======
> +
> +We need to provide a test that checks if the device asks for permission, when
> +an app asks for location data. Let's call it "the Test"
> +This job cannot be an ordinary qml-job, as apparmor policy defined for
> +checkbox-converged would be used to carry the test out.
> +
> +Expected behaviour when running tests is as follows:
> +- checkbox-converged gets to the Test
> +- device runs the Test with different set of policies
> +- prompt asking whether to let the Test use location information
> +- testing concludes
> +- checkbox-converged switches to the next test
> +
> +Changing apparmor policies
> +======
> +
> +Confined tests will have additional syntax in their definition to allow
> +user-defined policy.
> +Flag ``confined`` will be used, to inform that the test should run in a
> +confined manner.
> +This field - ``apparmor`` - will point to the file that
> +should be used as apparmor profile. Should this file be missing, the test will
> +have no priviliges and will run fully confined.
> +
> +Impact
> +======
> +
> +Adding confined tests requires change in how providers are handled by
> +Checkbox-
> +*does not* require any change to exisitng providers and *does not* change
> +behaviour of the app.
> +For other Checkbox Applications (cli, gui), confined tests will be executed as
> +ordinary qml-native jobs, because apparmor policies don't affect platforms
> +that those front-ends run on.
> +
> +Implementation
> +==============
> +
> +Proposed flow
> +-------------
> +Checkbox-Converged launches an app containing the test and holds its execution.
> +Device switches to running the test-app.
> +T...
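Review bot: In "Changing apparmor policies", the fallback "Should this file be missing, the test will have no priviliges and will run fully confined" fails closed, which is the right default, but the section does not say how the ``apparmor`` path is resolved, what happens when the file is present but cannot be turned into a profile, or whether ``apparmor`` without ``confined`` is an error. Please state each case, and introduce the field by name before referring to it as "This field". Under Impact, running confined tests as ordinary qml-native jobs on the cli and gui front-ends means a test like the location-permission example still reports a result there without the confinement it was written to exercise, so consider skipping such jobs on those front-ends or marking the outcome. Smaller points: the Impact sentence ending "handled by Checkbox-" breaks off before "*does not* require", the bullet list after "Expected behaviour when running tests is as follows:" needs a blank line before it to render as a list in reST, and "seperate", "polciies", "priviliges" and "exisitng" are misspelled.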