Building native apps
Jamie Strandboge
jamie at canonical.com
Wed Feb 18 18:32:13 UTC 2015
On 02/18/2015 08:00 AM, Gábor Paller wrote:
> "There is no need though; root doesn't mean "danger" as it used to ;-)"
>
> Well, if you assume that "root" always executes apparmored applications then you
> are right.
> But currently the Way Of Working (TM) is that the operator obtains a root shell
> and executes all sorts of apps. Any mistake is fatal.
>
> You can consider the example of Android. There the zygote process spawns
> application processes which are subject to Android's permission system so they
> are boxed by the permissions they are assigned to - similarly to apparmor.
> Still, the zygote process does not run with root privileges. If it does (in case
> of rooted phones) then you open up the device to endless list of attacks.
>
The plan is to have a launcher that will be used both by the boot process
(eg systemd) and when invoking the apps via the shell so that the app will run
in its sandbox. The CLI experience and implementation is being defined and it
will be documented as the proper way to launch apps and it will be easy and
intuitive to use. We should support dropping privileges and/or running as
another user (as I said elsewhere). If you use an undocumented method to launch
the app directly out of /apps as root, the sandbox won't be in place, but an
admin running commands in this manner is expected to know the consequences.
In the farther out future, we may be able to do something when exec()'ing out of
/apps (we can do this with apparmor now since it is an LSM, but there isn't a
clean way to, for example, set up a seccomp filter or net cgroup from within the
kernel that is triggered off of the exec syscall()).
> Regards,
> Gabor
>
> On Tue, Feb 17, 2015 at 10:16 PM, Sergio Schvezov <sergio.schvezov at canonical.com> wrote:
>
> On Tuesday 17 February 2015 18:23:32 BRST, Gábor Paller wrote:
>
> Thanks, that was it, the version number had to be increased.
> Now the next thing would be to run as non-root but as far as I
> understand it is a work in progress.
>
> There is no need though; root doesn't mean "danger" as it used to ;-)
--
Jamie Strandboge http://www.ubuntu.com/
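A minimal launcher along the lines described in the reply above, added here as an illustration (it is not the thread's code nor the Snappy launcher): it asks AppArmor to confine the next exec, drops to the app's user in the safe order (groups, gid, uid), and refuses to exec unless the drop is verified as irreversible. The user name and AppArmor profile name are placeholders assumed for the example; the seccomp filter and net cgroup mentioned in the message are not set up here.

```python
import ctypes
import ctypes.util
import os
import pwd

def current_ids():
    """The real uid/gid this process currently runs with."""
    return os.getuid(), os.getgid()

def privileges_dropped(uid, gid):
    """True only if real/effective/saved ids all equal (uid, gid), uid is
    unprivileged, and root can no longer be regained through the saved uid."""
    if uid == 0:
        return False
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        return False
    try:
        os.setuid(0)          # must fail: the saved uid was cleared
    except PermissionError:
        return True
    return False              # regained root: the drop was incomplete

def drop_privileges(uid, gid):
    """Drop to uid/gid in the safe order: groups, then gid, then uid."""
    if os.geteuid() == 0:
        os.setgroups([])      # supplementary groups can only be cleared while root
    os.setresgid(gid, gid, gid)
    os.setresuid(uid, uid, uid)
    return privileges_dropped(uid, gid)

def confine_on_exec(profile):
    """Ask AppArmor to apply `profile` at the next exec via libapparmor's
    aa_change_onexec(). Returns False if libapparmor is not installed."""
    lib = ctypes.util.find_library("apparmor")
    if lib is None:
        return False
    if ctypes.CDLL(lib).aa_change_onexec(profile.encode()) != 0:
        raise OSError("aa_change_onexec(%s) failed" % profile)
    return True

def launch(argv, user, profile):
    """Launcher entry point: confine, drop privileges, then exec the app."""
    pw = pwd.getpwnam(user)              # `user` is assumed to exist on the host
    confine_on_exec(profile)             # `profile` is a placeholder name
    if not drop_privileges(pw.pw_uid, pw.pw_gid):
        raise SystemExit("refusing to exec %s: privileges not dropped" % argv[0])
    os.execvp(argv[0], argv)
```

Run as root, `launch(["/apps/example/bin/app"], "app-user", "example-profile")` only reaches execvp once the process can prove it cannot setuid back to 0.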