Account plugins should be made confinable by apparmor

The attached branch is a WIP with the changes on the Online Accounts part.

I added the apparmor-easyprof-ubuntu project to the bug because I think we'll need some changes there:

- There should be a way to specify an apparmor policy file for an account plugin, in the manifest file. This policy will typically contain the "accounts" policy, and then often also the "networking" and "webview" policies; but I'd rather let the developer explicitly declare all of the needed policies.

- The account plugin should have access to a unix socket: /run/user/<user-id>/online-accounts-ui/ui-<random-number>
  This is probably not really necessary with the current WIP code, since we call aa_change_profile() after connecting to that socket; we'll understand this better when we can test the whole thing.

- The account plugin should be able to send method calls on this D-Bus service (on the session bus):
  service=com.google.code.AccountsSSO.Accounts.Manager
  path=/com/google/code/AccountsSSO/Accounts/Manager
  interface=com.google.code.AccountsSSO.Accounts.Manager
  (the service then will itself check the apparmor label of the peer and decide whether to process the request or not)

I'll update the bug with comments as I find new apparmor rules being required.
So, this is also required:

  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,

I can create an evernote account with these rules:

  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
  dbus (send)
       bus=session
       path="/com/google/code/AccountsSSO/Accounts/Manager"
       interface="com.google.code.AccountsSSO.Accounts.Manager"
       member="store"
       peer=(name=com.google.code.AccountsSSO.Accounts.Manager,label=unconfined),

Latest version:

  owner /{,var/}run/user/*/online-accounts-ui/ui-*-@{APP_PKGNAME}_@{APP_APPNAME} rw,
  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,
  dbus (send)
       bus=session
       path="/com/google/code/AccountsSSO/Accounts/Manager"
       interface="com.google.code.AccountsSSO.Accounts.Manager"
       member="store"
       peer=(name=com.google.code.AccountsSSO.Accounts.Manager,label=unconfined),

This bug was fixed in the package ubuntu-system-settings-online-accounts - 0.6+15.04.20150116-0ubuntu1

---------------
ubuntu-system-settings-online-accounts (0.6+15.04.20150116-0ubuntu1) vivid; urgency=medium

  [ Alberto Mardegan ]
  * New upstream release
    - Make sure app items are not overlaid on top of each other (LP: #1384314)
    - Remove snap decision fallback
    - Make account plugins confinable (LP: #1219644)

  [ Ubuntu daily release ]
  * New rebuild forced
 -- Ubuntu daily release <email address hidden> Fri, 16 Jan 2015 17:18:06 +0000

The approach to take is to create an 'ubuntu-account-plugin' template. Mardy, do you have an example click I could use to test exactly what is needed?

Jamie, I've been using this: http://mardy.it/archivos/com.ubuntu.reminders_0.5.latest_armhf.click

I started playing with this and have a few observations:
* the account plugin is trying to access /proc/<pid>/attr/current - should this be explicitly denied to silence the denial?
* the account plugin is trying to create /home/phablet/.cache/online-accounts-ui/ -- this should be created on the account plugin's behalf
* this account plugin seems to want the audio policy group. this isn't a problem, it just wasn't mentioned before

Also, something isn't honoring and/or setting TMPDIR, since I'm seeing denials like this:
Feb 3 21:32:09 ubuntu-phablet kernel: [ 5292.570730] type=1400 audit(1422999129.043:411): apparmor="DENIED" operation="mknod" profile="com.ubuntu.reminders_evernote-account-plugin_0.5.latest" name="/tmp/etilqs_Ka88o35o73fdKe8" pid=9590 comm="BrowserBlocking" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

Using this for the evernote-account-plugin.apparmor:
{
    "template": "ubuntu-account-plugin",
    "policy_groups": [
        "accounts",
        "audio",
        "networking",
        "webview"
    ],
    "policy_version": 1.2
}

with apparmor-easyprof-ubuntu 1.3.4 (pending upload), I can successfully create an account under confinement. The reminders app itself is unable to use the account (I can start it, but it never leaves the splash screen). There are some denials:
...
Feb 3 21:37:50 ubuntu-phablet kernel: [ 5634.484968] type=1400 audit(1422999470.948:429): apparmor="DENIED" operation="mknod" profile="com.ubuntu.reminders_evernote-account-plugin_0.5.latest" name="/tmp/etilqs_R5PWXVRkWjQcVBC" pid=10898 comm="BrowserBlocking" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.3.4

---------------
apparmor-easyprof-ubuntu (1.3.4) vivid; urgency=medium

  [ Alberto Mardegan ]
  * ubuntu/accounts: explictly deny access to the p2p socket. This will now be
    available only to unconfined apps to support a trusted socket for
    privileged processes (LP: #1415492)

  [ Jamie Strandboge ]
  * add ubuntu/1.2/ubuntu-account-plugin template and add to 1.3 policy
    (LP: #1219644)
  * adjust expected_templates_12 in autopkgtests to have ubuntu-account-plugin
  * ubuntu/webview: allow /sys/devices/system/cpu/*/cpufreq/cpuinfo_max_freq
    readonly access
 -- Jamie Strandboge <email address hidden> Tue, 03 Feb 2015 16:24:15 -0600

On 02/03/2015 11:28 PM, Jamie Strandboge wrote:
> I started playing with this and have a few observations:
> * the account plugin is trying to access /proc/<pid>/attr/current - should this be explicitly denied to silence the denial?

No, I think that this happens because the account plugin code is calling
aa_gettaskcon(), but when creating the account the PID should actually
be the one from the account plugin itself, since it's the one making the
request.
I'll modify the plugin not to call aa_gettaskcon() if the PID to check
is == getpid().

> * the account plugin is trying to create /home/phablet/.cache/online-accounts-ui/ -- this should be created on the account plugin's behalf

Indeed, I'll make sure that this is created before the plugin is executed.

> * this account plugin seems to want the audio policy group. this isn't a problem, it just wasn't mentioned before

I saw some weird denials, but it was working anyway. Good that you found
what it was :-)

About the last denial,

  Feb 3 21:32:09 ubuntu-phablet kernel: [ 5292.570730] type=1400
audit(1422999129.043:411): apparmor="DENIED" operation="mknod"
profile="com.ubuntu.reminders_evernote-account-plugin_0.5.latest"
name="/tmp/etilqs_Ka88o35o73fdKe8" pid=9590 comm="BrowserBlocking"
requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

I have no idea what this is; I guess it might be coming from oxide?

Reopening for ubuntu-system-settings-online-accounts, since we have still some work to do.

Regarding the /tmp access-- I'm guessing that TMPDIR is not being set by the process launching the confined plugin. It can be set to one of the writable directories in the 1.3.4 policy; I suggest /run/user/$USER/online-accounts-ui/@{APP_PKGNAME}_@{APP_APPNAME}/ since it is in /run and will be cleaned on reboot. If you pick this, I'll adjust the policy.

This bug was fixed in the package ubuntu-system-settings-online-accounts - 0.6+15.04.20150319-0ubuntu1

---------------
ubuntu-system-settings-online-accounts (0.6+15.04.20150319-0ubuntu1) vivid; urgency=medium

  [ Alberto Mardegan ]
  * Merge from upstream
    - Add account data as search keywords (LP: #1373279)
    - Delete accounts when their plugin is removed (LP: #1413542)
    - More fixes for plugin confinement (LP: #1219644)
    - Fail initialization if trust session cannot be setup (LP: #1420847)

  [ CI Train Bot ]
  * Resync trunk
  * Resync trunk
  * Resync trunk
  * Resync trunk
 -- CI Train Bot <email address hidden> Thu, 19 Mar 2015 10:52:45 +0000

>> * the account plugin is trying to create /home/phablet/.cache/online-accounts-ui/ -- this should be created on the account plugin's behalf

> Indeed, I'll make sure that this is created before the plugin is executed.

This is still not fixed:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473] type=1400 audit(1435183375.362:404): apparmor="DENIED" operation="mkdir" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/" pid=15145 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

Also, why is it trying to create /home/phablet/.cache/QML/Apps/online-accounts-ui/? We agreed it should be using @{HOME}/.cache/online-accounts-ui/ which is what the apparmor policy allows (ie, QML/Apps is inserted in the path and this isn't allowed by the profile).

Also, if I allow this access in the profile, then the next denial is:
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400 audit(1435183920.324:495): apparmor="DENIED" operation="mknod" profile="com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0" name="/home/phablet/.cache/QML/Apps/online-accounts-ui/ea1df0af2467507eb3888f68100da073" pid=17998 comm="QQmlThread" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

The rules we agreed we would allow for this is:
  owner /{,var/}run/user/*/online-accounts-ui/ui-*-@{APP_PKGNAME}_@{APP_APPNAME} rw,
  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
  owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/** mrwkl,

This is on:
$ system-image-cli -i
current build number: 169
device name: mako
channel: ubuntu-touch/rc-proposed/ubuntu
last update: 2015-06-21 17:39:00
version version: 169
version ubuntu: 20150621
version device: 20150210
version custom: 20150621

These latest issues are now being tracked in bug #1468792.

https://developer.ubuntu.com/en/start/platform/guides/online-accounts-developer-guide/ and https://developer.ubuntu.com/en/start/platform/guides/app-confinement/ probably need an update now.