belohoub / UBsync

UBsync is the featured OwnCloud/Nextcloud data synchronization app for ubuntu-touch

open-store.io: Permission reasoning #6

Closed belohoub closed 2 years ago

belohoub commented 2 years ago

In the open-store app description, the reasoning should be provided at least for unconfined.

belohoub commented 2 years ago

The application is unconfined, as a common user should be able to back up any data from the phone.

The application source code can be reviewed on GitHub.

Danfro commented 2 years ago

Reason 1: Confined apps only have read and write access to their own app folders. To allow users to sync other folders too, the app needs to run unconfined to gain read/write access.

Reason 2: The app provides a sync daemon. Those daemons cannot be run under confinement currently.

belohoub commented 2 years ago

Thank you!

I found that reason 2 is actually narrower: the daemon is actually started by upstart (background running should be OK), but the DBUS interface would be blocked by any predefined apparmor policy.

Currently, we could only:

1) try to add a custom apparmor policy exclusively for UBsync to the next OTAs, or
2) try to discuss with the core team adding a "configurable" apparmor for DBUS interfaces - I only saw files with statically declared names/paths; the app currently uses the "org.owncloudsyncd.Controller" interface, or
3) change the daemon/app communication mechanism to e.g. a plain socket - this could be coverable by current apparmor policies.

I'm not very familiar with apparmor, so the above could be (partially) wrong ...

belohoub commented 2 years ago

The README has been updated appropriately; the openstore-io description will be updated manually.