In harmattan, if you want to access certain resources (E.G. Tracker) you need to ask for permission to the Security FW. It is not as bad as it sounds. You just need to add a file in your package explaining what “tokens” do you need. Then depending on where your package comes from and some other ingredients, the security FW decides if your application is worthy of such a privilege.
Today I was packaging a very first version of Mussorgsky in QML which requires the “TrackerReadAccess” token (to query Tracker via dbus). So far I have been working in the command line tool where a aegis-su -r TrackerReadAccess python mussorgsky.py was enough. But how to do the same when the application is installed?
- Create a
$PACKAGE_NAME.aegisfile under yourdebian/directory. There you need to declare what tokens you want for what binary. Example: in mussorgsky.aegis I request “TrackerReadAccess” for “/usr/lib/mussorgsky/mussorgsky-qml.py”, which is the executable that starts my program. - Put the aegis file in the package. Using CDBS is almost the same as in C++, without the include of autotools.mk:
# Add this to the debian/rules file
PACKAGE_TARGETS := $(foreach pkg,$(DEB_ALL_PACKAGES),binary/$(pkg))
$(PACKAGE_TARGETS)::
[ ! -f debian/$(notdir $@).aegis ] || aegis-deb-add -control \
debian/$(notdir $@)/DEBIAN/control .. debian/$(notdir $@).aegis=_aegis - Make your package build-depend on
aegis-builder (>=1.4)
Then you build your package. It should install nicely and your application run without problems on the device. Still, a couple of remarks:
- The token must go to a executable script (with
#!/usr/bin/pythonon its first line).python myscript.pywill not work. The path is absolute. - After installing the package, do NOT modify the installed files if they request a token. Security FW will discover an unexpected change in the file and lock the device (ops! reflash). Imported files and other resources can be modified.
Happy hacking.
Nice post! Have you tried pyside-assistant? It does the packaging stuff, easing the process. Hope it helps.
http://wiki.meego.com/Python/pyside-assistant
@Luciano I used a project created with pyside-assistant as inspiration to update my old-fashioned debian/ directory. Great stuff for starting a new project (we pythoners are outcasts from the QtCreator world
)
Lock the device, requiring a reflash? Seriously?
Yep, modifying a file under the security FW umbrella locks the device on a screen “suggesting” a reflash.
It is a nasty surprise first time it happens, but in practical terms is not so annoying: most of the time I run my application directly from the source code in $HOME with aegis-su, so I can modify/try without rebuilding the package.
>_<
Does it detects configuration files changes?
What if I needed to tweak some python app? I've done this a couple of times on my N900. And on N950 I will have to copy whole app to the $HOME?
This “integrity check” only affects programs or libraries that request a token to the security FW. Configuration files follow the usual user/group protection in linux. Nothing changes for that.
If the python app doesn’t request any special permission from security FW, you can tweak it as before. If the script makes something sensitive (that requires security supervision), then seems reasonable to prevent uncontrolled changes on it.
I agree that it’s reasonable to prevent changes — but bricking the entire device, instead of just forbidding that script from running, seems excessive to me.
It does not require reflash here. It works as designed, prevents the operation, that is. Which image do you use ?
Can you use Harmattan Security Framework together with a Python application in a way to store/retrieve API keys on the device in a secure manner? The idea would be that only the application could view and use the API key, and it would not be visible to user/root. If changes to the python scripts does cause a device lockup, then users could not intercept the key. Any thoughts on how to implement such a transaction? Thank you.