Merge lp:~cmiller/apparmor/chromiumbrowser-fcitx-abstraction into lp:apparmor/2.12

Proposed by Chad Miller
Status: Rejected
Rejected by: Steve Beattie
Proposed branch: lp:~cmiller/apparmor/chromiumbrowser-fcitx-abstraction
Merge into: lp:apparmor/2.12
Diff against target: 59 lines (+43/-1)
2 files modified
profiles/apparmor.d/abstractions/dbus-accessibility-strict (+1/-1)
profiles/apparmor.d/abstractions/fcitx (+42/-0)
To merge this branch: bzr merge lp:~cmiller/apparmor/chromiumbrowser-fcitx-abstraction
Reviewer: Tyler Hicks
Review status: Needs Fixing
Review via email: mp+282214@code.launchpad.net
Tyler Hicks (tyhicks) wrote :

Thanks for putting this merge together, Chad. Questions/comments:

1) I'm surprised that you don't have to grant access to the Hello method on the org.freedesktop.DBus interface. Calling that method is typically required when connecting to a bus. Is that not the case with the fcitx bus?

2) Can you add 'peer=(name=org.freedesktop.DBus)' to the rules that specify the org.freedesktop.DBus and org.freedesktop.DBus.Properties interfaces? See abstractions/dbus-accessibility-strict for a good example.

3) I'd suggest combining the last set of rules into a single rule, à la abstractions/dbus-accessibility-strict.

4) I looked at what fcitx documentation I could find, and granting access to all of the org.fcitx.Fcitx.InputContext interface and to CreateICv3 seems relatively safe, so I think the first two rules are fine.

Thanks again!

review: Needs Fixing
3336. By Chad Miller

Split into two pieces. The first updates the strict ruleset for the
accessibility facilities' dbus access, and adds some missing member calls like
Hello. The other groups members in fcitx abstraction together nicer.

Tyler Hicks (tyhicks) wrote :

I've left inline comments in hopes that it is clear what specific rules I'm talking about.

review: Needs Fixing
3337. By Chad Miller

Un-splitting. Reverting dbus-accessibility-strict.

Remove unneeded rules.

3338. By Chad Miller

Finish separating accessibility rules.

Steve Beattie (sbeattie) wrote :

This is superseded by the commit http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3479 , closing.

Thanks!

Unmerged revisions

3338. By Chad Miller

Finish separating accessibility rules.

3337. By Chad Miller

Un-splitting. Reverting dbus-accessibility-strict.

Remove unneeded rules.

3336. By Chad Miller

Split into two pieces. The first updates the strict ruleset for the
accessibility facilities' dbus access, and adds some missing member calls like
Hello. The other groups members in fcitx abstraction together nicer.

3335. By Chad Miller

Create a new input-method abstraction: pass through dbus method calls and
responses relating to the FCITX input method

Preview Diff

1=== modified file 'profiles/apparmor.d/abstractions/dbus-accessibility-strict'
2--- profiles/apparmor.d/abstractions/dbus-accessibility-strict 2014-01-10 21:35:30 +0000
3+++ profiles/apparmor.d/abstractions/dbus-accessibility-strict 2016-01-15 15:03:10 +0000
4@@ -1,7 +1,7 @@
5 # vim:syntax=apparmor
6 # ------------------------------------------------------------------
7 #
8-# Copyright (C) 2013 Canonical Ltd.
9+# Copyright (C) 2013, 2016 Canonical Ltd.
10 #
11 # This program is free software; you can redistribute it and/or
12 # modify it under the terms of version 2 of the GNU General Public
13
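Review bot: The copyright line (diff lines 8-9) is the only change left in dbus-accessibility-strict, so the year is bumped to 2016 without any rule in the file changing. Revision 3337 says the dbus-accessibility-strict changes were reverted; this leftover edit should be reverted too, so that the branch touches only the new fcitx abstraction and the strict accessibility abstraction stays byte-identical to the target.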
14=== added file 'profiles/apparmor.d/abstractions/fcitx'
15--- profiles/apparmor.d/abstractions/fcitx 1970-01-01 00:00:00 +0000
16+++ profiles/apparmor.d/abstractions/fcitx 2016-01-15 15:03:10 +0000
17@@ -0,0 +1,42 @@
18+# vim:syntax=apparmor
19+# ------------------------------------------------------------------
20+#
21+# Copyright (C) 2016 Canonical Ltd.
22+#
23+# This program is free software; you can redistribute it and/or
24+# modify it under the terms of version 2 of the GNU General Public
25+# License published by the Free Software Foundation.
26+#
27+# ------------------------------------------------------------------
28+ # abstraction for fcitx input methods
29+
30+ dbus send
31+ bus=fcitx
32+ path=/org/freedesktop/DBus
33+ interface=org.freedesktop.DBus
34+ member={Hello,AddMatch,RemoveMatch,GetNameOwner,StartServiceByName}
35+ peer=(name=org.freedesktop.DBus),
36+
37+ dbus send
38+ bus=fcitx
39+ path=/org/freedesktop/DBus
40+ interface=org.freedesktop.DBus.Properties
41+ member=GetAll
42+ peer=(name=org.freedesktop.DBus),
43+
44+ dbus send
45+ bus=fcitx
46+ path=/inputmethod
47+ interface=org.fcitx.Fcitx.InputMethod
48+ member=CreateICv3,
49+
50+ dbus (send,receive)
51+ bus=fcitx
52+ interface=org.fcitx.Fcitx.InputContext,
53+
54+ dbus send
55+ bus=fcitx
56+ path=/inputcontext_[0-9]*
57+ interface=org.freedesktop.DBus.Properties
58+ member=GetAll,
59+
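Review bot: The `dbus (send,receive)` rule for `interface=org.fcitx.Fcitx.InputContext` (diff lines 50-52) has neither a `path` nor a `peer` condition, so it permits sending and receiving every member of that interface on any object path of the fcitx bus. The final rule already scopes its Properties access with `path=/inputcontext_[0-9]*`; applying the same `path` here would keep the two rules consistent and limit the grant to input-context objects. Note also that AppArmor patterns are globs, not regular expressions: `[0-9]*` matches one digit followed by any run of non-`/` characters, not "one or more digits", which is worth a comment in the file if that looseness is intended. Separately, the comment on diff line 28 is indented by one space while the rest of the header is not, and `StartServiceByName` in the first rule's member list should be justified or dropped if the client never needs to activate a service on this bus.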
