trust-store

Merge lp:~thomas-voss/trust-store/fix-1504022 into lp:trust-store/15.04

fix-1504022
Merge into 15.04

Proposed by Thomas Voß on 2015-11-11

Status:

Superseded

Proposed branch:

lp:~thomas-voss/trust-store/fix-1504022

Merge into:

lp:trust-store/15.04

Diff against target:

1644 lines (+1211/-92)

20 files modified

3rd_party/xdg/CMakeLists.txt (+22/-0)
3rd_party/xdg/LICENSE (+166/-0)
3rd_party/xdg/README.md (+87/-0)
3rd_party/xdg/xdg.cpp (+203/-0)
3rd_party/xdg/xdg.h (+118/-0)
3rd_party/xdg/xdg_test.cpp (+130/-0)
CMakeLists.txt (+4/-1)
debian/control (+3/-0)
debian/source/format (+1/-1)
src/CMakeLists.txt (+8/-0)
src/core/trust/impl/sqlite3/store.cpp (+2/-8)
src/core/trust/mir/agent.cpp (+11/-38)
src/core/trust/mir/agent.h (+29/-14)
src/core/trust/mir/click_desktop_entry_app_name_resolver.cpp (+106/-0)
src/core/trust/mir/click_desktop_entry_app_name_resolver.h (+49/-0)
tests/CMakeLists.txt (+29/-8)
tests/click_desktop_entry_app_name_resolver_test.cpp (+60/-0)
tests/mir_agent_test.cpp (+123/-22)
tests/share/applications/valid.pkg_app_0.0.0.desktop (+55/-0)
tests/test_data.h.in (+5/-0)

To merge this branch:

bzr merge lp:~thomas-voss/trust-store/fix-1504022

Related bugs:

Bug #1382610: Buttons order is wrong	High	In Progress
Bug #1504022: Displays the hook name rather than the .desktop Name	High	In Progress

Link a bug report

Reviewer	Date Requested	Status
Tyler Hicks		Needs Information on 2015-11-20
Alberto Mardegan (community)	2015-11-11	Approve on 2015-11-12
Review via email: mp+277266@code.launchpad.net

This proposal supersedes a proposal from 2015-11-11.

This proposal has been superseded by a proposal from 2015-11-15.

Commit message

Add interface mir::AppNameResolver.

mir::AppNameResolver is used by mir::Agent to map application IDs
to localized application names.

Description of the change

Add interface mir::AppNameResolver.

mir::AppNameResolver is used by mir::Agent to map application IDs
to localized application names.

Revision history for this message

Alberto Mardegan (mardy) wrote on 2015-11-11:

A couple of inline comments, I'm not convinced that this way of finding the desktop files is reliable.

review: Needs Fixing

lp:~thomas-voss/trust-store/fix-1504022 updated on 2015-11-12

138. By Thomas Voß on 2015-11-12: Robustify desktop entry lookup, relying on xdg dirs to search for matching entries.
139. By Thomas Voß on 2015-11-12: Rename test for mir::ClickDesktopEntryAppNameResolver.

Revision history for this message

Alberto Mardegan (mardy) wrote on 2015-11-12:

Looks good!

review: Approve

lp:~thomas-voss/trust-store/fix-1504022 updated on 2015-11-15

140. By Thomas Voß on 2015-11-14: Add missing , in debian/control.
141. By Thomas Voß on 2015-11-15: rely on xdg:: for querying xdg base spec directories.

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2015-11-20:

Hello - Thomas had asked for a security review and I just took a look at the code.

The code itself looks nearly perfect. I have a couple questions below but they're minor.

I'm mainly concerned about the concept of using the localized Name of the desktop file in a trust prompt. For something like a click app that comes from an untrusted developer, we have no idea if the localized name in their provided desktop file is an accurate translation or a malicious translation intended to trick the user into granting their app access. I don't know of any logic that could be used in the click reviewers tools to verify that the translations are non-malicious. How do we handle such a situation?

As for the code, I have a couple questions/comments:

1) What UID does resolve_desktop_entry_or_throw() run under? I ask because it goes mucking around in the user's home dir and is vulnerable to minor TOCTOU issues such as checking to see if /home/USER/applications/APP_ID.desktop is a regular file and then later passing that path to g_key_file_load_from_file(). The user could modify the path to be a symlink to an area of the filesystem that he/she doesn't own. If resolve_desktop_entry_or_throw() runs as the user, there's probably nothing to worry about.

2) The external XDG stuff that you wrote is a nice idea. I'd recommend packaging it up as a library so that it can be reused in a controllable fashion instead of copying and pasting the code into all of the projects that want to use it.

review: Needs Information

Revision history for this message

Tyler Hicks (tyhicks) wrote on 2015-11-20:

After speaking with jdstrand, he explained why the click reviewers tools don't currently verify the Name field of a desktop file. The desktop file name field can't be forced to match the click package name because the desktop file name should be "pretty" while the click package name is alphanumerics and '-'.

Because of this, I don't see how the desktop file name field can be trusted enough to be used in trust store prompts. :/

Revision history for this message

Thomas Voß (thomas-voss) wrote on 2015-11-21:

Hey Tyler,

thanks for the detailed review and your comments. Let me first try to clarify on the use of the localized name in trust prompts. I actually raised the same issue as you, and it turns out that we are "vulnerable" to applications faking their identity in a couple of places throughout the system. First and foremost: Unity itself relies on the .desktop file entry for displaying the name. We might want to fix the default approach for handling localized application names meant for human consumption in snappy, though.

One possible way to resolve the issue is by altering the prompt to show the localized name alongside the actual application id. Ideally, we would have an expendable field "Details" as part of the prompt containing in-depth information about the request, at the very least the actual app ID together with the UID (and the human-readable user name).

(@1:) The function always runs under the actual user. I will however add a check to make sure that the current user id matches the user id of the request. If not, we will return early, and deny the request.

(@2:) Sure, happy to. I mainly added the external code here to guarantee a swift landing. I will do the packaging and carry out the requesting asap, but would like to make sure that a fix for this bug is not blocked by package/MIR review processes.

Revision history for this message

Thomas Voß (thomas-voss) wrote on 2015-11-21:

One other idea to further clarify the identity of the app might be to include its official icon. At the very least, this would make it easier for the user to associate the source of the trust request with what is visible in the dash and in the launcher.

lp:~thomas-voss/trust-store/fix-1504022 updated on 2015-11-30

142. By Thomas Voß on 2015-11-26: Address comments in review and implement new prompt design.
143. By Thomas Voß on 2015-11-27: Ensure that rendering is consistent with app icon rendering on launcher/dash.
144. By Thomas Voß on 2015-11-27: Update pot to account for string changes.
145. By Thomas Voß on 2015-11-30: Change color of negative action to neutral, see:
https://developer.ubuntu.com/api/apps/qml/sdk-14.10/Ubuntu.Components.UbuntuColors/#lightGrey-prop
Fix apostrophe to be a real typographic apostrophe.
146. By Thomas Voß on 2015-11-30: Align with app scope display of icons, see:
https://code.launchpad.net/~cimi/unity8/new-shadows-1.3/+merge/271611

Unmerged revisions

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Thomas Voß

Ubuntu Phablet Team

 === added directory '3rd_party'
 === added directory '3rd_party/xdg'
 === added file '3rd_party/xdg/CMakeLists.txt'
 --- 3rd_party/xdg/CMakeLists.txt	1970-01-01 00:00:00 +0000
 +++ 3rd_party/xdg/CMakeLists.txt	2015-11-15 21:10:18 +0000
@@ -0,0 +1,22 @@
++project(xdg)
++
++cmake_minimum_required(VERSION 2.8)
++
++find_package(Boost COMPONENTS filesystem system unit_test_framework)
++
++include_directories(
++    .
++    ${Boost_INCLUDE_DIRS}
++)
++
++add_library(xdg xdg.cpp)
++set_property(TARGET xdg PROPERTY CXX_STANDARD 11)
++target_link_libraries(xdg ${Boost_LIBRARIES})
++
++enable_testing()
++add_definitions(-DBOOST_TEST_DYN_LINK -DBOOST_TEST_MAIN -DBOOST_TEST_MODULE=xdg)
++add_executable(xdg_test xdg_test.cpp)
++set_property(TARGET xdg_test PROPERTY CXX_STANDARD 11)
++target_link_libraries(xdg_test xdg)
++
++add_test(xdg_test xdg_test)
 === added file '3rd_party/xdg/LICENSE'
 --- 3rd_party/xdg/LICENSE	1970-01-01 00:00:00 +0000
 +++ 3rd_party/xdg/LICENSE	2015-11-15 21:10:18 +0000
@@ -0,0 +1,166 @@
++                   GNU LESSER GENERAL PUBLIC LICENSE
++                       Version 3, 29 June 2007
++
++ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
++ Everyone is permitted to copy and distribute verbatim copies
++ of this license document, but changing it is not allowed.
++
++
++  This version of the GNU Lesser General Public License incorporates
++the terms and conditions of version 3 of the GNU General Public
++License, supplemented by the additional permissions listed below.
++
++  0. Additional Definitions.
++
++  As used herein, "this License" refers to version 3 of the GNU Lesser
++General Public License, and the "GNU GPL" refers to version 3 of the GNU
++General Public License.
++
++  "The Library" refers to a covered work governed by this License,
++other than an Application or a Combined Work as defined below.
++
++  An "Application" is any work that makes use of an interface provided
++by the Library, but which is not otherwise based on the Library.
++Defining a subclass of a class defined by the Library is deemed a mode
++of using an interface provided by the Library.
++
++  A "Combined Work" is a work produced by combining or linking an
++Application with the Library.  The particular version of the Library
++with which the Combined Work was made is also called the "Linked
++Version".
++
++  The "Minimal Corresponding Source" for a Combined Work means the
++Corresponding Source for the Combined Work, excluding any source code
++for portions of the Combined Work that, considered in isolation, are
++based on the Application, and not on the Linked Version.
++
++  The "Corresponding Application Code" for a Combined Work means the
++object code and/or source code for the Application, including any data
++and utility programs needed for reproducing the Combined Work from the
++Application, but excluding the System Libraries of the Combined Work.
++
++  1. Exception to Section 3 of the GNU GPL.
++
++  You may convey a covered work under sections 3 and 4 of this License
++without being bound by section 3 of the GNU GPL.
++
++  2. Conveying Modified Versions.
++
++  If you modify a copy of the Library, and, in your modifications, a
++facility refers to a function or data to be supplied by an Application
++that uses the facility (other than as an argument passed when the
++facility is invoked), then you may convey a copy of the modified
++version:
++
++   a) under this License, provided that you make a good faith effort to
++   ensure that, in the event an Application does not supply the
++   function or data, the facility still operates, and performs
++   whatever part of its purpose remains meaningful, or
++
++   b) under the GNU GPL, with none of the additional permissions of
++   this License applicable to that copy.
++
++  3. Object Code Incorporating Material from Library Header Files.
++
++  The object code form of an Application may incorporate material from
++a header file that is part of the Library.  You may convey such object
++code under terms of your choice, provided that, if the incorporated
++material is not limited to numerical parameters, data structure
++layouts and accessors, or small macros, inline functions and templates
++(ten or fewer lines in length), you do both of the following:
++
++   a) Give prominent notice with each copy of the object code that the
++   Library is used in it and that the Library and its use are
++   covered by this License.
++
++   b) Accompany the object code with a copy of the GNU GPL and this license
++   document.
++
++  4. Combined Works.
++
++  You may convey a Combined Work under terms of your choice that,
++taken together, effectively do not restrict modification of the
++portions of the Library contained in the Combined Work and reverse
++engineering for debugging such modifications, if you also do each of
++the following:
++
++   a) Give prominent notice with each copy of the Combined Work that
++   the Library is used in it and that the Library and its use are
++   covered by this License.
++
++   b) Accompany the Combined Work with a copy of the GNU GPL and this license
++   document.
++
++   c) For a Combined Work that displays copyright notices during
++   execution, include the copyright notice for the Library among
++   these notices, as well as a reference directing the user to the
++   copies of the GNU GPL and this license document.
++
++   d) Do one of the following:
++
++       0) Convey the Minimal Corresponding Source under the terms of this
++       License, and the Corresponding Application Code in a form
++       suitable for, and under terms that permit, the user to
++       recombine or relink the Application with a modified version of
++       the Linked Version to produce a modified Combined Work, in the
++       manner specified by section 6 of the GNU GPL for conveying
++       Corresponding Source.
++
++       1) Use a suitable shared library mechanism for linking with the
++       Library.  A suitable mechanism is one that (a) uses at run time
++       a copy of the Library already present on the user's computer
++       system, and (b) will operate properly with a modified version
++       of the Library that is interface-compatible with the Linked
++       Version.
++
++   e) Provide Installation Information, but only if you would otherwise
++   be required to provide such information under section 6 of the
++   GNU GPL, and only to the extent that such information is
++   necessary to install and execute a modified version of the
++   Combined Work produced by recombining or relinking the
++   Application with a modified version of the Linked Version. (If
++   you use option 4d0, the Installation Information must accompany
++   the Minimal Corresponding Source and Corresponding Application
++   Code. If you use option 4d1, you must provide the Installation
++   Information in the manner specified by section 6 of the GNU GPL
++   for conveying Corresponding Source.)
++
++  5. Combined Libraries.
++
++  You may place library facilities that are a work based on the
++Library side by side in a single library together with other library
++facilities that are not Applications and are not covered by this
++License, and convey such a combined library under terms of your
++choice, if you do both of the following:
++
++   a) Accompany the combined library with a copy of the same work based
++   on the Library, uncombined with any other library facilities,
++   conveyed under the terms of this License.
++
++   b) Give prominent notice with the combined library that part of it
++   is a work based on the Library, and explaining where to find the
++   accompanying uncombined form of the same work.
++
++  6. Revised Versions of the GNU Lesser General Public License.
++
++  The Free Software Foundation may publish revised and/or new versions
++of the GNU Lesser General Public License from time to time. Such new
++versions will be similar in spirit to the present version, but may
++differ in detail to address new problems or concerns.
++
++  Each version is given a distinguishing version number. If the
++Library as you received it specifies that a certain numbered version
++of the GNU Lesser General Public License "or any later version"
++applies to it, you have the option of following the terms and
++conditions either of that published version or of any later version
++published by the Free Software Foundation. If the Library as you
++received it does not specify a version number of the GNU Lesser
++General Public License, you may choose any version of the GNU Lesser
++General Public License ever published by the Free Software Foundation.
++
++  If the Library as you received it specifies that a proxy can decide
++whether future versions of the GNU Lesser General Public License shall
++apply, that proxy's public statement of acceptance of any version is
++permanent authorization for you to choose that version for the
++Library.
++
 === added file '3rd_party/xdg/README.md'
 --- 3rd_party/xdg/README.md	1970-01-01 00:00:00 +0000
 +++ 3rd_party/xdg/README.md	2015-11-15 21:10:18 +0000
@@ -0,0 +1,87 @@
++# xdg
++
++A straightforward implementation of the XDG Base Directory Specification in C++11.
++I became tired of retyping and retesting the same functionality over and over again,
++so I decided to place my own little helper here.
++
++## Dependencies
++
++ - boost::filesystem: For handling all things filesystem paths.
++ - boost::system:: Required by boost::filesystem.
++ - boost::test: For testing purposes obviously.
++
++Install with
++```bash
++sudo apt-get install libboost-filesystem-dev libboost-system-dev libboost-test-dev
++```
++
++## Quick'n'Easy Integration
++
++xdg provides free functions that are easy to integrate with existing projects.
++```cpp
++#include <xdg.h>
++
++#include <iostream>
++
++int main()
++{
++	std::cout << xdg::data().home() << std::endl;
++	std::cout << xdg::config().home() << std::endl;
++	std::cout << xdg::cache().home() << std::endl;
++	std::cout << xdg::runtime().dir() << std::endl;
++
++	return 0;
++}
++```
++
++## Complete Integration
++
++The interface xdg::BaseDirSpecification can be used to integrate xdg base directory
++queries into a code base such that interaction with the xdg::BaseDirSpecification is testable.
++
++```cpp
++#include <xdg.h>
++
++class MyClass
++{
++public:
++    MyClass(const std::shared_ptr<xdg::BaseDirSpecification>& bds) : bds{bds}
++    {
++    }
++
++    void do_something()
++    {
++        // Query the user-specific config directory.
++        auto path = bds->config().home();
++        // Do something with the config files.
++    }
++private:
++	std::shared_ptr<xdg::BaseDirSpecification> bds;
++};
++
++// In the testing setup, under the assumption of Google Test and Google Mock.
++namespace
++{
++struct MockConfig : public xdg::Config
++{
++    // ...
++};
++struct MockBaseDirSpecification : public xdg::BaseDirSpecification
++{
++    // ...
++};
++}
++
++TEST(MyClass, do_something_queries_config_home_directory)
++{
++    using namespace ::testing;
++    auto config = std::make_shared<NiceMock<MockConfig>>();
++    EXPECT_CALL(*config, home()).Times(1).ReturnRepeatedly("/tmp");
++
++    auto bds = std::make_shared<NiceMock<MockBaseDirSpecification>>();
++    ON_CALL(*bds, config()).WillByDefault(ReturnRef(*config));
++
++    MyClass mc{bds};
++    mc.do_something();
++}
++```
 === added file '3rd_party/xdg/xdg.cpp'
 --- 3rd_party/xdg/xdg.cpp	1970-01-01 00:00:00 +0000
 +++ 3rd_party/xdg/xdg.cpp	2015-11-15 21:10:18 +0000
@@ -0,0 +1,203 @@
++// Copyright (C) 2015 Thomas Voß <thomas.voss.bochum@gmail.com>
++//
++// This library is free software: you can redistribute it and/or modify
++// it under the terms of the GNU Lesser General Public License as published
++// by the Free Software Foundation, either version 3 of the License, or
++// (at your option) any later version.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU Lesser General Public License
++// along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++#include <xdg.h>
++
++#include <boost/algorithm/string.hpp>
++
++#include <cstdlib>
++#include <stdexcept>
++
++namespace fs = boost::filesystem;
++
++namespace
++{
++
++fs::path throw_if_not_absolute(const fs::path& p)
++{
++    if (p.has_root_directory())
++        return p;
++
++    throw std::runtime_error{"Directores MUST be absolute."};
++}
++
++namespace env
++{
++std::string get(const std::string& key, const std::string& default_value)
++{
++    if (auto value = std::getenv(key.c_str()))
++        return value;
++    return default_value;
++}
++
++std::string get_or_throw(const std::string& key)
++{
++    if (auto value = std::getenv(key.c_str()))
++    {
++        return value;
++    }
++
++    throw std::runtime_error{key + " not set in environment"};
++}
++
++constexpr const char* xdg_data_home{"XDG_DATA_HOME"};
++constexpr const char* xdg_data_dirs{"XDG_DATA_DIRS"};
++constexpr const char* xdg_config_home{"XDG_CONFIG_HOME"};
++constexpr const char* xdg_config_dirs{"XDG_CONFIG_DIRS"};
++constexpr const char* xdg_cache_home{"XDG_CACHE_HOME"};
++constexpr const char* xdg_runtime_dir{"XDG_RUNTIME_DIR"};
++}
++
++namespace impl
++{
++class BaseDirSpecification : public xdg::BaseDirSpecification
++{
++public:
++    static const BaseDirSpecification& instance()
++    {
++        static const BaseDirSpecification spec;
++        return spec;
++    }
++
++    BaseDirSpecification()
++    {
++    }
++
++    const xdg::Data& data() const override
++    {
++        return data_;
++    }
++
++    const xdg::Config& config() const override
++    {
++        return config_;
++    }
++
++    const xdg::Cache& cache() const override
++    {
++        return cache_;
++    }
++
++    const xdg::Runtime& runtime() const override
++    {
++        return runtime_;
++    }
++
++private:
++    xdg::Data data_;
++    xdg::Config config_;
++    xdg::Cache cache_;
++    xdg::Runtime runtime_;
++};
++}
++}
++
++fs::path xdg::Data::home() const
++{
++    auto v = env::get(env::xdg_data_home, "");
++    if (v.empty())
++        return throw_if_not_absolute(fs::path{env::get_or_throw("HOME")} / ".local" / "share");
++
++    return throw_if_not_absolute(fs::path(v));
++}
++
++std::vector<fs::path> xdg::Data::dirs() const
++{
++    auto v = env::get(env::xdg_data_dirs, "");
++    if (v.empty())
++        return {fs::path{"/usr/local/share"}, fs::path{"/usr/share"}};
++
++    std::vector<std::string> tokens;
++    tokens = boost::split(tokens, v, boost::is_any_of(":"));
++    std::vector<fs::path> result;
++    for (const auto& token : tokens)
++    {
++        result.push_back(throw_if_not_absolute(fs::path(token)));
++    }
++    return result;
++}
++
++fs::path xdg::Config::home() const
++{
++    auto v = env::get(env::xdg_config_home, "");
++    if (v.empty())
++        return throw_if_not_absolute(fs::path{env::get_or_throw("HOME")} / ".config");
++
++    return throw_if_not_absolute(fs::path(v));
++}
++
++std::vector<fs::path> xdg::Config::dirs() const
++{
++    auto v = env::get(env::xdg_config_dirs, "");
++    if (v.empty())
++        return {fs::path{"/etc/xdg"}};
++
++    std::vector<std::string> tokens;
++    tokens = boost::split(tokens, v, boost::is_any_of(":"));
++    std::vector<fs::path> result;
++    for (const auto& token : tokens)
++    {
++        fs::path p(token);
++        result.push_back(throw_if_not_absolute(p));
++    }
++    return result;
++}
++
++fs::path xdg::Cache::home() const
++{
++    auto v = env::get(env::xdg_cache_home, "");
++    if (v.empty())
++        return throw_if_not_absolute(fs::path{env::get_or_throw("HOME")} / ".cache");
++
++    return throw_if_not_absolute(fs::path(v));
++}
++
++fs::path xdg::Runtime::dir() const
++{
++    auto v = env::get(env::xdg_config_home, "");
++    if (v.empty())
++    {
++        // We do not fall back gracefully and instead throw, dispatching to calling
++        // code for handling the case of a safe user-specfic runtime directory missing.
++        throw std::runtime_error{"Runtime directory not set"};
++    }
++
++    return throw_if_not_absolute(fs::path(v));
++}
++
++std::shared_ptr<xdg::BaseDirSpecification> xdg::BaseDirSpecification::create()
++{
++    return std::make_shared<impl::BaseDirSpecification>();
++}
++
++const xdg::Data& xdg::data()
++{
++    return impl::BaseDirSpecification::instance().data();
++}
++
++const xdg::Config& xdg::config()
++{
++    return impl::BaseDirSpecification::instance().config();
++}
++
++const xdg::Cache& xdg::cache()
++{
++    return impl::BaseDirSpecification::instance().cache();
++}
++
++const xdg::Runtime& xdg::runtime()
++{
++    return impl::BaseDirSpecification::instance().runtime();
++}
 === added file '3rd_party/xdg/xdg.h'
 --- 3rd_party/xdg/xdg.h	1970-01-01 00:00:00 +0000
 +++ 3rd_party/xdg/xdg.h	2015-11-15 21:10:18 +0000
@@ -0,0 +1,118 @@
++// Copyright (C) 2015 Thomas Voß <thomas.voss.bochum@gmail.com>
++//
++// This library is free software: you can redistribute it and/or modify
++// it under the terms of the GNU Lesser General Public License as published
++// by the Free Software Foundation, either version 3 of the License, or
++// (at your option) any later version.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU Lesser General Public License
++// along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#ifndef XDG_H_
++#define XDG_H_
++
++#include <boost/filesystem.hpp>
++
++#include <string>
++#include <vector>
++
++namespace xdg
++{
++// NotCopyable deletes the copy c'tor and the assignment operator.
++struct NotCopyable
++{
++    NotCopyable() = default;
++    NotCopyable(const NotCopyable&) = delete;
++    virtual ~NotCopyable() = default;
++    NotCopyable& operator=(const NotCopyable&) = delete;
++};
++
++// NotMoveable deletes the move c'tor and the move assignment operator.
++struct NotMoveable
++{
++    NotMoveable() = default;
++    NotMoveable(NotMoveable&&) = delete;
++    virtual ~NotMoveable() = default;
++    NotMoveable& operator=(NotMoveable&&) = delete;
++};
++
++// Data provides functions to query the XDG_DATA_* entries.
++class Data : NotCopyable, NotMoveable
++{
++public:
++    // home returns the base directory relative to which user specific
++    // data files should be stored.
++    virtual boost::filesystem::path home() const;
++    // dirs returns the preference-ordered set of base directories to
++    // search for data files in addition to the $XDG_DATA_HOME base
++    // directory.
++    virtual std::vector<boost::filesystem::path> dirs() const;
++};
++
++// Config provides functions to query the XDG_CONFIG_* entries.
++class Config : NotCopyable, NotMoveable
++{
++public:
++    // home returns the base directory relative to which user specific
++    // configuration files should be stored.
++    virtual boost::filesystem::path home() const;
++    // dirs returns the preference-ordered set of base directories to
++    // search for configuration files in addition to the
++    // $XDG_CONFIG_HOME base directory.
++    virtual std::vector<boost::filesystem::path> dirs() const;
++};
++
++// Cache provides functions to query the XDG_CACHE_HOME entry.
++class Cache : NotCopyable, NotMoveable
++{
++public:
++    // home returns the base directory relative to which user specific
++    // non-essential data files should be stored.
++    virtual boost::filesystem::path home() const;
++};
++
++// Runtime provides functions to query the XDG_RUNTIME_DIR entry.
++class Runtime : NotCopyable, NotMoveable
++{
++public:
++    // home returns the base directory relative to which user-specific
++    // non-essential runtime files and other file objects (such as
++    // sockets, named pipes, ...) should be stored.
++    virtual boost::filesystem::path dir() const;
++};
++
++// A BaseDirSpecification implements the XDG base dir specification:
++//   http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
++class BaseDirSpecification : NotCopyable, NotMoveable
++{
++public:
++    // create returns an Implementation of BaseDirSpecification.
++    static std::shared_ptr<BaseDirSpecification> create();
++
++    // data returns an immutable Data instance.
++    virtual const Data& data() const = 0;
++    // config returns an immutable Config instance.
++    virtual const Config& config() const = 0;
++    // cache returns an immutable Cache instance.
++    virtual const Cache& cache() const = 0;
++    // runtime returns an immutable Runtime instance.
++    virtual const Runtime& runtime() const = 0;
++protected:
++    BaseDirSpecification() = default;
++};
++
++// data returns an immutable reference to a Data instance.
++const Data& data();
++// config returns an immutable reference to a Config instance.
++const Config& config();
++// cache returns an immutable reference to a Cache instance.
++const Cache& cache();
++// runtime returns an immutable reference to a Runtime instance.
++const Runtime& runtime();
++}
++
++#endif // XDG_H_
 === added file '3rd_party/xdg/xdg_test.cpp'
 --- 3rd_party/xdg/xdg_test.cpp	1970-01-01 00:00:00 +0000
 +++ 3rd_party/xdg/xdg_test.cpp	2015-11-15 21:10:18 +0000
@@ -0,0 +1,130 @@
++// Copyright (C) 2015 Thomas Voß <thomas.voss.bochum@gmail.com>
++//
++// This library is free software: you can redistribute it and/or modify
++// it under the terms of the GNU Lesser General Public License as published
++// by the Free Software Foundation, either version 3 of the License, or
++// (at your option) any later version.
++//
++// This program is distributed in the hope that it will be useful,
++// but WITHOUT ANY WARRANTY; without even the implied warranty of
++// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++// GNU General Public License for more details.
++//
++// You should have received a copy of the GNU Lesser General Public License
++// along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++#include <xdg.h>
++
++#include <boost/test/unit_test.hpp>
++
++#include <cstdlib>
++#include <iostream>
++
++BOOST_AUTO_TEST_CASE(XdgDataHomeThrowsForRelativeDirectoryFromEnv)
++{
++    ::setenv("XDG_DATA_HOME", "tmp", 1);
++    BOOST_CHECK_THROW(xdg::BaseDirSpecification::create()->data().home(), std::runtime_error);
++    BOOST_CHECK_THROW(xdg::data().home(), std::runtime_error);
++}
++
++BOOST_AUTO_TEST_CASE(XdgDataHomeReturnsDefaultValueForEmptyEnv)
++{
++    ::setenv("HOME", "/tmp", 1);
++    ::setenv("XDG_DATA_HOME", "", 1);
++    BOOST_CHECK_EQUAL("/tmp/.local/share", xdg::BaseDirSpecification::create()->data().home());
++    BOOST_CHECK_EQUAL("/tmp/.local/share", xdg::data().home());
++}
++
++BOOST_AUTO_TEST_CASE(XdgDataDirsCorrectlyTokenizesEnv)
++{
++    ::setenv("XDG_DATA_DIRS", "/tmp:/tmp", 1);
++    BOOST_CHECK(2 == xdg::BaseDirSpecification::create()->data().dirs().size());
++    BOOST_CHECK(2 == xdg::data().dirs().size());
++}
++
++BOOST_AUTO_TEST_CASE(XdgDataDirsThrowsForRelativeDirectoryFromEnv)
++{
++    ::setenv("XDG_DATA_DIRS", "/tmp:tmp", 1);
++    BOOST_CHECK_THROW(xdg::BaseDirSpecification::create()->data().dirs(), std::runtime_error);
++    BOOST_CHECK_THROW(xdg::data().dirs(), std::runtime_error);
++}
++
++BOOST_AUTO_TEST_CASE(XdgDataDirsReturnsDefaultValueForEmptyEnv)
++{
++    ::setenv("XDG_DATA_DIRS", "", 1);
++    auto dirs = xdg::data().dirs();
++    BOOST_CHECK_EQUAL("/usr/local/share", dirs[0]);
++    BOOST_CHECK_EQUAL("/usr/share", dirs[1]);
++
++    dirs = xdg::BaseDirSpecification::create()->data().dirs();
++    BOOST_CHECK_EQUAL("/usr/local/share", dirs[0]);
++    BOOST_CHECK_EQUAL("/usr/share", dirs[1]);
++}
++
++BOOST_AUTO_TEST_CASE(XdgConfigHomeThrowsForRelativeDirectoryFromEnv)
++{
++    ::setenv("XDG_CONFIG_HOME", "tmp", 1);
++    BOOST_CHECK_THROW(xdg::BaseDirSpecification::create()->config().home(), std::runtime_error);
++    BOOST_CHECK_THROW(xdg::config().home(), std::runtime_error);
++}
++
++BOOST_AUTO_TEST_CASE(XdgConfigHomeReturnsDefaultValueForEmptyEnv)
++{
++    ::setenv("HOME", "/tmp", 1);
++    ::setenv("XDG_CONFIG_HOME", "", 1);
++    BOOST_CHECK_EQUAL("/tmp/.config", xdg::BaseDirSpecification::create()->config().home());
++    BOOST_CHECK_EQUAL("/tmp/.config", xdg::config().home());
++}
++
++BOOST_AUTO_TEST_CASE(XdgConfigDirsCorrectlyTokenizesEnv)
++{
++    ::setenv("XDG_CONFIG_DIRS", "/tmp:/tmp", 1);
++    BOOST_CHECK(2 == xdg::BaseDirSpecification::create()->config().dirs().size());
++    BOOST_CHECK(2 == xdg::config().dirs().size());
++}
++
++BOOST_AUTO_TEST_CASE(XdgConfigDirsThrowsForRelativeDirectoryFromEnv)
++{
++    ::setenv("XDG_CONFIG_DIRS", "/tmp:tmp", 1);
++    BOOST_CHECK_THROW(xdg::BaseDirSpecification::create()->config().dirs(), std::runtime_error);
++    BOOST_CHECK_THROW(xdg::config().dirs(), std::runtime_error);
++}
++
++BOOST_AUTO_TEST_CASE(XdgConfigDirsReturnsDefaultValueForEmptyEnv)
++{
++    ::setenv("XDG_CONFIG_DIRS", "", 1);
++    auto dirs = xdg::config().dirs();
++    BOOST_CHECK_EQUAL("/etc/xdg", dirs[0]);
++    dirs = xdg::BaseDirSpecification::create()->config().dirs();
++    BOOST_CHECK_EQUAL("/etc/xdg", dirs[0]);
++}
++
++BOOST_AUTO_TEST_CASE(XdgCacheHomeThrowsForRelativeDirectoryFromEnv)
++{
++    ::setenv("XDG_CACHE_HOME", "tmp", 1);
++    BOOST_CHECK_THROW(xdg::BaseDirSpecification::create()->cache().home(), std::runtime_error);
++    BOOST_CHECK_THROW(xdg::cache().home(), std::runtime_error);
++}
++
++BOOST_AUTO_TEST_CASE(XdgCacheHomeReturnsDefaultValueForEmptyEnv)
++{
++    ::setenv("HOME", "/tmp", 1);
++    ::setenv("XDG_CACHE_HOME", "", 1);
++    BOOST_CHECK_EQUAL("/tmp/.cache", xdg::BaseDirSpecification::create()->cache().home());
++    BOOST_CHECK_EQUAL("/tmp/.cache", xdg::cache().home());
++}
++
++BOOST_AUTO_TEST_CASE(XdgRuntimeDirThrowsForRelativeDirectoryFromEnv)
++{
++    ::setenv("XDG_RUNTIME_DIR", "tmp", 1);
++    BOOST_CHECK_THROW(xdg::BaseDirSpecification::create()->runtime().dir(), std::runtime_error);
++    BOOST_CHECK_THROW(xdg::runtime().dir(), std::runtime_error);
++}
++
++BOOST_AUTO_TEST_CASE(XdgRuntimeDirThrowsForEmptyEnv)
++{
++    ::setenv("XDG_RUNTIME_DIR", "", 1);
++    BOOST_CHECK_THROW(xdg::BaseDirSpecification::create()->runtime().dir(), std::runtime_error);
++    BOOST_CHECK_THROW(xdg::runtime().dir(), std::runtime_error);
++}
++
 === modified file 'CMakeLists.txt'
 --- CMakeLists.txt	2015-08-31 13:16:20 +0000
 +++ CMakeLists.txt	2015-11-15 21:10:18 +0000
@@ -28,7 +28,9 @@
  ENDIF(CMAKE_BUILD_TYPE MATCHES [cC][oO][vV][eE][rR][aA][gG][eE])
  find_package(PkgConfig)
--find_package(Boost COMPONENTS program_options system REQUIRED)
++find_package(Boost COMPONENTS filesystem program_options system REQUIRED)
++
++add_subdirectory(3rd_party/xdg)
  option(
    TRUST_STORE_MIR_AGENT_ENABLED
@@ -54,6 +56,7 @@
  include_directories(
    include/
++  3rd_party/xdg
    ${GFLAGS_INCLUDE_DIRS}
    ${GLOG_INCLUDE_DIRS}
 === modified file 'debian/control'
 --- debian/control	2015-08-31 13:16:20 +0000
 +++ debian/control	2015-11-15 21:10:18 +0000
@@ -7,11 +7,14 @@
                 google-mock,
                 graphviz,
                 libapparmor-dev,
++               libboost-filesystem-dev,
                 libboost-program-options-dev,
                 libboost-system-dev,
++               libboost-test-dev,
                 libdbus-cpp-dev (>= 4.0.0),
                 libdbus-1-dev,
                 libgflags-dev,
++               libglib2.0-dev,
                 libgoogle-glog-dev,
                 libgtest-dev,
                 libjson-c-dev,
 === modified file 'debian/source/format'
 --- debian/source/format	2014-08-14 13:05:04 +0000
 +++ debian/source/format	2015-11-15 21:10:18 +0000
@@ -1,1 +1,1 @@
--3.0 (quilt)
++3.0 (native)
 === modified file 'src/CMakeLists.txt'
 --- src/CMakeLists.txt	2015-08-31 13:16:20 +0000
 +++ src/CMakeLists.txt	2015-11-15 21:10:18 +0000
@@ -20,6 +20,8 @@
  pkg_check_modules(DBUS_CPP dbus-cpp REQUIRED)
  pkg_check_modules(DBUS dbus-1 REQUIRED)
++pkg_check_modules(GLIB glib-2.0 REQUIRED)
++pkg_check_modules(GOBJECT gobject-2.0 REQUIRED)
  pkg_check_modules(LIBAPPARMOR libapparmor REQUIRED)
  pkg_check_modules(SQLITE3 sqlite3 REQUIRED)
@@ -28,6 +30,8 @@
  include_directories(
    ${DBUS_CPP_INCLUDE_DIRS}
    ${DBUS_INCLUDE_DIRS}
++  ${GLIB_INCLUDE_DIRS}
++  ${GOBJECT_INCLUDE_DIRS}
    ${LIBAPPARMOR_INCLUDE_DIRS}
    ${SQLITE3_INCLUDE_DIRS}
+ )
@@ -70,6 +74,7 @@
      # to prompt the user for trusting an application to access a trusted
      # system service.
      core/trust/mir/agent.cpp
++    core/trust/mir/click_desktop_entry_app_name_resolver.cpp
+   )
    # Make sure Qt does not inject evil macros like 'signals' and 'slots'.
@@ -180,11 +185,14 @@
    trust-store
    dbus-cpp
++  xdg
    ${Boost_LIBRARIES}
    ${DBUS_LIBRARIES}
    ${GFLAGS_LDFLAGS}
    ${GLOG_LDFLAGS}
++  ${GLIB_LDFLAGS}
++  ${GOBJECT_LDFLAGS}
    ${LIBAPPARMOR_LDFLAGS}
    ${MIR_CLIENT_LDFLAGS}
    ${PROCESS_CPP_LDFLAGS}
 === modified file 'src/core/trust/impl/sqlite3/store.cpp'
 --- src/core/trust/impl/sqlite3/store.cpp	2014-11-14 12:17:24 +0000
 +++ src/core/trust/impl/sqlite3/store.cpp	2015-11-15 21:10:18 +0000
@@ -21,6 +21,7 @@
  #include <core/posix/this_process.h>
  #include <sqlite3.h>
++#include <xdg.h>
  #include <cstring>
  #include <iostream>
@@ -32,16 +33,9 @@
  namespace core
+ {
--std::string home()
--{
--    return core::posix::this_process::env::get_or_throw("HOME");
--}
--
  std::string runtime_persistent_data_dir()
+ {
--    return core::posix::this_process::env::get(
--                "XDG_DATA_HOME",
--                home() + "/.local/share");
++    return xdg::data().home().string();
+ }
  struct Directory
 === modified file 'src/core/trust/mir/agent.cpp'
 --- src/core/trust/mir/agent.cpp	2015-08-31 13:16:20 +0000
 +++ src/core/trust/mir/agent.cpp	2015-11-15 21:10:18 +0000
@@ -134,21 +134,7 @@
+ {
      static auto child_setup = []() {};
--    // We translate to human readable strings here, and do it a non-translateable way first
--    // We post-process the application id and try to extract the unversioned package name.
--    // Please see https://wiki.ubuntu.com/AppStore/Interfaces/ApplicationId.
--    static const std::regex regex_full_app_id{"(.*)_(.*)_(.*)"};
--    static const std::regex regex_short_app_id{"(.*)_(.*)"};
--    static constexpr std::size_t index_app{2};
--
      auto app_name = args.application_id;
--
--    std::smatch match;
--    if (std::regex_match(app_name, match, regex_full_app_id))
--        app_name = std::string{match[index_app]};
--    else if (std::regex_match(app_name, match, regex_short_app_id))
--        app_name = std::string{match[index_app]};
--
      auto description = (boost::format(i18n::tr(args.description, i18n::service_text_domain())) % app_name).str();
      std::vector<std::string> argv
@@ -219,17 +205,8 @@
      };
+ }
--mir::Agent::Agent(
--        // VTable object providing access to Mir's trusted prompting functionality.
--        const mir::ConnectionVirtualTable::Ptr& connection_vtable,
--        // Exec helper for starting up prompt provider child processes with the correct setup
--        // of command line arguments and environment variables.
--        const mir::PromptProviderHelper::Ptr& exec_helper,
--        // A translator function for mapping child process exit states to trust::Request answers.
--        const std::function<core::trust::Request::Answer(const core::posix::wait::Result&)>& translator)
--    : connection_vtable(connection_vtable),
--      exec_helper(exec_helper),
--      translator(translator)
++mir::Agent::Agent(const mir::Agent::Configuration& config)
++    : config(config)
+ {
+ }
@@ -260,7 +237,7 @@
      } scope
+     {
          // We setup the prompt session and wire up to our own internal callback helper.
--        connection_vtable->create_prompt_session_sync(
++        config.connection_vtable->create_prompt_session_sync(
                      parameters.application.pid,
                      Agent::on_trust_session_changed_state,
                      &cb_context)
@@ -273,16 +250,16 @@
      mir::PromptProviderHelper::InvocationArguments args
+     {
          fd,
--        parameters.application.id,
++        config.app_name_resolver->resolve(parameters.application.id),
          parameters.description
      };
      // Ask the helper to fire up the prompt provider.
--    cb_context.prompt_provider_process = exec_helper->exec_prompt_provider_with_arguments(args);
++    cb_context.prompt_provider_process = config.exec_helper->exec_prompt_provider_with_arguments(args);
      // And subsequently wait for it to finish.
      auto result = cb_context.prompt_provider_process.wait_for(core::posix::wait::Flags::untraced);
--    return translator(result);
++    return config.translator(result);
+ }
  bool mir::operator==(const mir::PromptProviderHelper::InvocationArguments& lhs, const mir::PromptProviderHelper::InvocationArguments& rhs)
@@ -291,6 +268,7 @@
+ }
  #include "config.h"
++#include "click_desktop_entry_app_name_resolver.h"
  MirConnection* mir::connect(const std::string& endpoint, const std::string& name)
+ {
@@ -318,13 +296,8 @@
+         }
      };
--    return mir::Agent::Ptr
--    {
--        new mir::Agent
--        {
--            cvt,
--            pph,
--            mir::Agent::translator_only_accepting_exit_status_success()
--        }
--    };
++    mir::AppNameResolver::Ptr anr{new mir::ClickDesktopEntryAppNameResolver{}};
++
++    mir::Agent::Configuration config{cvt, pph, mir::Agent::translator_only_accepting_exit_status_success(), anr};
++    return mir::Agent::Ptr{new mir::Agent{config}};
+ }
 === modified file 'src/core/trust/mir/agent.h'
 --- src/core/trust/mir/agent.h	2014-10-07 19:27:18 +0000
 +++ src/core/trust/mir/agent.h	2015-11-15 21:10:18 +0000
@@ -146,6 +146,17 @@
      CreationArguments creation_arguments;
  };
++// An AppNameResolver resolves an application id to a localized application name.
++struct AppNameResolver
++{
++    // Save us some typing.
++    typedef std::shared_ptr<AppNameResolver> Ptr;
++
++    virtual ~AppNameResolver() = default;
++    // resolve maps app_id to a localized application name.
++    virtual std::string resolve(const std::string& app_id) = 0;
++};
++
  // Implements the trust::Agent interface and dispatches calls to a helper
  // prompt provider, tying it together with the requesting service and app
  // by leveraging Mir's trusted session/prompting support.
@@ -154,6 +165,20 @@
      // Convenience typedef
      typedef std::shared_ptr<Agent> Ptr;
++    // A Configuration bundles creation-time configuration options.
++    struct Configuration
++    {
++        // VTable object providing access to Mir's trusted prompting functionality.
++        ConnectionVirtualTable::Ptr connection_vtable;
++        // Exec helper for starting up prompt provider child processes with the correct setup
++        // of command line arguments and environment variables.
++        PromptProviderHelper::Ptr exec_helper;
++        // A translator function for mapping child process exit states to trust::Request answers.
++        std::function<core::trust::Request::Answer(const core::posix::wait::Result&)> translator;
++        // AppNameResolver used by the agent to map incoming request app ids to application names.
++        AppNameResolver::Ptr app_name_resolver;
++    };
++
      // Helper struct for injecting state into on_trust_changed_state_state callbacks.
      // Used in prompt_user_for_request to wait for the trust session to be stopped.
      struct OnTrustSessionStateChangedCallbackContext
@@ -177,26 +202,16 @@
      // Throws std::logic_error if the process did not exit but was signaled.
      static std::function<core::trust::Request::Answer(const core::posix::wait::Result&)> translator_only_accepting_exit_status_success();
--    // Creates a new MirAgent instance with the given MirConnectionVirtualTable instance.
--    Agent(// VTable object providing access to Mir's trusted prompting functionality.
--          const ConnectionVirtualTable::Ptr& connection_vtable,
--          // Exec helper for starting up prompt provider child processes with the correct setup
--          // of command line arguments and environment variables.
--          const PromptProviderHelper::Ptr& exec_helper,
--          // A translator function for mapping child process exit states to trust::Request answers.
--          const std::function<core::trust::Request::Answer(const core::posix::wait::Result&)>& translator);
++    // Creates a new MirAgent instance with the given Configuration.
++    Agent(const Configuration& config);
      // From core::trust::Agent:
      // Throws a std::logic_error if anything unforeseen happens during execution, thus
      // indicating that no conclusive answer could be obtained from the user.
      core::trust::Request::Answer authenticate_request_with_parameters(const RequestParameters& parameters) override;
--    // The connection VTable used for creating trusted prompting sessions.
--    ConnectionVirtualTable::Ptr connection_vtable;
--    // Execution helper for firing up prompt provider executables.
--    PromptProviderHelper::Ptr exec_helper;
--    // Translator instance.
--    std::function<core::trust::Request::Answer(const core::posix::wait::Result&)> translator;
++    // The configured options.
++    Configuration config;
  };
  CORE_TRUST_DLL_PUBLIC bool operator==(const PromptProviderHelper::InvocationArguments&, const PromptProviderHelper::InvocationArguments&);
 === added file 'src/core/trust/mir/click_desktop_entry_app_name_resolver.cpp'
 --- src/core/trust/mir/click_desktop_entry_app_name_resolver.cpp	1970-01-01 00:00:00 +0000
 +++ src/core/trust/mir/click_desktop_entry_app_name_resolver.cpp	2015-11-15 21:10:18 +0000
@@ -0,0 +1,106 @@
++/*
++ * Copyright © 2015 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU Lesser General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Thomas Voß <thomas.voss@canonical.com>
++ */
++
++#include <core/trust/mir/click_desktop_entry_app_name_resolver.h>
++
++#include <glib.h>
++#include <xdg.h>
++
++#include <core/posix/this_process.h>
++
++#include <boost/algorithm/string.hpp>
++#include <boost/filesystem.hpp>
++#include <boost/format.hpp>
++
++#include <memory>
++#include <regex>
++#include <string>
++#include <stdexcept>
++#include <vector>
++
++namespace env = core::posix::this_process::env;
++namespace fs = boost::filesystem;
++namespace mir = core::trust::mir;
++
++namespace
++{
++boost::filesystem::path resolve_desktop_entry_or_throw(const std::string& app_id)
++{
++    boost::format pattern("%1%/applications/%2%.desktop");
++    fs::path p{(pattern % xdg::data().home().string() % app_id).str()};
++    if (fs::is_regular_file(p))
++        return p;
++
++    fs::path applications{xdg::data().home() / "applications"};
++    fs::directory_iterator it(applications), itE;
++    while (it != itE)
++    {
++        if (it->path().filename().string().find(app_id) == 0)
++            return it->path();
++        ++it;
++    }
++
++    for (auto dir : xdg::data().dirs())
++    {
++        fs::path p{(pattern % dir.string() % app_id).str()};
++        if (fs::is_regular_file(p))
++            return p;
++    }
++
++    throw std::runtime_error{"Could not resolve desktop entry for " + app_id};
++}
++
++// Wrap up a GError with an RAII approach, easing
++// cleanup if we throw an exception.
++struct Error
++{
++    ~Error() { clear(); }
++    void clear() { g_clear_error(&error); }
++
++    GError* error = nullptr;
++};
++
++std::string name_from_desktop_entry_or_throw(const fs::path& fn)
++{
++    Error g;
++    std::shared_ptr<GKeyFile> key_file{g_key_file_new(), [](GKeyFile* file) { if (file) g_key_file_free(file); }};
++
++    if (not g_key_file_load_from_file(key_file.get(), fn.string().c_str(), G_KEY_FILE_NONE, &g.error)) throw std::runtime_error
++    {
++        "Failed to load desktop entry [" + std::string(g.error->message) + "]"
++    };
++
++    auto app_name = g_key_file_get_locale_string(key_file.get(), G_KEY_FILE_DESKTOP_GROUP, G_KEY_FILE_DESKTOP_KEY_NAME, nullptr, &g.error);
++
++    if (g.error) throw std::runtime_error
++    {
++        "Failed to query localized name [" + std::string(g.error->message) + "]"
++    };
++
++    return app_name;
++}
++}
++
++mir::ClickDesktopEntryAppNameResolver::ClickDesktopEntryAppNameResolver()
++{
++}
++
++std::string mir::ClickDesktopEntryAppNameResolver::resolve(const std::string& app_id)
++{
++    return name_from_desktop_entry_or_throw(resolve_desktop_entry_or_throw(app_id));
++}
 === added file 'src/core/trust/mir/click_desktop_entry_app_name_resolver.h'
 --- src/core/trust/mir/click_desktop_entry_app_name_resolver.h	1970-01-01 00:00:00 +0000
 +++ src/core/trust/mir/click_desktop_entry_app_name_resolver.h	2015-11-15 21:10:18 +0000
@@ -0,0 +1,49 @@
++/*
++ * Copyright © 2015 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU Lesser General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Thomas Voß <thomas.voss@canonical.com>
++ */
++
++#ifndef CORE_TRUST_MIR_CLICK_DESKTOP_ENTRY_APP_NAME_RESOLVER_H_
++#define CORE_TRUST_MIR_CLICK_DESKTOP_ENTRY_APP_NAME_RESOLVER_H_
++
++#include <core/trust/mir/agent.h>
++
++namespace core
++{
++namespace trust
++{
++namespace mir
++{
++// A ClickDesktopEntryAppNameResolver queries the click database of installed
++// packages to resolve an app's installation folder in the local filesystem.
++// The directory is searched for a .desktop file, that is then loaded and queried
++// for the app's localized name.
++class CORE_TRUST_DLL_PUBLIC ClickDesktopEntryAppNameResolver : public AppNameResolver
++{
++public:
++    // ClickDesktopEntryAppNameResolver sets up an instance with default dbs.
++    ClickDesktopEntryAppNameResolver();
++
++    // resolve queries the click index and an apps desktop file entry for
++    // obtaining a localized application name. Throws std::runtime_error in
++    // case of issues.
++    std::string resolve(const std::string& app_id) override;
++};
++}
++}
++}
++
++#endif // CORE_TRUST_MIR_CLICK_DESKTOP_ENTRY_APP_NAME_RESOLVER_H_
 === modified file 'tests/CMakeLists.txt'
 --- tests/CMakeLists.txt	2014-11-14 12:17:24 +0000
 +++ tests/CMakeLists.txt	2015-11-15 21:10:18 +0000
@@ -242,20 +242,41 @@
      mir_agent_test.cpp
+   )
++  add_executable(
++    click_desktop_entry_app_name_resolver_test
++    click_desktop_entry_app_name_resolver_test.cpp
++  )
++
    target_link_libraries(
      mir_agent_test
      trust-store
--
--    gmock
--
--    gtest
--    gtest_main
--
--    ${PROCESS_CPP_LIBRARIES}
--  )
++    xdg
++
++    gmock
++
++    gtest
++    gtest_main
++
++    ${PROCESS_CPP_LIBRARIES}
++  )
++
++  target_link_libraries(
++    click_desktop_entry_app_name_resolver_test
++
++    trust-store
++
++    gmock
++
++    gtest
++    gtest_main
++
++    ${PROCESS_CPP_LIBRARIES}
++  )
++
    add_test(mir_agent_test ${CMAKE_CURRENT_BINARY_DIR}/mir_agent_test --gtest_filter=*-*requires_mir)
++  add_test(click_desktop_entry_app_name_resolver_test ${CMAKE_CURRENT_BINARY_DIR}/click_desktop_entry_app_name_resolver_test)
    install(
      TARGETS mir_agent_test
 === added file 'tests/click_desktop_entry_app_name_resolver_test.cpp'
 --- tests/click_desktop_entry_app_name_resolver_test.cpp	1970-01-01 00:00:00 +0000
 +++ tests/click_desktop_entry_app_name_resolver_test.cpp	2015-11-15 21:10:18 +0000
@@ -0,0 +1,60 @@
++/*
++ * Copyright © 2013 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify it
++ * under the terms of the GNU Lesser General Public License version 3,
++ * as published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: Thomas Voß <thomas.voss@canonical.com>
++ */
++
++#include <core/trust/mir/click_desktop_entry_app_name_resolver.h>
++#include <core/posix/this_process.h>
++#include "test_data.h"
++
++#include <gtest/gtest.h>
++
++namespace env = core::posix::this_process::env;
++namespace mir = core::trust::mir;
++
++TEST(ClickDesktopEntryAppNameResolver, throws_for_invalid_app_id)
++{
++    mir::ClickDesktopEntryAppNameResolver resolver;
++    EXPECT_THROW(resolver.resolve(""), std::runtime_error);
++    EXPECT_THROW(resolver.resolve("something:not:right"), std::runtime_error);
++}
++
++TEST(ClickDesktopEntryAppNameResolver, resolves_existing_desktop_entry_from_xdg_data_home)
++{
++    env::unset_or_throw("XDG_DATA_HOME");
++    env::set_or_throw("XDG_DATA_HOME", core::trust::testing::current_source_dir + std::string("/share"));
++    mir::ClickDesktopEntryAppNameResolver resolver;
++    EXPECT_NO_THROW(resolver.resolve("valid.pkg_app_0.0.0"));
++}
++
++TEST(ClickDesktopEntryAppNameResolver, robustly_resolves_existing_desktop_entry_from_xdg_data_home)
++{
++    env::unset_or_throw("XDG_DATA_HOME");
++    env::set_or_throw("XDG_DATA_HOME", core::trust::testing::current_source_dir + std::string("/share"));
++
++    mir::ClickDesktopEntryAppNameResolver resolver;
++    EXPECT_NO_THROW(resolver.resolve("valid.pkg_app"));
++}
++
++TEST(ClickDesktopEntryAppNameResolver, resolves_existing_desktop_entry_from_xdg_data_dirs)
++{
++    env::unset_or_throw("XDG_DATA_HOME"); env::unset_or_throw("XDG_DATA_DIRS");
++    env::set_or_throw("XDG_DATA_HOME", core::trust::testing::current_source_dir + std::string("/empty"));
++    env::set_or_throw("XDG_DATA_DIRS", core::trust::testing::current_source_dir + std::string("/share"));
++
++    mir::ClickDesktopEntryAppNameResolver resolver;
++    resolver.resolve("valid.pkg_app_0.0.0");
++}
 === added directory 'tests/empty'
 === added directory 'tests/empty/applications'
 === modified file 'tests/mir_agent_test.cpp'
 --- tests/mir_agent_test.cpp	2014-10-07 19:27:18 +0000
 +++ tests/mir_agent_test.cpp	2015-11-15 21:10:18 +0000
@@ -99,6 +99,11 @@
      MOCK_METHOD1(translate, core::trust::Request::Answer(const core::posix::wait::Result&));
  };
++struct MockAppNameResolver : public core::trust::mir::AppNameResolver
++{
++    MOCK_METHOD1(resolve, std::string(const std::string&));
++};
++
  std::shared_ptr<MockConnectionVirtualTable> a_mocked_connection_vtable()
+ {
      return std::make_shared<testing::NiceMock<MockConnectionVirtualTable>>();
@@ -117,6 +122,11 @@
                      "/bin/false"
                  });
+ }
++
++std::shared_ptr<MockAppNameResolver> a_mocked_app_name_resolver()
++{
++    return std::make_shared<MockAppNameResolver>();
++}
+ }
  TEST(DefaultProcessStateTranslator, throws_for_signalled_process)
@@ -209,6 +219,7 @@
      auto prompt_session_vtable = a_mocked_prompt_session_vtable();
      auto prompt_provider_exec_helper = a_mocked_prompt_provider_calling_bin_false();
++    auto app_name_resolver = a_mocked_app_name_resolver();
      ON_CALL(*connection_vtable, create_prompt_session_sync(_, _, _))
              .WillByDefault(Return(prompt_session_vtable));
@@ -219,6 +230,9 @@
      ON_CALL(*prompt_session_vtable, add_prompt_provider_sync(_))
              .WillByDefault(Return(true));
++    ON_CALL(*app_name_resolver, resolve(_))
++            .WillByDefault(ReturnArg<0>());
++
      EXPECT_CALL(*connection_vtable, create_prompt_session_sync(app_pid, _, _)).Times(1);
      EXPECT_CALL(*prompt_session_vtable, new_fd_for_prompt_provider()).Times(1);
@@ -228,21 +242,87 @@
      core::trust::mir::Agent agent
+     {
--        connection_vtable,
--        prompt_provider_exec_helper,
--        core::trust::mir::Agent::translator_only_accepting_exit_status_success()
--    };
--
--    EXPECT_EQ(core::trust::Request::Answer::denied, // /bin/false exits with failure.
--              agent.authenticate_request_with_parameters(
--                  core::trust::Agent::RequestParameters
--                  {
--                     core::trust::Uid{::getuid()},
--                     app_pid,
--                     app_id,
--                     feature,
--                     app_description
--                  }));
++        core::trust::mir::Agent::Configuration
++        {
++            connection_vtable,
++            prompt_provider_exec_helper,
++            core::trust::mir::Agent::translator_only_accepting_exit_status_success(),
++            app_name_resolver
++        }
++    };
++
++    EXPECT_EQ(core::trust::Request::Answer::denied, // /bin/false exits with failure.
++              agent.authenticate_request_with_parameters(
++                  core::trust::Agent::RequestParameters
++                  {
++                     core::trust::Uid{::getuid()},
++                     app_pid,
++                     app_id,
++                     feature,
++                     app_description
++                  }));
++}
++
++TEST(MirAgent, calls_into_app_name_resolver_with_app_id)
++{
++    using namespace ::testing;
++
++    const core::trust::Pid app_pid {21};
++    const std::string app_id {"does.not.exist.application"};
++    const std::string app_name{"MeMyselfAndI"};
++    const core::trust::Feature feature{42};
++    const std::string app_description {"This is just an extended description for %1%"};
++    const int pre_authenticated_fd {42};
++
++    const core::trust::mir::PromptProviderHelper::InvocationArguments reference_invocation_args
++    {
++        pre_authenticated_fd,
++        app_name,
++        app_description
++    };
++
++    auto connection_vtable = a_mocked_connection_vtable();
++    auto prompt_session_vtable = a_mocked_prompt_session_vtable();
++
++    auto prompt_provider_exec_helper = a_mocked_prompt_provider_calling_bin_false();
++    auto app_name_resolver = a_mocked_app_name_resolver();
++
++    ON_CALL(*connection_vtable, create_prompt_session_sync(_, _, _))
++            .WillByDefault(Return(prompt_session_vtable));
++
++    ON_CALL(*prompt_session_vtable, new_fd_for_prompt_provider())
++            .WillByDefault(Return(pre_authenticated_fd));
++
++    ON_CALL(*prompt_session_vtable, add_prompt_provider_sync(_))
++            .WillByDefault(Return(true));
++
++    EXPECT_CALL(*app_name_resolver, resolve(app_id)).Times(1).WillRepeatedly(Return(app_name));
++    EXPECT_CALL(*prompt_provider_exec_helper,
++                exec_prompt_provider_with_arguments(
++                    reference_invocation_args)).Times(1);
++
++    core::trust::mir::Agent agent
++    {
++        core::trust::mir::Agent::Configuration
++        {
++            connection_vtable,
++            prompt_provider_exec_helper,
++            core::trust::mir::Agent::translator_only_accepting_exit_status_success(),
++            app_name_resolver
++        }
++    };
++
++    EXPECT_EQ(core::trust::Request::Answer::denied, // /bin/false exits with failure.
++              agent.authenticate_request_with_parameters(
++                  core::trust::Agent::RequestParameters
++                  {
++                     core::trust::Uid{::getuid()},
++                     app_pid,
++                     app_id,
++                     feature,
++                     app_description
++                  }));
++
+ }
  TEST(MirAgent, sig_kills_prompt_provider_process_on_status_change)
@@ -270,6 +350,8 @@
      auto prompt_provider_helper = std::make_shared<MockPromptProviderHelper>(
                  core::trust::mir::PromptProviderHelper::CreationArguments{"/bin/false"});
++    auto app_name_resolver = a_mocked_app_name_resolver();
++
      void* prompt_session_state_callback_context{nullptr};
      ON_CALL(*prompt_provider_helper, exec_prompt_provider_with_arguments(_))
@@ -289,6 +371,9 @@
                  Return(
                      true));
++    ON_CALL(*app_name_resolver, resolve(_))
++            .WillByDefault(ReturnArg<0>());
++
      // An invocation results in a session being created. In addition,
      // we store pointers to callback and context provided by the implementation
      // for being able to later trigger the callback.
@@ -300,9 +385,13 @@
      core::trust::mir::Agent agent
+     {
--        connection_vtable,
--        prompt_provider_helper,
--        core::trust::mir::Agent::translator_only_accepting_exit_status_success()
++        core::trust::mir::Agent::Configuration
++        {
++            connection_vtable,
++            prompt_provider_helper,
++            core::trust::mir::Agent::translator_only_accepting_exit_status_success(),
++            app_name_resolver
++        }
      };
      std::thread asynchronously_stop_the_prompting_session
@@ -368,6 +457,8 @@
  #include <core/trust/mir/config.h>
  #include <core/trust/mir/prompt_main.h>
++#include <xdg.h>
++
  namespace
+ {
  std::map<std::string, std::string> a_copy_of_the_env()
@@ -383,15 +474,25 @@
  std::string mir_socket()
+ {
      // We either take the XDG_RUNTIME_DIR or fall back to /tmp if XDG_RUNTIME_DIR is not set.
--    std::string dir = core::posix::this_process::env::get("XDG_RUNTIME_DIR", "/tmp");
--    return dir + "/mir_socket";
++    try
++    {
++        return xdg::runtime().dir().string() + "/mir_socket";
++    } catch(...)
++    {
++        return "/tmp/mir_socket";
++    }
+ }
  std::string trusted_mir_socket()
+ {
      // We either take the XDG_RUNTIME_DIR or fall back to /tmp if XDG_RUNTIME_DIR is not set.
--    std::string dir = core::posix::this_process::env::get("XDG_RUNTIME_DIR", "/tmp");
--    return dir + "/mir_socket_trusted";
++    try
++    {
++        return xdg::runtime().dir().string() + "/mir_socket_trusted";
++    } catch(...)
++    {
++        return "/tmp/mir_socket_trusted";
++    }
+ }
+ }
 === added directory 'tests/share'
 === added directory 'tests/share/applications'
 === added file 'tests/share/applications/valid.pkg_app_0.0.0.desktop'
 --- tests/share/applications/valid.pkg_app_0.0.0.desktop	1970-01-01 00:00:00 +0000
 +++ tests/share/applications/valid.pkg_app_0.0.0.desktop	2015-11-15 21:10:18 +0000
@@ -0,0 +1,55 @@
++[Desktop Entry]
++Type=Application
++Name=Camera
++Name[am]=ካሜራ
++Name[ar]=الكاميرا
++Name[ast]=Cámara
++Name[az]=Kamera
++Name[bg]=Камера
++Name[br]=Kamera
++Name[bs]=Kamera
++Name[ca]=Càmera
++Name[ca@valencia]=Càmera
++Name[cs]=Fotoaparát
++Name[cy]=Camera
++Name[da]=Kamera
++Name[de]=Kamera
++Name[el]=Κάμερα
++Name[en_AU]=Camera
++Name[en_GB]=Camera
++Name[es]=Cámara
++Name[eu]=Kamera
++Name[fa]=دوربین
++Name[fi]=Kamera
++Name[fr]=Appareil photo
++Name[gd]=Camara
++Name[gl]=Cámara
++Name[he]=מצלמה
++Name[hi]=कैमरा
++Name[hr]=Fotoaparat
++Name[hu]=Kamera
++Name[hy]=Կամերա
++Name[is]=Myndavél
++Name[it]=Fotocamera
++Name[ja]=カメラ
++Name[km]=ម៉ាស៊ីន<U+200B>ថ<U+200B>ត
++Name[ko]=카메라
++Name[lo]=ກ້ອງ
++Name[lv]=Fotokamera
++Name[ml]=ക്യാമറ
++Name[ms]=Kamera
++Name[my]=ကင<U+103A>မရာ
++Name[nb]=Kamera
++Name[nl]=Camera
++Name[pa]=ਕੈਮਰਾ
++Name[pl]=Aparat
++Name[pt]=Câmara
++Name[pt_BR]=Câmera
++Name[ro]=Aparat foto
++Name[ru]=Камера
++Name[sl]=Fotoaparat
++Name[sr]=Камера
++Name[sv]=Kamera
++Name[ta]=புகைப்பட கருவி
++Name[te]=కెమేరా
++Name[tr]=Fotoğraf Makinesi
 === modified file 'tests/test_data.h.in'
 --- tests/test_data.h.in	2014-08-12 14:25:41 +0000
 +++ tests/test_data.h.in	2015-11-15 21:10:18 +0000
@@ -25,6 +25,11 @@
+ {
  namespace testing
+ {
++static constexpr const char* current_source_dir
++{
++    "@CMAKE_CURRENT_SOURCE_DIR@"
++};
++
  static constexpr const char* trust_prompt_executable_in_build_dir
+ {
      "@CMAKE_BINARY_DIR@/src/trust-prompt"