[apparmor] UDS

John Johansen john.johansen at canonical.com
Sun Oct 28 16:38:39 UTC 2012


On 10/27/2012 04:26 AM, Christian Boltz wrote:
> Hello,
> 
> I just had a short look at the UDS schedule - and basically it looks 
> like the whole security track is about AppArmor ;-)
> 
yeah it is getting interesting

> I'm not sure if I have time to listen to the livestreams, therefore let 
> me send some questions and notes in advance:
> 
> Most important question: will there be audio recordings available for 
> later download? (IIRC this didn't happen in the last years.)
> 
you're right, it didn't happen last time and I was surprised as we had it
the time before. I'll poke and see what I can find out

> Technical: please hand around the microphone (instead of just sitting 
> around it) - otherwise the livestream is not loud enough and, when made 
> louder, comes with lots of background noise.
> 
this will depend on how the room is set up, but we will keep it in mind
> 
> About the "Application Confinement (Content Access Helper)" session:
> At the risk of proposing something that you already came up with: ;-)
> 
> I'd propose to use a standalone binary that can be used by any 
> application (Px'ed or Ux'ed) for file - open and file - save as. 
> This binary should then copy the file to a temporary location (or use a 
> socket?) and hand it over to the calling application. This solution 
> would cover the most interesting[tm] usecases like confining web 
> browsers or acroread.
> 
There have been several ideas kicked around and I am sure there will be
more. But yes, your idea is similar to ideas that have been kicked around:
the file dialog runs external to the application sandbox and either
  - copies/links/mounts the file in
  - updates the profile
  - delegates object access in

> Applications offering file - save (as in: save again, with the same 
> name) might be a bit trickier, and applications allowing to specify a 
> file to open at the commandline ("gimp foo.xcf") as well.
> The problem is to make sure the user is aware that those files will be 
> opened/written - OTOH displaying a confirmation dialog each time would 
> work, but it would also be annoying.
> 
This is something we want to avoid. Prompting the average user just
doesn't work.

> There seems to be a xdg-file-dialog according to google, but I can't 
> find it in the openSUSE repos. Nevertheless, it might be a good place 
> where this feature could be implemented.
> 
> Oh, and if you implement this, please push it upstream for all 
> applications - I'd love to have this feature in openSUSE too ;-)
> 
absolutely, Ubuntu only has a small delta and we want to reduce it.

> 
> And a final question that is somewhat unrelated: I remember that using 
> etckeeper was discussed at the last(?) UDS. Did this happen in the 
> meantime? If yes, how good does it work?
> 
nothing has happened with it afaik, probably should add it to the
meeting agenda for next week
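
The "use a socket?" / "delegates object access in" option discussed above, sketched as an added example that is not part of the original message or any AppArmor code: an unconfined helper opens the user-chosen file and hands the application only an open descriptor over a Unix socket. Passing the descriptor with SCM_RIGHTS, the function names and the sample file are assumptions; the sketch shows the handover mechanics only and does not model how AppArmor policy treats a passed descriptor.

```python
import array
import os
import socket
import tempfile

def helper_delegate(sock, path, write=False):
    """Helper side, outside the sandbox: open the chosen file, send only the fd."""
    flags = os.O_RDWR if write else os.O_RDONLY
    fd = os.open(path, flags | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        # Payload is just a display name; the right to the file travels as SCM_RIGHTS.
        sock.sendmsg([os.path.basename(path).encode()],
                     [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])
    finally:
        os.close(fd)  # the receiver gets its own duplicate of the descriptor

def app_receive(sock):
    """Application side, inside the sandbox: accept exactly one delegated fd."""
    fds = array.array("i")
    # Ancillary buffer sized for a single descriptor.
    msg, ancdata, _flags, _addr = sock.recvmsg(255, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
    if len(fds) != 1:
        for fd in fds:
            os.close(fd)
        raise RuntimeError("expected exactly one delegated descriptor")
    return msg.decode(), fds[0]

def demo():
    """Constructed scenario: both roles in one process, joined by a socketpair."""
    helper_end, app_end = socket.socketpair()
    with tempfile.TemporaryDirectory() as d, helper_end, app_end:
        path = os.path.join(d, "report.txt")
        with open(path, "w") as f:
            f.write("chosen by the user\n")
        helper_delegate(helper_end, path)      # read-only delegation
        name, fd = app_receive(app_end)
        try:
            os.write(fd, b"tamper")
            writable = True
        except OSError:                        # O_RDONLY fd: write is refused
            writable = False
        with os.fdopen(fd) as f:
            return name, f.read(), writable

if __name__ == "__main__":
    print(demo())
```

The application never receives the full path, and the access mode is fixed by the helper at open time, which is why a read-only handover cannot be turned into a write.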



