Merge lp:~ssweeny/bluez/snappy-interface into lp:~bluetooth/bluez/snap-core-rolling
- snappy-interface
- Merge into snap-core-rolling
Proposed by
Scott Sweeny
| Status: | Merged |
|---|---|
| Approved by: | Simon Fels |
| Approved revision: | 48 |
| Merged at revision: | 41 |
| Proposed branch: | lp:~ssweeny/bluez/snappy-interface |
| Merge into: | lp:~bluetooth/bluez/snap-core-rolling |
| Prerequisite: | lp:~morphis/bluez/fix-snapcraft-source |
| Diff against target: |
1457 lines (+13/-1384) 6 files modified
bluez.apparmor (+0/-222) bluez.seccomp (+0/-457) obex.apparmor (+0/-225) obex.seccomp (+0/-457) parts/plugins/x-autotools.py (+3/-3) snapcraft.yaml (+10/-20) |
| To merge this branch: | bzr merge lp:~ssweeny/bluez/snappy-interface |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Simon Fels | Approve | ||
| Tony Espy | Pending | ||
| Bluetooth | Pending | ||
|
Review via email:
|
|||
Commit message
Use the new bluez interface in ubuntu-core
Description of the change
This branch contains the updated snapcraft config to use the new bluez interface in ubuntu-core.
Tested against a fixes branch[1] that will hopefully soon be merged into ubuntu-core.
To post a comment you must log in.
- 47. By Scott Sweeny
-
Actually remove unused policy files
- 48. By Scott Sweeny
-
Rename slot/plug to service/client respectively
Revision history for this message
| Scott Sweeny (ssweeny) wrote : | # |
> Left one naming related comment inline but otherwise LGTM
Well-spotted. Done.
Should this naming scheme be part of our guidelines doc?
Revision history for this message
| Simon Fels (morphis) wrote : | # |
@Scott: That would be awesome if you can add a chapter for a interface naming convention.
Revision history for this message
| Simon Fels (morphis) : | # |
review:
Approve
Preview Diff
[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
| 1 | === removed file 'bluez.apparmor' | |||
| 2 | --- bluez.apparmor 2016-02-01 18:56:49 +0000 | |||
| 3 | +++ bluez.apparmor 1970-01-01 00:00:00 +0000 | |||
| 4 | @@ -1,222 +0,0 @@ | |||
| 5 | 1 | # | ||
| 6 | 2 | # AppArmor confinement for bluez's bluetoothd | ||
| 7 | 3 | # | ||
| 8 | 4 | |||
| 9 | 5 | #include <tunables/global> | ||
| 10 | 6 | |||
| 11 | 7 | # Specified profile variables | ||
| 12 | 8 | ###VAR### | ||
| 13 | 9 | |||
| 14 | 10 | ###PROFILEATTACH### (attach_disconnected) { | ||
| 15 | 11 | #include <abstractions/base> | ||
| 16 | 12 | #include <abstractions/openssl> | ||
| 17 | 13 | |||
| 18 | 14 | # Explicitly deny ptrace for now since it can be abused to break out of the | ||
| 19 | 15 | # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 | ||
| 20 | 16 | audit deny ptrace (trace), | ||
| 21 | 17 | |||
| 22 | 18 | # Explicitly deny mount, remount and umount | ||
| 23 | 19 | audit deny mount, | ||
| 24 | 20 | audit deny remount, | ||
| 25 | 21 | audit deny umount, | ||
| 26 | 22 | |||
| 27 | 23 | # Read-only for the install directory | ||
| 28 | 24 | @{CLICK_DIR}/@{APP_PKGNAME}/ r, | ||
| 29 | 25 | @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r, | ||
| 30 | 26 | @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix, | ||
| 31 | 27 | |||
| 32 | 28 | # Read-only home area for other versions | ||
| 33 | 29 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/ r, | ||
| 34 | 30 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ r, | ||
| 35 | 31 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** mrkix, | ||
| 36 | 32 | |||
| 37 | 33 | # Writable home area for this version. | ||
| 38 | 34 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ w, | ||
| 39 | 35 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** wl, | ||
| 40 | 36 | |||
| 41 | 37 | # Read-only system area for other versions | ||
| 42 | 38 | /var/lib/snaps/@{APP_PKGNAME}/ r, | ||
| 43 | 39 | /var/lib/snaps/@{APP_PKGNAME}/** mrkix, | ||
| 44 | 40 | |||
| 45 | 41 | # Writable system area only for this version | ||
| 46 | 42 | /var/lib/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ w, | ||
| 47 | 43 | /var/lib/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** wl, | ||
| 48 | 44 | |||
| 49 | 45 | # The ubuntu-core-launcher creates an app-specific private restricted /tmp | ||
| 50 | 46 | # and will fail to launch the app if something goes wrong. As such, we can | ||
| 51 | 47 | # simply allow full access to /tmp. | ||
| 52 | 48 | /tmp/ r, | ||
| 53 | 49 | /tmp/** mrwlkix, | ||
| 54 | 50 | |||
| 55 | 51 | # Miscellaneous accesses | ||
| 56 | 52 | /etc/mime.types r, | ||
| 57 | 53 | @{PROC}/ r, | ||
| 58 | 54 | /etc/{,writable/}hostname r, | ||
| 59 | 55 | /etc/{,writable/}localtime r, | ||
| 60 | 56 | /etc/{,writable/}timezone r, | ||
| 61 | 57 | @{PROC}/sys/kernel/hostname r, | ||
| 62 | 58 | @{PROC}/sys/kernel/osrelease r, | ||
| 63 | 59 | @{PROC}/sys/fs/file-max r, | ||
| 64 | 60 | @{PROC}/sys/kernel/pid_max r, | ||
| 65 | 61 | # this leaks interface names and stats, but not in a way that is traceable | ||
| 66 | 62 | # to the user/device | ||
| 67 | 63 | @{PROC}/net/dev r, | ||
| 68 | 64 | |||
| 69 | 65 | # | ||
| 70 | 66 | # Various accesses that may or may not be required for your framework. | ||
| 71 | 67 | # Adjust as necessary for your services. | ||
| 72 | 68 | # | ||
| 73 | 69 | |||
| 74 | 70 | # Shell (do not usually need abstractions/bash) | ||
| 75 | 71 | #include <abstractions/consoles> | ||
| 76 | 72 | /bin/bash ixr, | ||
| 77 | 73 | /bin/dash ixr, | ||
| 78 | 74 | /etc/bash.bashrc r, | ||
| 79 | 75 | /usr/share/terminfo/** r, | ||
| 80 | 76 | /etc/inputrc r, | ||
| 81 | 77 | deny @{HOME}/.inputrc r, | ||
| 82 | 78 | # Common utilities for shell scripts | ||
| 83 | 79 | /{,usr/}bin/{,g,m}awk ixr, | ||
| 84 | 80 | /{,usr/}bin/basename ixr, | ||
| 85 | 81 | /{,usr/}bin/bunzip2 ixr, | ||
| 86 | 82 | /{,usr/}bin/bzcat ixr, | ||
| 87 | 83 | /{,usr/}bin/bzdiff ixr, | ||
| 88 | 84 | /{,usr/}bin/bzgrep ixr, | ||
| 89 | 85 | /{,usr/}bin/bzip2 ixr, | ||
| 90 | 86 | /{,usr/}bin/cat ixr, | ||
| 91 | 87 | /{,usr/}bin/chmod ixr, | ||
| 92 | 88 | /{,usr/}bin/cmp ixr, | ||
| 93 | 89 | /{,usr/}bin/cp ixr, | ||
| 94 | 90 | /{,usr/}bin/cpio ixr, | ||
| 95 | 91 | /{,usr/}bin/cut ixr, | ||
| 96 | 92 | /{,usr/}bin/date ixr, | ||
| 97 | 93 | /{,usr/}bin/dd ixr, | ||
| 98 | 94 | /{,usr/}bin/diff{,3} ixr, | ||
| 99 | 95 | /{,usr/}bin/dir ixr, | ||
| 100 | 96 | /{,usr/}bin/dirname ixr, | ||
| 101 | 97 | /{,usr/}bin/echo ixr, | ||
| 102 | 98 | /{,usr/}bin/{,e,f,r}grep ixr, | ||
| 103 | 99 | /{,usr/}bin/env ixr, | ||
| 104 | 100 | /{,usr/}bin/expr ixr, | ||
| 105 | 101 | /{,usr/}bin/false ixr, | ||
| 106 | 102 | /{,usr/}bin/find ixr, | ||
| 107 | 103 | /{,usr/}bin/fmt ixr, | ||
| 108 | 104 | /{,usr/}bin/getopt ixr, | ||
| 109 | 105 | /{,usr/}bin/head ixr, | ||
| 110 | 106 | /{,usr/}bin/hostname ixr, | ||
| 111 | 107 | /{,usr/}bin/id ixr, | ||
| 112 | 108 | /{,usr/}bin/igawk ixr, | ||
| 113 | 109 | /{,usr/}bin/kill ixr, | ||
| 114 | 110 | /{,usr/}bin/ldd ixr, | ||
| 115 | 111 | /{,usr/}bin/ln ixr, | ||
| 116 | 112 | /{,usr/}bin/line ixr, | ||
| 117 | 113 | /{,usr/}bin/link ixr, | ||
| 118 | 114 | /{,usr/}bin/logger ixr, | ||
| 119 | 115 | /{,usr/}bin/ls ixr, | ||
| 120 | 116 | /{,usr/}bin/md5sum ixr, | ||
| 121 | 117 | /{,usr/}bin/mkdir ixr, | ||
| 122 | 118 | /{,usr/}bin/mktemp ixr, | ||
| 123 | 119 | /{,usr/}bin/mv ixr, | ||
| 124 | 120 | /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial | ||
| 125 | 121 | /{,usr/}bin/pgrep ixr, | ||
| 126 | 122 | /{,usr/}bin/printenv ixr, | ||
| 127 | 123 | /{,usr/}bin/printf ixr, | ||
| 128 | 124 | /{,usr/}bin/ps ixr, | ||
| 129 | 125 | /{,usr/}bin/pwd ixr, | ||
| 130 | 126 | /{,usr/}bin/readlink ixr, | ||
| 131 | 127 | /{,usr/}bin/realpath ixr, | ||
| 132 | 128 | /{,usr/}bin/rev ixr, | ||
| 133 | 129 | /{,usr/}bin/rm ixr, | ||
| 134 | 130 | /{,usr/}bin/rmdir ixr, | ||
| 135 | 131 | /{,usr/}bin/sed ixr, | ||
| 136 | 132 | /{,usr/}bin/seq ixr, | ||
| 137 | 133 | /{,usr/}bin/sleep ixr, | ||
| 138 | 134 | /{,usr/}bin/sort ixr, | ||
| 139 | 135 | /{,usr/}bin/stat ixr, | ||
| 140 | 136 | /{,usr/}bin/tac ixr, | ||
| 141 | 137 | /{,usr/}bin/tail ixr, | ||
| 142 | 138 | /{,usr/}bin/tar ixr, | ||
| 143 | 139 | /{,usr/}bin/tee ixr, | ||
| 144 | 140 | /{,usr/}bin/test ixr, | ||
| 145 | 141 | /{,usr/}bin/tempfile ixr, | ||
| 146 | 142 | /{,usr/}bin/touch ixr, | ||
| 147 | 143 | /{,usr/}bin/tr ixr, | ||
| 148 | 144 | /{,usr/}bin/true ixr, | ||
| 149 | 145 | /{,usr/}bin/uname ixr, | ||
| 150 | 146 | /{,usr/}bin/uniq ixr, | ||
| 151 | 147 | /{,usr/}bin/unlink ixr, | ||
| 152 | 148 | /{,usr/}bin/unxz ixr, | ||
| 153 | 149 | /{,usr/}bin/unzip ixr, | ||
| 154 | 150 | /{,usr/}bin/vdir ixr, | ||
| 155 | 151 | /{,usr/}bin/wc ixr, | ||
| 156 | 152 | /{,usr/}bin/which ixr, | ||
| 157 | 153 | /{,usr/}bin/xargs ixr, | ||
| 158 | 154 | /{,usr/}bin/xz ixr, | ||
| 159 | 155 | /{,usr/}bin/yes ixr, | ||
| 160 | 156 | /{,usr/}bin/zcat ixr, | ||
| 161 | 157 | /{,usr/}bin/z{,e,f}grep ixr, | ||
| 162 | 158 | /{,usr/}bin/zip ixr, | ||
| 163 | 159 | /{,usr/}bin/zipgrep ixr, | ||
| 164 | 160 | /{,usr/}bin/uptime ixr, | ||
| 165 | 161 | @{PROC}/uptime r, | ||
| 166 | 162 | @{PROC}/loadavg r, | ||
| 167 | 163 | |||
| 168 | 164 | # | ||
| 169 | 165 | # Framework service/binary specific rules below here | ||
| 170 | 166 | # | ||
| 171 | 167 | network bluetooth, | ||
| 172 | 168 | |||
| 173 | 169 | capability net_admin, | ||
| 174 | 170 | capability net_bind_service, | ||
| 175 | 171 | |||
| 176 | 172 | # File accesses | ||
| 177 | 173 | /sys/bus/usb/drivers/btusb/ r, | ||
| 178 | 174 | /sys/bus/usb/drivers/btusb/** r, | ||
| 179 | 175 | /sys/class/bluetooth/ r, | ||
| 180 | 176 | /sys/devices/**/bluetooth/ rw, | ||
| 181 | 177 | /sys/devices/**/bluetooth/** rw, | ||
| 182 | 178 | /sys/devices/**/id/chassis_type r, | ||
| 183 | 179 | |||
| 184 | 180 | # TODO: use snappy hardware assignment for this once LP: #1498917 is fixed | ||
| 185 | 181 | /dev/rfkill rw, | ||
| 186 | 182 | |||
| 187 | 183 | # DBus accesses | ||
| 188 | 184 | #include <abstractions/dbus-strict> | ||
| 189 | 185 | dbus (send) | ||
| 190 | 186 | bus=system | ||
| 191 | 187 | path=/org/freedesktop/DBus | ||
| 192 | 188 | interface=org.freedesktop.DBus | ||
| 193 | 189 | member={Request,Release}Name | ||
| 194 | 190 | peer=(name=org.freedesktop.DBus), | ||
| 195 | 191 | |||
| 196 | 192 | dbus (send) | ||
| 197 | 193 | bus=system | ||
| 198 | 194 | path=/org/freedesktop/* | ||
| 199 | 195 | interface=org.freedesktop.DBus.Properties | ||
| 200 | 196 | peer=(label=unconfined), | ||
| 201 | 197 | |||
| 202 | 198 | # Allow binding the service to the requested connection name | ||
| 203 | 199 | dbus (bind) | ||
| 204 | 200 | bus=system | ||
| 205 | 201 | name="org.bluez", | ||
| 206 | 202 | |||
| 207 | 203 | # Allow traffic to/from our path and interface with any method | ||
| 208 | 204 | dbus (receive, send) | ||
| 209 | 205 | bus=system | ||
| 210 | 206 | path=/org/bluez{,/**} | ||
| 211 | 207 | interface=org.bluez.*, | ||
| 212 | 208 | |||
| 213 | 209 | # Allow traffic to/from org.freedesktop.DBus for bluez service | ||
| 214 | 210 | dbus (receive, send) | ||
| 215 | 211 | bus=system | ||
| 216 | 212 | path=/ | ||
| 217 | 213 | interface=org.freedesktop.DBus.**, | ||
| 218 | 214 | dbus (receive, send) | ||
| 219 | 215 | bus=system | ||
| 220 | 216 | path=/org/bluez{,/**} | ||
| 221 | 217 | interface=org.freedesktop.DBus.**, | ||
| 222 | 218 | |||
| 223 | 219 | # Allow replacing our dbus policy configuration file until | ||
| 224 | 220 | # snappy has a better way to do this. | ||
| 225 | 221 | /etc/dbus-1/system.d/bluez_* rw, | ||
| 226 | 222 | } | ||
| 227 | 223 | 0 | ||
| 228 | === removed file 'bluez.seccomp' | |||
| 229 | --- bluez.seccomp 2016-01-26 00:25:18 +0000 | |||
| 230 | +++ bluez.seccomp 1970-01-01 00:00:00 +0000 | |||
| 231 | @@ -1,457 +0,0 @@ | |||
| 232 | 1 | # | ||
| 233 | 2 | # Seccomp policy for bluez | ||
| 234 | 3 | # | ||
| 235 | 4 | |||
| 236 | 5 | # Dangerous syscalls that we don't ever want to allow | ||
| 237 | 6 | |||
| 238 | 7 | # kexec | ||
| 239 | 8 | # EXPLICITLY DENY kexec_load | ||
| 240 | 9 | |||
| 241 | 10 | # kernel modules | ||
| 242 | 11 | # EXPLICITLY DENY create_module | ||
| 243 | 12 | # EXPLICITLY DENY init_module | ||
| 244 | 13 | # EXPLICITLY DENY finit_module | ||
| 245 | 14 | # EXPLICITLY DENY delete_module | ||
| 246 | 15 | |||
| 247 | 16 | # these have a history of vulnerabilities, are not widely used, and | ||
| 248 | 17 | # open_by_handle_at has been used to break out of docker containers by brute | ||
| 249 | 18 | # forcing the handle value: http://stealth.openwall.net/xSports/shocker.c | ||
| 250 | 19 | # EXPLICITLY DENY name_to_handle_at | ||
| 251 | 20 | # EXPLICITLY DENY open_by_handle_at | ||
| 252 | 21 | |||
| 253 | 22 | # Explicitly deny ptrace since it can be abused to break out of the seccomp | ||
| 254 | 23 | # sandbox | ||
| 255 | 24 | # EXPLICITLY DENY ptrace | ||
| 256 | 25 | |||
| 257 | 26 | # Explicitly deny capability mknod so apps can't create devices | ||
| 258 | 27 | # EXPLICITLY DENY mknod | ||
| 259 | 28 | # EXPLICITLY DENY mknodat | ||
| 260 | 29 | |||
| 261 | 30 | # Explicitly deny (u)mount so apps can't change mounts in their namespace | ||
| 262 | 31 | # EXPLICITLY DENY mount | ||
| 263 | 32 | # EXPLICITLY DENY umount | ||
| 264 | 33 | # EXPLICITLY DENY umount2 | ||
| 265 | 34 | |||
| 266 | 35 | # Explicitly deny kernel keyring access | ||
| 267 | 36 | # EXPLICITLY DENY add_key | ||
| 268 | 37 | # EXPLICITLY DENY keyctl | ||
| 269 | 38 | # EXPLICITLY DENY request_key | ||
| 270 | 39 | |||
| 271 | 40 | # end dangerous syscalls | ||
| 272 | 41 | |||
| 273 | 42 | access | ||
| 274 | 43 | faccessat | ||
| 275 | 44 | |||
| 276 | 45 | alarm | ||
| 277 | 46 | brk | ||
| 278 | 47 | |||
| 279 | 48 | # ARM private syscalls | ||
| 280 | 49 | breakpoint | ||
| 281 | 50 | cacheflush | ||
| 282 | 51 | set_tls | ||
| 283 | 52 | usr26 | ||
| 284 | 53 | usr32 | ||
| 285 | 54 | |||
| 286 | 55 | capget | ||
| 287 | 56 | |||
| 288 | 57 | chdir | ||
| 289 | 58 | fchdir | ||
| 290 | 59 | |||
| 291 | 60 | # We can't effectively block file perms due to open() with O_CREAT, so allow | ||
| 292 | 61 | # chmod until we have syscall arg filtering (LP: #1446748) | ||
| 293 | 62 | chmod | ||
| 294 | 63 | fchmod | ||
| 295 | 64 | fchmodat | ||
| 296 | 65 | |||
| 297 | 66 | # snappy doesn't currently support per-app UID/GIDs so don't allow chown. To | ||
| 298 | 67 | # properly support chown, we need to have syscall arg filtering (LP: #1446748) | ||
| 299 | 68 | # and per-app UID/GIDs. | ||
| 300 | 69 | #chown | ||
| 301 | 70 | #chown32 | ||
| 302 | 71 | #fchown | ||
| 303 | 72 | #fchown32 | ||
| 304 | 73 | #fchownat | ||
| 305 | 74 | #lchown | ||
| 306 | 75 | #lchown32 | ||
| 307 | 76 | |||
| 308 | 77 | clock_getres | ||
| 309 | 78 | clock_gettime | ||
| 310 | 79 | clock_nanosleep | ||
| 311 | 80 | clone | ||
| 312 | 81 | close | ||
| 313 | 82 | creat | ||
| 314 | 83 | dup | ||
| 315 | 84 | dup2 | ||
| 316 | 85 | dup3 | ||
| 317 | 86 | epoll_create | ||
| 318 | 87 | epoll_create1 | ||
| 319 | 88 | epoll_ctl | ||
| 320 | 89 | epoll_ctl_old | ||
| 321 | 90 | epoll_pwait | ||
| 322 | 91 | epoll_wait | ||
| 323 | 92 | epoll_wait_old | ||
| 324 | 93 | eventfd | ||
| 325 | 94 | eventfd2 | ||
| 326 | 95 | execve | ||
| 327 | 96 | execveat | ||
| 328 | 97 | _exit | ||
| 329 | 98 | exit | ||
| 330 | 99 | exit_group | ||
| 331 | 100 | fallocate | ||
| 332 | 101 | |||
| 333 | 102 | # requires CAP_SYS_ADMIN | ||
| 334 | 103 | #fanotify_init | ||
| 335 | 104 | #fanotify_mark | ||
| 336 | 105 | |||
| 337 | 106 | fcntl | ||
| 338 | 107 | fcntl64 | ||
| 339 | 108 | flock | ||
| 340 | 109 | fork | ||
| 341 | 110 | ftime | ||
| 342 | 111 | futex | ||
| 343 | 112 | get_mempolicy | ||
| 344 | 113 | get_robust_list | ||
| 345 | 114 | get_thread_area | ||
| 346 | 115 | getcpu | ||
| 347 | 116 | getcwd | ||
| 348 | 117 | getdents | ||
| 349 | 118 | getdents64 | ||
| 350 | 119 | getegid | ||
| 351 | 120 | getegid32 | ||
| 352 | 121 | geteuid | ||
| 353 | 122 | geteuid32 | ||
| 354 | 123 | getgid | ||
| 355 | 124 | getgid32 | ||
| 356 | 125 | getgroups | ||
| 357 | 126 | getgroups32 | ||
| 358 | 127 | getitimer | ||
| 359 | 128 | getpgid | ||
| 360 | 129 | getpgrp | ||
| 361 | 130 | getpid | ||
| 362 | 131 | getppid | ||
| 363 | 132 | getpriority | ||
| 364 | 133 | getrandom | ||
| 365 | 134 | getresgid | ||
| 366 | 135 | getresgid32 | ||
| 367 | 136 | getresuid | ||
| 368 | 137 | getresuid32 | ||
| 369 | 138 | |||
| 370 | 139 | getrlimit | ||
| 371 | 140 | ugetrlimit | ||
| 372 | 141 | |||
| 373 | 142 | getrusage | ||
| 374 | 143 | getsid | ||
| 375 | 144 | gettid | ||
| 376 | 145 | gettimeofday | ||
| 377 | 146 | getuid | ||
| 378 | 147 | getuid32 | ||
| 379 | 148 | |||
| 380 | 149 | getxattr | ||
| 381 | 150 | fgetxattr | ||
| 382 | 151 | lgetxattr | ||
| 383 | 152 | |||
| 384 | 153 | inotify_add_watch | ||
| 385 | 154 | inotify_init | ||
| 386 | 155 | inotify_init1 | ||
| 387 | 156 | inotify_rm_watch | ||
| 388 | 157 | |||
| 389 | 158 | # Needed by shell | ||
| 390 | 159 | ioctl | ||
| 391 | 160 | |||
| 392 | 161 | io_cancel | ||
| 393 | 162 | io_destroy | ||
| 394 | 163 | io_getevents | ||
| 395 | 164 | io_setup | ||
| 396 | 165 | io_submit | ||
| 397 | 166 | ioprio_get | ||
| 398 | 167 | # affects other processes, requires CAP_SYS_ADMIN. Potentially allow with | ||
| 399 | 168 | # syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748) | ||
| 400 | 169 | #ioprio_set | ||
| 401 | 170 | |||
| 402 | 171 | ipc | ||
| 403 | 172 | kill | ||
| 404 | 173 | link | ||
| 405 | 174 | linkat | ||
| 406 | 175 | |||
| 407 | 176 | listxattr | ||
| 408 | 177 | llistxattr | ||
| 409 | 178 | flistxattr | ||
| 410 | 179 | |||
| 411 | 180 | lseek | ||
| 412 | 181 | llseek | ||
| 413 | 182 | _llseek | ||
| 414 | 183 | lstat | ||
| 415 | 184 | lstat64 | ||
| 416 | 185 | |||
| 417 | 186 | madvise | ||
| 418 | 187 | fadvise64 | ||
| 419 | 188 | fadvise64_64 | ||
| 420 | 189 | arm_fadvise64_64 | ||
| 421 | 190 | |||
| 422 | 191 | mbind | ||
| 423 | 192 | mincore | ||
| 424 | 193 | mkdir | ||
| 425 | 194 | mkdirat | ||
| 426 | 195 | mlock | ||
| 427 | 196 | mlockall | ||
| 428 | 197 | mmap | ||
| 429 | 198 | mmap2 | ||
| 430 | 199 | mprotect | ||
| 431 | 200 | |||
| 432 | 201 | # LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now | ||
| 433 | 202 | #mq_getsetattr | ||
| 434 | 203 | #mq_notify | ||
| 435 | 204 | #mq_open | ||
| 436 | 205 | #mq_timedreceive | ||
| 437 | 206 | #mq_timedsend | ||
| 438 | 207 | #mq_unlink | ||
| 439 | 208 | |||
| 440 | 209 | mremap | ||
| 441 | 210 | msgctl | ||
| 442 | 211 | msgget | ||
| 443 | 212 | msgrcv | ||
| 444 | 213 | msgsnd | ||
| 445 | 214 | msync | ||
| 446 | 215 | munlock | ||
| 447 | 216 | munlockall | ||
| 448 | 217 | munmap | ||
| 449 | 218 | |||
| 450 | 219 | nanosleep | ||
| 451 | 220 | |||
| 452 | 221 | # LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set | ||
| 453 | 222 | # RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value | ||
| 454 | 223 | # and allow this call | ||
| 455 | 224 | #nice | ||
| 456 | 225 | |||
| 457 | 226 | # LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT | ||
| 458 | 227 | open | ||
| 459 | 228 | |||
| 460 | 229 | openat | ||
| 461 | 230 | pause | ||
| 462 | 231 | pipe | ||
| 463 | 232 | pipe2 | ||
| 464 | 233 | poll | ||
| 465 | 234 | ppoll | ||
| 466 | 235 | |||
| 467 | 236 | # LP: #1446748 - support syscall arg filtering | ||
| 468 | 237 | prctl | ||
| 469 | 238 | arch_prctl | ||
| 470 | 239 | |||
| 471 | 240 | read | ||
| 472 | 241 | pread | ||
| 473 | 242 | pread64 | ||
| 474 | 243 | preadv | ||
| 475 | 244 | readv | ||
| 476 | 245 | |||
| 477 | 246 | readahead | ||
| 478 | 247 | readdir | ||
| 479 | 248 | readlink | ||
| 480 | 249 | readlinkat | ||
| 481 | 250 | remap_file_pages | ||
| 482 | 251 | |||
| 483 | 252 | removexattr | ||
| 484 | 253 | fremovexattr | ||
| 485 | 254 | lremovexattr | ||
| 486 | 255 | |||
| 487 | 256 | rename | ||
| 488 | 257 | renameat | ||
| 489 | 258 | renameat2 | ||
| 490 | 259 | |||
| 491 | 260 | # The man page says this shouldn't be needed, but we've seen denials for it | ||
| 492 | 261 | # in the wild | ||
| 493 | 262 | restart_syscall | ||
| 494 | 263 | |||
| 495 | 264 | rmdir | ||
| 496 | 265 | rt_sigaction | ||
| 497 | 266 | rt_sigpending | ||
| 498 | 267 | rt_sigprocmask | ||
| 499 | 268 | rt_sigqueueinfo | ||
| 500 | 269 | rt_sigreturn | ||
| 501 | 270 | rt_sigsuspend | ||
| 502 | 271 | rt_sigtimedwait | ||
| 503 | 272 | rt_tgsigqueueinfo | ||
| 504 | 273 | sched_getaffinity | ||
| 505 | 274 | sched_getattr | ||
| 506 | 275 | sched_getparam | ||
| 507 | 276 | sched_get_priority_max | ||
| 508 | 277 | sched_get_priority_min | ||
| 509 | 278 | sched_getscheduler | ||
| 510 | 279 | sched_rr_get_interval | ||
| 511 | 280 | # LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the | ||
| 512 | 281 | # app may only change its own scheduler | ||
| 513 | 282 | sched_setscheduler | ||
| 514 | 283 | |||
| 515 | 284 | sched_yield | ||
| 516 | 285 | |||
| 517 | 286 | select | ||
| 518 | 287 | _newselect | ||
| 519 | 288 | pselect | ||
| 520 | 289 | pselect6 | ||
| 521 | 290 | |||
| 522 | 291 | semctl | ||
| 523 | 292 | semget | ||
| 524 | 293 | semop | ||
| 525 | 294 | semtimedop | ||
| 526 | 295 | sendfile | ||
| 527 | 296 | sendfile64 | ||
| 528 | 297 | |||
| 529 | 298 | # snappy doesn't currently support per-app UID/GIDs so don't allow this family | ||
| 530 | 299 | # of syscalls. To properly support these, we need to have syscall arg filtering | ||
| 531 | 300 | # (LP: #1446748) and per-app UID/GIDs. | ||
| 532 | 301 | #setgid | ||
| 533 | 302 | #setgid32 | ||
| 534 | 303 | #setgroups | ||
| 535 | 304 | #setgroups32 | ||
| 536 | 305 | #setregid | ||
| 537 | 306 | #setregid32 | ||
| 538 | 307 | #setresgid | ||
| 539 | 308 | #setresgid32 | ||
| 540 | 309 | #setresuid | ||
| 541 | 310 | #setresuid32 | ||
| 542 | 311 | #setreuid | ||
| 543 | 312 | #setreuid32 | ||
| 544 | 313 | #setuid | ||
| 545 | 314 | #setuid32 | ||
| 546 | 315 | |||
| 547 | 316 | # These break isolation but are common and can't be mediated at the seccomp | ||
| 548 | 317 | # level with arg filtering | ||
| 549 | 318 | setpgid | ||
| 550 | 319 | setpgrp | ||
| 551 | 320 | |||
| 552 | 321 | set_thread_area | ||
| 553 | 322 | setitimer | ||
| 554 | 323 | |||
| 555 | 324 | # apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard | ||
| 556 | 325 | # limits | ||
| 557 | 326 | setrlimit | ||
| 558 | 327 | prlimit64 | ||
| 559 | 328 | |||
| 560 | 329 | set_mempolicy | ||
| 561 | 330 | set_robust_list | ||
| 562 | 331 | setsid | ||
| 563 | 332 | set_tid_address | ||
| 564 | 333 | |||
| 565 | 334 | setxattr | ||
| 566 | 335 | fsetxattr | ||
| 567 | 336 | lsetxattr | ||
| 568 | 337 | |||
| 569 | 338 | shmat | ||
| 570 | 339 | shmctl | ||
| 571 | 340 | shmdt | ||
| 572 | 341 | shmget | ||
| 573 | 342 | signal | ||
| 574 | 343 | sigaction | ||
| 575 | 344 | signalfd | ||
| 576 | 345 | signalfd4 | ||
| 577 | 346 | sigaltstack | ||
| 578 | 347 | sigpending | ||
| 579 | 348 | sigprocmask | ||
| 580 | 349 | sigreturn | ||
| 581 | 350 | sigsuspend | ||
| 582 | 351 | sigtimedwait | ||
| 583 | 352 | sigwaitinfo | ||
| 584 | 353 | |||
| 585 | 354 | # Per man page, on Linux this is limited to only AF_UNIX so it is ok to have | ||
| 586 | 355 | # in the default template | ||
| 587 | 356 | socketpair | ||
| 588 | 357 | |||
| 589 | 358 | splice | ||
| 590 | 359 | |||
| 591 | 360 | stat | ||
| 592 | 361 | stat64 | ||
| 593 | 362 | fstat | ||
| 594 | 363 | fstat64 | ||
| 595 | 364 | fstatat64 | ||
| 596 | 365 | lstat | ||
| 597 | 366 | newfstatat | ||
| 598 | 367 | oldfstat | ||
| 599 | 368 | oldlstat | ||
| 600 | 369 | oldstat | ||
| 601 | 370 | |||
| 602 | 371 | statfs | ||
| 603 | 372 | statfs64 | ||
| 604 | 373 | fstatfs | ||
| 605 | 374 | fstatfs64 | ||
| 606 | 375 | statvfs | ||
| 607 | 376 | fstatvfs | ||
| 608 | 377 | ustat | ||
| 609 | 378 | |||
| 610 | 379 | symlink | ||
| 611 | 380 | symlinkat | ||
| 612 | 381 | |||
| 613 | 382 | sync | ||
| 614 | 383 | sync_file_range | ||
| 615 | 384 | sync_file_range2 | ||
| 616 | 385 | arm_sync_file_range | ||
| 617 | 386 | fdatasync | ||
| 618 | 387 | fsync | ||
| 619 | 388 | syncfs | ||
| 620 | 389 | sysinfo | ||
| 621 | 390 | syslog | ||
| 622 | 391 | tee | ||
| 623 | 392 | tgkill | ||
| 624 | 393 | time | ||
| 625 | 394 | timer_create | ||
| 626 | 395 | timer_delete | ||
| 627 | 396 | timer_getoverrun | ||
| 628 | 397 | timer_gettime | ||
| 629 | 398 | timer_settime | ||
| 630 | 399 | timerfd_create | ||
| 631 | 400 | timerfd_gettime | ||
| 632 | 401 | timerfd_settime | ||
| 633 | 402 | times | ||
| 634 | 403 | tkill | ||
| 635 | 404 | |||
| 636 | 405 | truncate | ||
| 637 | 406 | truncate64 | ||
| 638 | 407 | ftruncate | ||
| 639 | 408 | ftruncate64 | ||
| 640 | 409 | |||
| 641 | 410 | umask | ||
| 642 | 411 | |||
| 643 | 412 | uname | ||
| 644 | 413 | olduname | ||
| 645 | 414 | oldolduname | ||
| 646 | 415 | |||
| 647 | 416 | unlink | ||
| 648 | 417 | unlinkat | ||
| 649 | 418 | |||
| 650 | 419 | utime | ||
| 651 | 420 | utimensat | ||
| 652 | 421 | utimes | ||
| 653 | 422 | futimesat | ||
| 654 | 423 | |||
| 655 | 424 | vfork | ||
| 656 | 425 | vmsplice | ||
| 657 | 426 | wait4 | ||
| 658 | 427 | oldwait4 | ||
| 659 | 428 | waitpid | ||
| 660 | 429 | waitid | ||
| 661 | 430 | |||
| 662 | 431 | write | ||
| 663 | 432 | writev | ||
| 664 | 433 | pwrite | ||
| 665 | 434 | pwrite64 | ||
| 666 | 435 | pwritev | ||
| 667 | 436 | |||
| 668 | 437 | # Can communicate with DBus system service | ||
| 669 | 438 | accept | ||
| 670 | 439 | accept4 | ||
| 671 | 440 | bind | ||
| 672 | 441 | connect | ||
| 673 | 442 | getpeername | ||
| 674 | 443 | getsockname | ||
| 675 | 444 | getsockopt | ||
| 676 | 445 | listen | ||
| 677 | 446 | recv | ||
| 678 | 447 | recvfrom | ||
| 679 | 448 | recvmmsg | ||
| 680 | 449 | recvmsg | ||
| 681 | 450 | send | ||
| 682 | 451 | sendmmsg | ||
| 683 | 452 | sendmsg | ||
| 684 | 453 | sendto | ||
| 685 | 454 | setsockopt | ||
| 686 | 455 | shutdown | ||
| 687 | 456 | socketpair | ||
| 688 | 457 | socket | ||
| 689 | 458 | 0 | ||
| 690 | === removed file 'obex.apparmor' | |||
| 691 | --- obex.apparmor 2016-02-01 18:56:32 +0000 | |||
| 692 | +++ obex.apparmor 1970-01-01 00:00:00 +0000 | |||
| 693 | @@ -1,225 +0,0 @@ | |||
| 694 | 1 | # | ||
| 695 | 2 | # AppArmor confinement for bluez obexd | ||
| 696 | 3 | # | ||
| 697 | 4 | |||
| 698 | 5 | #include <tunables/global> | ||
| 699 | 6 | |||
| 700 | 7 | # Specified profile variables | ||
| 701 | 8 | ###VAR### | ||
| 702 | 9 | |||
| 703 | 10 | ###PROFILEATTACH### (attach_disconnected) { | ||
| 704 | 11 | #include <abstractions/base> | ||
| 705 | 12 | #include <abstractions/nameservice> | ||
| 706 | 13 | #include <abstractions/openssl> | ||
| 707 | 14 | |||
| 708 | 15 | # Explicitly deny ptrace for now since it can be abused to break out of the | ||
| 709 | 16 | # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823 | ||
| 710 | 17 | audit deny ptrace (trace), | ||
| 711 | 18 | |||
| 712 | 19 | # Explicitly deny mount, remount and umount | ||
| 713 | 20 | audit deny mount, | ||
| 714 | 21 | audit deny remount, | ||
| 715 | 22 | audit deny umount, | ||
| 716 | 23 | |||
| 717 | 24 | # Read-only for the install directory | ||
| 718 | 25 | @{CLICK_DIR}/@{APP_PKGNAME}/ r, | ||
| 719 | 26 | @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/ r, | ||
| 720 | 27 | @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/** mrklix, | ||
| 721 | 28 | |||
| 722 | 29 | # Read-only home area for other versions | ||
| 723 | 30 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/ r, | ||
| 724 | 31 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ r, | ||
| 725 | 32 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** mrkix, | ||
| 726 | 33 | |||
| 727 | 34 | # Writable home area for this version. | ||
| 728 | 35 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ w, | ||
| 729 | 36 | owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** wl, | ||
| 730 | 37 | |||
| 731 | 38 | # Read-only system area for other versions | ||
| 732 | 39 | /var/lib/snaps/@{APP_PKGNAME}/ r, | ||
| 733 | 40 | /var/lib/snaps/@{APP_PKGNAME}/** mrkix, | ||
| 734 | 41 | |||
| 735 | 42 | # Writable system area only for this version | ||
| 736 | 43 | /var/lib/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ w, | ||
| 737 | 44 | /var/lib/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** wl, | ||
| 738 | 45 | |||
| 739 | 46 | # The ubuntu-core-launcher creates an app-specific private restricted /tmp | ||
| 740 | 47 | # and will fail to launch the app if something goes wrong. As such, we can | ||
| 741 | 48 | # simply allow full access to /tmp. | ||
| 742 | 49 | /tmp/ r, | ||
| 743 | 50 | /tmp/** mrwlkix, | ||
| 744 | 51 | |||
| 745 | 52 | # Miscellaneous accesses | ||
| 746 | 53 | /etc/mime.types r, | ||
| 747 | 54 | @{PROC}/ r, | ||
| 748 | 55 | /etc/{,writable/}hostname r, | ||
| 749 | 56 | /etc/{,writable/}localtime r, | ||
| 750 | 57 | /etc/{,writable/}timezone r, | ||
| 751 | 58 | @{PROC}/sys/kernel/hostname r, | ||
| 752 | 59 | @{PROC}/sys/kernel/osrelease r, | ||
| 753 | 60 | @{PROC}/sys/fs/file-max r, | ||
| 754 | 61 | @{PROC}/sys/kernel/pid_max r, | ||
| 755 | 62 | # this leaks interface names and stats, but not in a way that is traceable | ||
| 756 | 63 | # to the user/device | ||
| 757 | 64 | @{PROC}/net/dev r, | ||
| 758 | 65 | |||
| 759 | 66 | # | ||
| 760 | 67 | # Various accesses that may or may not be required for your framework. | ||
| 761 | 68 | # Adjust as necessary for your services. | ||
| 762 | 69 | # | ||
| 763 | 70 | |||
| 764 | 71 | # Shell (do not usually need abstractions/bash) | ||
| 765 | 72 | #include <abstractions/consoles> | ||
| 766 | 73 | /bin/bash ixr, | ||
| 767 | 74 | /bin/dash ixr, | ||
| 768 | 75 | /etc/bash.bashrc r, | ||
| 769 | 76 | /usr/share/terminfo/** r, | ||
| 770 | 77 | /etc/inputrc r, | ||
| 771 | 78 | deny @{HOME}/.inputrc r, | ||
| 772 | 79 | # Common utilities for shell scripts | ||
| 773 | 80 | /{,usr/}bin/{,g,m}awk ixr, | ||
| 774 | 81 | /{,usr/}bin/basename ixr, | ||
| 775 | 82 | /{,usr/}bin/bunzip2 ixr, | ||
| 776 | 83 | /{,usr/}bin/bzcat ixr, | ||
| 777 | 84 | /{,usr/}bin/bzdiff ixr, | ||
| 778 | 85 | /{,usr/}bin/bzgrep ixr, | ||
| 779 | 86 | /{,usr/}bin/bzip2 ixr, | ||
| 780 | 87 | /{,usr/}bin/cat ixr, | ||
| 781 | 88 | /{,usr/}bin/chmod ixr, | ||
| 782 | 89 | /{,usr/}bin/cmp ixr, | ||
| 783 | 90 | /{,usr/}bin/cp ixr, | ||
| 784 | 91 | /{,usr/}bin/cpio ixr, | ||
| 785 | 92 | /{,usr/}bin/cut ixr, | ||
| 786 | 93 | /{,usr/}bin/date ixr, | ||
| 787 | 94 | /{,usr/}bin/dd ixr, | ||
| 788 | 95 | /{,usr/}bin/diff{,3} ixr, | ||
| 789 | 96 | /{,usr/}bin/dir ixr, | ||
| 790 | 97 | /{,usr/}bin/dirname ixr, | ||
| 791 | 98 | /{,usr/}bin/echo ixr, | ||
| 792 | 99 | /{,usr/}bin/{,e,f,r}grep ixr, | ||
| 793 | 100 | /{,usr/}bin/env ixr, | ||
| 794 | 101 | /{,usr/}bin/expr ixr, | ||
| 795 | 102 | /{,usr/}bin/false ixr, | ||
| 796 | 103 | /{,usr/}bin/find ixr, | ||
| 797 | 104 | /{,usr/}bin/fmt ixr, | ||
| 798 | 105 | /{,usr/}bin/getopt ixr, | ||
| 799 | 106 | /{,usr/}bin/head ixr, | ||
| 800 | 107 | /{,usr/}bin/hostname ixr, | ||
| 801 | 108 | /{,usr/}bin/id ixr, | ||
| 802 | 109 | /{,usr/}bin/igawk ixr, | ||
| 803 | 110 | /{,usr/}bin/kill ixr, | ||
| 804 | 111 | /{,usr/}bin/ldd ixr, | ||
| 805 | 112 | /{,usr/}bin/ln ixr, | ||
| 806 | 113 | /{,usr/}bin/line ixr, | ||
| 807 | 114 | /{,usr/}bin/link ixr, | ||
| 808 | 115 | /{,usr/}bin/logger ixr, | ||
| 809 | 116 | /{,usr/}bin/ls ixr, | ||
| 810 | 117 | /{,usr/}bin/md5sum ixr, | ||
| 811 | 118 | /{,usr/}bin/mkdir ixr, | ||
| 812 | 119 | /{,usr/}bin/mktemp ixr, | ||
| 813 | 120 | /{,usr/}bin/mv ixr, | ||
| 814 | 121 | /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial | ||
| 815 | 122 | /{,usr/}bin/pgrep ixr, | ||
| 816 | 123 | /{,usr/}bin/printenv ixr, | ||
| 817 | 124 | /{,usr/}bin/printf ixr, | ||
| 818 | 125 | /{,usr/}bin/ps ixr, | ||
| 819 | 126 | /{,usr/}bin/pwd ixr, | ||
| 820 | 127 | /{,usr/}bin/readlink ixr, | ||
| 821 | 128 | /{,usr/}bin/realpath ixr, | ||
| 822 | 129 | /{,usr/}bin/rev ixr, | ||
| 823 | 130 | /{,usr/}bin/rm ixr, | ||
| 824 | 131 | /{,usr/}bin/rmdir ixr, | ||
| 825 | 132 | /{,usr/}bin/sed ixr, | ||
| 826 | 133 | /{,usr/}bin/seq ixr, | ||
| 827 | 134 | /{,usr/}bin/sleep ixr, | ||
| 828 | 135 | /{,usr/}bin/sort ixr, | ||
| 829 | 136 | /{,usr/}bin/stat ixr, | ||
| 830 | 137 | /{,usr/}bin/tac ixr, | ||
| 831 | 138 | /{,usr/}bin/tail ixr, | ||
| 832 | 139 | /{,usr/}bin/tar ixr, | ||
| 833 | 140 | /{,usr/}bin/tee ixr, | ||
| 834 | 141 | /{,usr/}bin/test ixr, | ||
| 835 | 142 | /{,usr/}bin/tempfile ixr, | ||
| 836 | 143 | /{,usr/}bin/touch ixr, | ||
| 837 | 144 | /{,usr/}bin/tr ixr, | ||
| 838 | 145 | /{,usr/}bin/true ixr, | ||
| 839 | 146 | /{,usr/}bin/uname ixr, | ||
| 840 | 147 | /{,usr/}bin/uniq ixr, | ||
| 841 | 148 | /{,usr/}bin/unlink ixr, | ||
| 842 | 149 | /{,usr/}bin/unxz ixr, | ||
| 843 | 150 | /{,usr/}bin/unzip ixr, | ||
| 844 | 151 | /{,usr/}bin/vdir ixr, | ||
| 845 | 152 | /{,usr/}bin/wc ixr, | ||
| 846 | 153 | /{,usr/}bin/which ixr, | ||
| 847 | 154 | /{,usr/}bin/xargs ixr, | ||
| 848 | 155 | /{,usr/}bin/xz ixr, | ||
| 849 | 156 | /{,usr/}bin/yes ixr, | ||
| 850 | 157 | /{,usr/}bin/zcat ixr, | ||
| 851 | 158 | /{,usr/}bin/z{,e,f}grep ixr, | ||
| 852 | 159 | /{,usr/}bin/zip ixr, | ||
| 853 | 160 | /{,usr/}bin/zipgrep ixr, | ||
| 854 | 161 | /{,usr/}bin/uptime ixr, | ||
| 855 | 162 | @{PROC}/uptime r, | ||
| 856 | 163 | @{PROC}/loadavg r, | ||
| 857 | 164 | |||
| 858 | 165 | # | ||
| 859 | 166 | # Framework service/binary specific rules below here | ||
| 860 | 167 | # | ||
| 861 | 168 | network bluetooth, | ||
| 862 | 169 | |||
| 863 | 170 | capability net_admin, | ||
| 864 | 171 | capability net_bind_service, | ||
| 865 | 172 | |||
| 866 | 173 | # File accesses | ||
| 867 | 174 | /sys/bus/usb/drivers/btusb/ r, | ||
| 868 | 175 | /sys/bus/usb/drivers/btusb/** r, | ||
| 869 | 176 | /sys/class/bluetooth/ r, | ||
| 870 | 177 | /sys/devices/**/bluetooth/ rw, | ||
| 871 | 178 | /sys/devices/**/bluetooth/** rw, | ||
| 872 | 179 | /sys/devices/**/id/chassis_type r, | ||
| 873 | 180 | |||
| 874 | 181 | # TODO: use snappy hardware assignment for this once LP: #1498917 is fixed | ||
| 875 | 182 | /dev/rfkill rw, | ||
| 876 | 183 | |||
| 877 | 184 | # DBus accesses | ||
| 878 | 185 | #include <abstractions/dbus-strict> | ||
| 879 | 186 | dbus (send) | ||
| 880 | 187 | bus=system | ||
| 881 | 188 | path=/org/freedesktop/DBus | ||
| 882 | 189 | interface=org.freedesktop.DBus | ||
| 883 | 190 | member={Request,Release}Name | ||
| 884 | 191 | peer=(name=org.freedesktop.DBus), | ||
| 885 | 192 | |||
| 886 | 193 | dbus (send) | ||
| 887 | 194 | bus=system | ||
| 888 | 195 | path=/org/freedesktop/* | ||
| 889 | 196 | interface=org.freedesktop.DBus.Properties | ||
| 890 | 197 | peer=(label=unconfined), | ||
| 891 | 198 | |||
| 892 | 199 | dbus (send) | ||
| 893 | 200 | bus=system | ||
| 894 | 201 | path=/org/freedesktop/* | ||
| 895 | 202 | interface=org.freedesktop.DBus.ObjectManager | ||
| 896 | 203 | peer=(label=unconfined), | ||
| 897 | 204 | |||
| 898 | 205 | # Allow binding the service to the requested connection name | ||
| 899 | 206 | dbus (bind) | ||
| 900 | 207 | bus=system | ||
| 901 | 208 | name="org.bluez.obex", | ||
| 902 | 209 | |||
| 903 | 210 | # Allow traffic to/from our path and interface with any method | ||
| 904 | 211 | dbus (receive, send) | ||
| 905 | 212 | bus=system | ||
| 906 | 213 | path=/org/bluez{,/**} | ||
| 907 | 214 | interface=org.bluez.*, | ||
| 908 | 215 | |||
| 909 | 216 | # Allow traffic to/from org.freedesktop.DBus for bluez service | ||
| 910 | 217 | dbus (receive, send) | ||
| 911 | 218 | bus=system | ||
| 912 | 219 | path=/ | ||
| 913 | 220 | interface=org.freedesktop.DBus.**, | ||
| 914 | 221 | dbus (receive, send) | ||
| 915 | 222 | bus=system | ||
| 916 | 223 | path=/org/bluez{,/**} | ||
| 917 | 224 | interface=org.freedesktop.DBus.**, | ||
| 918 | 225 | } | ||
| 919 | 226 | 0 | ||
| 920 | === removed file 'obex.seccomp' | |||
| 921 | --- obex.seccomp 2016-01-28 01:28:49 +0000 | |||
| 922 | +++ obex.seccomp 1970-01-01 00:00:00 +0000 | |||
| 923 | @@ -1,457 +0,0 @@ | |||
| 924 | 1 | # | ||
| 925 | 2 | # Seccomp policy for bluez | ||
| 926 | 3 | # | ||
| 927 | 4 | |||
| 928 | 5 | # Dangerous syscalls that we don't ever want to allow | ||
| 929 | 6 | |||
| 930 | 7 | # kexec | ||
| 931 | 8 | # EXPLICITLY DENY kexec_load | ||
| 932 | 9 | |||
| 933 | 10 | # kernel modules | ||
| 934 | 11 | # EXPLICITLY DENY create_module | ||
| 935 | 12 | # EXPLICITLY DENY init_module | ||
| 936 | 13 | # EXPLICITLY DENY finit_module | ||
| 937 | 14 | # EXPLICITLY DENY delete_module | ||
| 938 | 15 | |||
| 939 | 16 | # these have a history of vulnerabilities, are not widely used, and | ||
| 940 | 17 | # open_by_handle_at has been used to break out of docker containers by brute | ||
| 941 | 18 | # forcing the handle value: http://stealth.openwall.net/xSports/shocker.c | ||
| 942 | 19 | # EXPLICITLY DENY name_to_handle_at | ||
| 943 | 20 | # EXPLICITLY DENY open_by_handle_at | ||
| 944 | 21 | |||
| 945 | 22 | # Explicitly deny ptrace since it can be abused to break out of the seccomp | ||
| 946 | 23 | # sandbox | ||
| 947 | 24 | # EXPLICITLY DENY ptrace | ||
| 948 | 25 | |||
| 949 | 26 | # Explicitly deny capability mknod so apps can't create devices | ||
| 950 | 27 | # EXPLICITLY DENY mknod | ||
| 951 | 28 | # EXPLICITLY DENY mknodat | ||
| 952 | 29 | |||
| 953 | 30 | # Explicitly deny (u)mount so apps can't change mounts in their namespace | ||
| 954 | 31 | # EXPLICITLY DENY mount | ||
| 955 | 32 | # EXPLICITLY DENY umount | ||
| 956 | 33 | # EXPLICITLY DENY umount2 | ||
| 957 | 34 | |||
| 958 | 35 | # Explicitly deny kernel keyring access | ||
| 959 | 36 | # EXPLICITLY DENY add_key | ||
| 960 | 37 | # EXPLICITLY DENY keyctl | ||
| 961 | 38 | # EXPLICITLY DENY request_key | ||
| 962 | 39 | |||
| 963 | 40 | # end dangerous syscalls | ||
| 964 | 41 | |||
| 965 | 42 | access | ||
| 966 | 43 | faccessat | ||
| 967 | 44 | |||
| 968 | 45 | alarm | ||
| 969 | 46 | brk | ||
| 970 | 47 | |||
| 971 | 48 | # ARM private syscalls | ||
| 972 | 49 | breakpoint | ||
| 973 | 50 | cacheflush | ||
| 974 | 51 | set_tls | ||
| 975 | 52 | usr26 | ||
| 976 | 53 | usr32 | ||
| 977 | 54 | |||
| 978 | 55 | capget | ||
| 979 | 56 | |||
| 980 | 57 | chdir | ||
| 981 | 58 | fchdir | ||
| 982 | 59 | |||
| 983 | 60 | # We can't effectively block file perms due to open() with O_CREAT, so allow | ||
| 984 | 61 | # chmod until we have syscall arg filtering (LP: #1446748) | ||
| 985 | 62 | chmod | ||
| 986 | 63 | fchmod | ||
| 987 | 64 | fchmodat | ||
| 988 | 65 | |||
| 989 | 66 | # snappy doesn't currently support per-app UID/GIDs so don't allow chown. To | ||
| 990 | 67 | # properly support chown, we need to have syscall arg filtering (LP: #1446748) | ||
| 991 | 68 | # and per-app UID/GIDs. | ||
| 992 | 69 | #chown | ||
| 993 | 70 | #chown32 | ||
| 994 | 71 | #fchown | ||
| 995 | 72 | #fchown32 | ||
| 996 | 73 | #fchownat | ||
| 997 | 74 | #lchown | ||
| 998 | 75 | #lchown32 | ||
| 999 | 76 | |||
| 1000 | 77 | clock_getres | ||
| 1001 | 78 | clock_gettime | ||
| 1002 | 79 | clock_nanosleep | ||
| 1003 | 80 | clone | ||
| 1004 | 81 | close | ||
| 1005 | 82 | creat | ||
| 1006 | 83 | dup | ||
| 1007 | 84 | dup2 | ||
| 1008 | 85 | dup3 | ||
| 1009 | 86 | epoll_create | ||
| 1010 | 87 | epoll_create1 | ||
| 1011 | 88 | epoll_ctl | ||
| 1012 | 89 | epoll_ctl_old | ||
| 1013 | 90 | epoll_pwait | ||
| 1014 | 91 | epoll_wait | ||
| 1015 | 92 | epoll_wait_old | ||
| 1016 | 93 | eventfd | ||
| 1017 | 94 | eventfd2 | ||
| 1018 | 95 | execve | ||
| 1019 | 96 | execveat | ||
| 1020 | 97 | _exit | ||
| 1021 | 98 | exit | ||
| 1022 | 99 | exit_group | ||
| 1023 | 100 | fallocate | ||
| 1024 | 101 | |||
| 1025 | 102 | # requires CAP_SYS_ADMIN | ||
| 1026 | 103 | #fanotify_init | ||
| 1027 | 104 | #fanotify_mark | ||
| 1028 | 105 | |||
| 1029 | 106 | fcntl | ||
| 1030 | 107 | fcntl64 | ||
| 1031 | 108 | flock | ||
| 1032 | 109 | fork | ||
| 1033 | 110 | ftime | ||
| 1034 | 111 | futex | ||
| 1035 | 112 | get_mempolicy | ||
| 1036 | 113 | get_robust_list | ||
| 1037 | 114 | get_thread_area | ||
| 1038 | 115 | getcpu | ||
| 1039 | 116 | getcwd | ||
| 1040 | 117 | getdents | ||
| 1041 | 118 | getdents64 | ||
| 1042 | 119 | getegid | ||
| 1043 | 120 | getegid32 | ||
| 1044 | 121 | geteuid | ||
| 1045 | 122 | geteuid32 | ||
| 1046 | 123 | getgid | ||
| 1047 | 124 | getgid32 | ||
| 1048 | 125 | getgroups | ||
| 1049 | 126 | getgroups32 | ||
| 1050 | 127 | getitimer | ||
| 1051 | 128 | getpgid | ||
| 1052 | 129 | getpgrp | ||
| 1053 | 130 | getpid | ||
| 1054 | 131 | getppid | ||
| 1055 | 132 | getpriority | ||
| 1056 | 133 | getrandom | ||
| 1057 | 134 | getresgid | ||
| 1058 | 135 | getresgid32 | ||
| 1059 | 136 | getresuid | ||
| 1060 | 137 | getresuid32 | ||
| 1061 | 138 | |||
| 1062 | 139 | getrlimit | ||
| 1063 | 140 | ugetrlimit | ||
| 1064 | 141 | |||
| 1065 | 142 | getrusage | ||
| 1066 | 143 | getsid | ||
| 1067 | 144 | gettid | ||
| 1068 | 145 | gettimeofday | ||
| 1069 | 146 | getuid | ||
| 1070 | 147 | getuid32 | ||
| 1071 | 148 | |||
| 1072 | 149 | getxattr | ||
| 1073 | 150 | fgetxattr | ||
| 1074 | 151 | lgetxattr | ||
| 1075 | 152 | |||
| 1076 | 153 | inotify_add_watch | ||
| 1077 | 154 | inotify_init | ||
| 1078 | 155 | inotify_init1 | ||
| 1079 | 156 | inotify_rm_watch | ||
| 1080 | 157 | |||
| 1081 | 158 | # Needed by shell | ||
| 1082 | 159 | ioctl | ||
| 1083 | 160 | |||
| 1084 | 161 | io_cancel | ||
| 1085 | 162 | io_destroy | ||
| 1086 | 163 | io_getevents | ||
| 1087 | 164 | io_setup | ||
| 1088 | 165 | io_submit | ||
| 1089 | 166 | ioprio_get | ||
| 1090 | 167 | # affects other processes, requires CAP_SYS_ADMIN. Potentially allow with | ||
| 1091 | 168 | # syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748) | ||
| 1092 | 169 | #ioprio_set | ||
| 1093 | 170 | |||
| 1094 | 171 | ipc | ||
| 1095 | 172 | kill | ||
| 1096 | 173 | link | ||
| 1097 | 174 | linkat | ||
| 1098 | 175 | |||
| 1099 | 176 | listxattr | ||
| 1100 | 177 | llistxattr | ||
| 1101 | 178 | flistxattr | ||
| 1102 | 179 | |||
| 1103 | 180 | lseek | ||
| 1104 | 181 | llseek | ||
| 1105 | 182 | _llseek | ||
| 1106 | 183 | lstat | ||
| 1107 | 184 | lstat64 | ||
| 1108 | 185 | |||
| 1109 | 186 | madvise | ||
| 1110 | 187 | fadvise64 | ||
| 1111 | 188 | fadvise64_64 | ||
| 1112 | 189 | arm_fadvise64_64 | ||
| 1113 | 190 | |||
| 1114 | 191 | mbind | ||
| 1115 | 192 | mincore | ||
| 1116 | 193 | mkdir | ||
| 1117 | 194 | mkdirat | ||
| 1118 | 195 | mlock | ||
| 1119 | 196 | mlockall | ||
| 1120 | 197 | mmap | ||
| 1121 | 198 | mmap2 | ||
| 1122 | 199 | mprotect | ||
| 1123 | 200 | |||
| 1124 | 201 | # LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now | ||
| 1125 | 202 | #mq_getsetattr | ||
| 1126 | 203 | #mq_notify | ||
| 1127 | 204 | #mq_open | ||
| 1128 | 205 | #mq_timedreceive | ||
| 1129 | 206 | #mq_timedsend | ||
| 1130 | 207 | #mq_unlink | ||
| 1131 | 208 | |||
| 1132 | 209 | mremap | ||
| 1133 | 210 | msgctl | ||
| 1134 | 211 | msgget | ||
| 1135 | 212 | msgrcv | ||
| 1136 | 213 | msgsnd | ||
| 1137 | 214 | msync | ||
| 1138 | 215 | munlock | ||
| 1139 | 216 | munlockall | ||
| 1140 | 217 | munmap | ||
| 1141 | 218 | |||
| 1142 | 219 | nanosleep | ||
| 1143 | 220 | |||
| 1144 | 221 | # LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set | ||
| 1145 | 222 | # RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value | ||
| 1146 | 223 | # and allow this call | ||
| 1147 | 224 | #nice | ||
| 1148 | 225 | |||
| 1149 | 226 | # LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT | ||
| 1150 | 227 | open | ||
| 1151 | 228 | |||
| 1152 | 229 | openat | ||
| 1153 | 230 | pause | ||
| 1154 | 231 | pipe | ||
| 1155 | 232 | pipe2 | ||
| 1156 | 233 | poll | ||
| 1157 | 234 | ppoll | ||
| 1158 | 235 | |||
| 1159 | 236 | # LP: #1446748 - support syscall arg filtering | ||
| 1160 | 237 | prctl | ||
| 1161 | 238 | arch_prctl | ||
| 1162 | 239 | |||
| 1163 | 240 | read | ||
| 1164 | 241 | pread | ||
| 1165 | 242 | pread64 | ||
| 1166 | 243 | preadv | ||
| 1167 | 244 | readv | ||
| 1168 | 245 | |||
| 1169 | 246 | readahead | ||
| 1170 | 247 | readdir | ||
| 1171 | 248 | readlink | ||
| 1172 | 249 | readlinkat | ||
| 1173 | 250 | remap_file_pages | ||
| 1174 | 251 | |||
| 1175 | 252 | removexattr | ||
| 1176 | 253 | fremovexattr | ||
| 1177 | 254 | lremovexattr | ||
| 1178 | 255 | |||
| 1179 | 256 | rename | ||
| 1180 | 257 | renameat | ||
| 1181 | 258 | renameat2 | ||
| 1182 | 259 | |||
| 1183 | 260 | # The man page says this shouldn't be needed, but we've seen denials for it | ||
| 1184 | 261 | # in the wild | ||
| 1185 | 262 | restart_syscall | ||
| 1186 | 263 | |||
| 1187 | 264 | rmdir | ||
| 1188 | 265 | rt_sigaction | ||
| 1189 | 266 | rt_sigpending | ||
| 1190 | 267 | rt_sigprocmask | ||
| 1191 | 268 | rt_sigqueueinfo | ||
| 1192 | 269 | rt_sigreturn | ||
| 1193 | 270 | rt_sigsuspend | ||
| 1194 | 271 | rt_sigtimedwait | ||
| 1195 | 272 | rt_tgsigqueueinfo | ||
| 1196 | 273 | sched_getaffinity | ||
| 1197 | 274 | sched_getattr | ||
| 1198 | 275 | sched_getparam | ||
| 1199 | 276 | sched_get_priority_max | ||
| 1200 | 277 | sched_get_priority_min | ||
| 1201 | 278 | sched_getscheduler | ||
| 1202 | 279 | sched_rr_get_interval | ||
| 1203 | 280 | # LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the | ||
| 1204 | 281 | # app may only change its own scheduler | ||
| 1205 | 282 | sched_setscheduler | ||
| 1206 | 283 | |||
| 1207 | 284 | sched_yield | ||
| 1208 | 285 | |||
| 1209 | 286 | select | ||
| 1210 | 287 | _newselect | ||
| 1211 | 288 | pselect | ||
| 1212 | 289 | pselect6 | ||
| 1213 | 290 | |||
| 1214 | 291 | semctl | ||
| 1215 | 292 | semget | ||
| 1216 | 293 | semop | ||
| 1217 | 294 | semtimedop | ||
| 1218 | 295 | sendfile | ||
| 1219 | 296 | sendfile64 | ||
| 1220 | 297 | |||
| 1221 | 298 | # snappy doesn't currently support per-app UID/GIDs so don't allow this family | ||
| 1222 | 299 | # of syscalls. To properly support these, we need to have syscall arg filtering | ||
| 1223 | 300 | # (LP: #1446748) and per-app UID/GIDs. | ||
| 1224 | 301 | #setgid | ||
| 1225 | 302 | #setgid32 | ||
| 1226 | 303 | #setgroups | ||
| 1227 | 304 | #setgroups32 | ||
| 1228 | 305 | #setregid | ||
| 1229 | 306 | #setregid32 | ||
| 1230 | 307 | #setresgid | ||
| 1231 | 308 | #setresgid32 | ||
| 1232 | 309 | #setresuid | ||
| 1233 | 310 | #setresuid32 | ||
| 1234 | 311 | #setreuid | ||
| 1235 | 312 | #setreuid32 | ||
| 1236 | 313 | #setuid | ||
| 1237 | 314 | #setuid32 | ||
| 1238 | 315 | |||
| 1239 | 316 | # These break isolation but are common and can't be mediated at the seccomp | ||
| 1240 | 317 | # level with arg filtering | ||
| 1241 | 318 | setpgid | ||
| 1242 | 319 | setpgrp | ||
| 1243 | 320 | |||
| 1244 | 321 | set_thread_area | ||
| 1245 | 322 | setitimer | ||
| 1246 | 323 | |||
| 1247 | 324 | # apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard | ||
| 1248 | 325 | # limits | ||
| 1249 | 326 | setrlimit | ||
| 1250 | 327 | prlimit64 | ||
| 1251 | 328 | |||
| 1252 | 329 | set_mempolicy | ||
| 1253 | 330 | set_robust_list | ||
| 1254 | 331 | setsid | ||
| 1255 | 332 | set_tid_address | ||
| 1256 | 333 | |||
| 1257 | 334 | setxattr | ||
| 1258 | 335 | fsetxattr | ||
| 1259 | 336 | lsetxattr | ||
| 1260 | 337 | |||
| 1261 | 338 | shmat | ||
| 1262 | 339 | shmctl | ||
| 1263 | 340 | shmdt | ||
| 1264 | 341 | shmget | ||
| 1265 | 342 | signal | ||
| 1266 | 343 | sigaction | ||
| 1267 | 344 | signalfd | ||
| 1268 | 345 | signalfd4 | ||
| 1269 | 346 | sigaltstack | ||
| 1270 | 347 | sigpending | ||
| 1271 | 348 | sigprocmask | ||
| 1272 | 349 | sigreturn | ||
| 1273 | 350 | sigsuspend | ||
| 1274 | 351 | sigtimedwait | ||
| 1275 | 352 | sigwaitinfo | ||
| 1276 | 353 | |||
| 1277 | 354 | # Per man page, on Linux this is limited to only AF_UNIX so it is ok to have | ||
| 1278 | 355 | # in the default template | ||
| 1279 | 356 | socketpair | ||
| 1280 | 357 | |||
| 1281 | 358 | splice | ||
| 1282 | 359 | |||
| 1283 | 360 | stat | ||
| 1284 | 361 | stat64 | ||
| 1285 | 362 | fstat | ||
| 1286 | 363 | fstat64 | ||
| 1287 | 364 | fstatat64 | ||
| 1288 | 365 | lstat | ||
| 1289 | 366 | newfstatat | ||
| 1290 | 367 | oldfstat | ||
| 1291 | 368 | oldlstat | ||
| 1292 | 369 | oldstat | ||
| 1293 | 370 | |||
| 1294 | 371 | statfs | ||
| 1295 | 372 | statfs64 | ||
| 1296 | 373 | fstatfs | ||
| 1297 | 374 | fstatfs64 | ||
| 1298 | 375 | statvfs | ||
| 1299 | 376 | fstatvfs | ||
| 1300 | 377 | ustat | ||
| 1301 | 378 | |||
| 1302 | 379 | symlink | ||
| 1303 | 380 | symlinkat | ||
| 1304 | 381 | |||
| 1305 | 382 | sync | ||
| 1306 | 383 | sync_file_range | ||
| 1307 | 384 | sync_file_range2 | ||
| 1308 | 385 | arm_sync_file_range | ||
| 1309 | 386 | fdatasync | ||
| 1310 | 387 | fsync | ||
| 1311 | 388 | syncfs | ||
| 1312 | 389 | sysinfo | ||
| 1313 | 390 | syslog | ||
| 1314 | 391 | tee | ||
| 1315 | 392 | tgkill | ||
| 1316 | 393 | time | ||
| 1317 | 394 | timer_create | ||
| 1318 | 395 | timer_delete | ||
| 1319 | 396 | timer_getoverrun | ||
| 1320 | 397 | timer_gettime | ||
| 1321 | 398 | timer_settime | ||
| 1322 | 399 | timerfd_create | ||
| 1323 | 400 | timerfd_gettime | ||
| 1324 | 401 | timerfd_settime | ||
| 1325 | 402 | times | ||
| 1326 | 403 | tkill | ||
| 1327 | 404 | |||
| 1328 | 405 | truncate | ||
| 1329 | 406 | truncate64 | ||
| 1330 | 407 | ftruncate | ||
| 1331 | 408 | ftruncate64 | ||
| 1332 | 409 | |||
| 1333 | 410 | umask | ||
| 1334 | 411 | |||
| 1335 | 412 | uname | ||
| 1336 | 413 | olduname | ||
| 1337 | 414 | oldolduname | ||
| 1338 | 415 | |||
| 1339 | 416 | unlink | ||
| 1340 | 417 | unlinkat | ||
| 1341 | 418 | |||
| 1342 | 419 | utime | ||
| 1343 | 420 | utimensat | ||
| 1344 | 421 | utimes | ||
| 1345 | 422 | futimesat | ||
| 1346 | 423 | |||
| 1347 | 424 | vfork | ||
| 1348 | 425 | vmsplice | ||
| 1349 | 426 | wait4 | ||
| 1350 | 427 | oldwait4 | ||
| 1351 | 428 | waitpid | ||
| 1352 | 429 | waitid | ||
| 1353 | 430 | |||
| 1354 | 431 | write | ||
| 1355 | 432 | writev | ||
| 1356 | 433 | pwrite | ||
| 1357 | 434 | pwrite64 | ||
| 1358 | 435 | pwritev | ||
| 1359 | 436 | |||
| 1360 | 437 | # Can communicate with DBus system service | ||
| 1361 | 438 | accept | ||
| 1362 | 439 | accept4 | ||
| 1363 | 440 | bind | ||
| 1364 | 441 | connect | ||
| 1365 | 442 | getpeername | ||
| 1366 | 443 | getsockname | ||
| 1367 | 444 | getsockopt | ||
| 1368 | 445 | listen | ||
| 1369 | 446 | recv | ||
| 1370 | 447 | recvfrom | ||
| 1371 | 448 | recvmmsg | ||
| 1372 | 449 | recvmsg | ||
| 1373 | 450 | send | ||
| 1374 | 451 | sendmmsg | ||
| 1375 | 452 | sendmsg | ||
| 1376 | 453 | sendto | ||
| 1377 | 454 | setsockopt | ||
| 1378 | 455 | shutdown | ||
| 1379 | 456 | socketpair | ||
| 1380 | 457 | socket | ||
| 1381 | 458 | 0 | ||
| 1382 | === modified file 'parts/plugins/x-autotools.py' | |||
| 1383 | --- parts/plugins/x-autotools.py 2016-04-20 17:42:41 +0000 | |||
| 1384 | +++ parts/plugins/x-autotools.py 2016-04-20 17:42:41 +0000 | |||
| 1385 | @@ -72,8 +72,8 @@ | |||
| 1386 | 72 | 72 | ||
| 1387 | 73 | return schema | 73 | return schema |
| 1388 | 74 | 74 | ||
| 1391 | 75 | def __init__(self, name, options): | 75 | def __init__(self, name, options, project): |
| 1392 | 76 | super().__init__(name, options) | 76 | super().__init__(name, options, project) |
| 1393 | 77 | self.build_packages.extend([ | 77 | self.build_packages.extend([ |
| 1394 | 78 | 'autoconf', | 78 | 'autoconf', |
| 1395 | 79 | 'automake', | 79 | 'automake', |
| 1396 | @@ -126,5 +126,5 @@ | |||
| 1397 | 126 | 126 | ||
| 1398 | 127 | self.run(configure_command + self.options.configflags) | 127 | self.run(configure_command + self.options.configflags) |
| 1399 | 128 | self.run(['make', '-j{}'.format( | 128 | self.run(['make', '-j{}'.format( |
| 1401 | 129 | snapcraft.common.get_parallel_build_count())]) | 129 | self.project.parallel_build_count)]) |
| 1402 | 130 | self.run(make_install_command) | 130 | self.run(make_install_command) |
| 1403 | 131 | 131 | ||
| 1404 | === modified file 'snapcraft.yaml' | |||
| 1405 | --- snapcraft.yaml 2016-04-20 17:42:41 +0000 | |||
| 1406 | +++ snapcraft.yaml 2016-04-20 17:42:41 +0000 | |||
| 1407 | @@ -9,32 +9,24 @@ | |||
| 1408 | 9 | apps: | 9 | apps: |
| 1409 | 10 | bluetoothctl: | 10 | bluetoothctl: |
| 1410 | 11 | command: usr/bin/bluetoothctl | 11 | command: usr/bin/bluetoothctl |
| 1412 | 12 | uses: [bluez-client] | 12 | plugs: [client] |
| 1413 | 13 | obexctl: | 13 | obexctl: |
| 1414 | 14 | command: usr/bin/obexctl | 14 | command: usr/bin/obexctl |
| 1416 | 15 | uses: [bluez-client] | 15 | plugs: [client] |
| 1417 | 16 | bluez: | 16 | bluez: |
| 1418 | 17 | command: "usr/lib/bluetooth/bluetoothd -E" | 17 | command: "usr/lib/bluetooth/bluetoothd -E" |
| 1419 | 18 | daemon: simple | 18 | daemon: simple |
| 1421 | 19 | uses: [bluez-service] | 19 | slots: [service] |
| 1422 | 20 | obex: | 20 | obex: |
| 1423 | 21 | command: "usr/lib/bluetooth/obexd" | 21 | command: "usr/lib/bluetooth/obexd" |
| 1424 | 22 | daemon: simple | 22 | daemon: simple |
| 1440 | 23 | uses: [obex-service] | 23 | slots: [service] |
| 1441 | 24 | uses: | 24 | plugs: |
| 1442 | 25 | bluez-client: | 25 | client: |
| 1443 | 26 | type: migration-skill | 26 | interface: bluez |
| 1444 | 27 | caps: [bluez_client] | 27 | slots: |
| 1445 | 28 | bluez-service: | 28 | service: |
| 1446 | 29 | type: migration-skill | 29 | interface: bluez |
| 1432 | 30 | security-policy: | ||
| 1433 | 31 | apparmor: bluez.apparmor | ||
| 1434 | 32 | seccomp: bluez.seccomp | ||
| 1435 | 33 | obex-service: | ||
| 1436 | 34 | type: migration-skill | ||
| 1437 | 35 | security-policy: | ||
| 1438 | 36 | apparmor: obex.apparmor | ||
| 1439 | 37 | seccomp: obex.seccomp | ||
| 1447 | 38 | 30 | ||
| 1448 | 39 | parts: | 31 | parts: |
| 1449 | 40 | bluez: | 32 | bluez: |
| 1450 | @@ -74,7 +66,5 @@ | |||
| 1451 | 74 | dbus-configuration: | 66 | dbus-configuration: |
| 1452 | 75 | plugin: copy | 67 | plugin: copy |
| 1453 | 76 | files: | 68 | files: |
| 1454 | 77 | conf/bluez-dbus.conf: conf/bluez-dbus.conf | ||
| 1455 | 78 | meta/framework-policy: meta/framework-policy | ||
| 1456 | 79 | copyright: usr/share/doc/bluez/copyright | 69 | copyright: usr/share/doc/bluez/copyright |
| 1457 | 80 | doc/overview.md: usr/share/doc/bluez/overview.md | 70 | doc/overview.md: usr/share/doc/bluez/overview.md |
Left one naming related comment inline but otherwise LGTM