Code review comment for lp:~michihenning/unity-scopes-api/scope-cache-dir

Revision history for this message
Michi Henning (michihenning) wrote :

> > The core problem here is that I don't know which confinement profile belongs
> > to what scope ID, so I don't know how to set the path correctly. If we have
> a
> > path that doesn't change depending on the confinement profile, the problem
> > would go away because the prefix would be independent of the confinement
> type.
>
> As mentioned, that breaks the confinement separation for the case when a scope
> changes from leaf-fs to leaf-net. We need to have these scope type (eg, leaf-
> net, leaf-fs) for whenever we confine both types. Putting it in
> $HOME/.local/share/unity-scopes/<scope_id> or $HOME/.local/share/unity-
> copes/data_home/<scope_id> breaks that.

Right, yes, this makes sense, thanks!

> Why not just add this to the scope runner .ini file:
> [ScopeConfig]
> Type=Network # or LocalContent or Aggregator

I think this approach has merit, at least to tidy us over until after RTM. I could make the setting optional, with the default being Type=Network. That means the setting would effectively be invisible to scope authors (though still documented), and only aggregators (us, mostly) would need to set it.

The path would be set accordingly, as "leaf-net" or "unconfined".

Directory creation can be done by the scoperunner, I think: if the directory doesn't exist, it'll be created on the fly.

> The downside is the scope author has to keep this in sync with the declared
> template in the security manifest, but that is something the SDK can help with
> (not to mention, people shouldn't be changing from one scope type to another
> except in the most unusual circumstances).

Seeing that, at the moment, we have only two policies for scopes, I don't think that's a big deal. Longer term, once we have a fancier Apparmor query API, we should be able to ditch the config item again and just rely on what we learn from the query API. What I would like to have from the API is functionality that allows me to ask the question "what is the root of my writable data area?"

Ideally, I should get an answer even if that directory doesn't exist yet. And, if it doesn't exist, I should still be able to create that (and only that) directory. That way, the scoperunner wouldn't have to do anything on behalf of the scope before exec'ing it. Instead, the scope, after it was exec'd (and is confined already), could still create its own data directory if it doesn't exist.

« Back to merge proposal