Merge lp:~cmiller/apparmor/chromiumbrowser-fcitx-abstraction into lp:apparmor/2.12

Proposed by Chad Miller
Status: Rejected
Rejected by: Steve Beattie
Proposed branch: lp:~cmiller/apparmor/chromiumbrowser-fcitx-abstraction
Merge into: lp:apparmor/2.12
Diff against target: 59 lines (+43/-1)
2 files modified
profiles/apparmor.d/abstractions/dbus-accessibility-strict (+1/-1)
profiles/apparmor.d/abstractions/fcitx (+42/-0)
To merge this branch: bzr merge lp:~cmiller/apparmor/chromiumbrowser-fcitx-abstraction
Reviewer: Tyler Hicks
Review status: Needs Fixing
Review via email: mp+282214@code.launchpad.net
Tyler Hicks (tyhicks) wrote :

Thanks for putting this merge together, Chad. Questions/comments:

1) I'm surprised that you don't have to grant access to the Hello method on the org.freedesktop.DBus interface. Calling that method is typically required when connecting to a bus. Is that not the case with the fcitx bus?

2) Can you add 'peer=(name=org.freedesktop.DBus)' to the rules that specify the org.freedesktop.DBus and org.freedesktop.DBus.Properties interfaces? See abstractions/dbus-accessibility-strict for a good example.

3) I'd suggest combining the last set of rules into a single rule, ala abstractions/dbus-accessibility-strict.

4) I looked at what fcitx documentation that I could find and granting access to all of the org.fcitx.Fcitx.InputContext interface and to CreateICv3 seems relatively safe so I think the first two rules are fine.

Thanks again!

review: Needs Fixing
3336. By Chad Miller

Split into two pieces. The first updates the strict ruleset for the
accessibility facilities' dbus access, and adds some missing member calls like
Hello. The other groups members in fcitx abstraction together nicer.

Tyler Hicks (tyhicks) wrote :

I've left inline comments in hopes that it is clear what specific rules I'm talking about.

review: Needs Fixing
3337. By Chad Miller

Un-splitting. Reverting dbus-accessibility-strict.

Remove unneeded rules.

3338. By Chad Miller

Finish separating accessibility rules.

Steve Beattie (sbeattie) wrote :

This is superseded by the commit http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/revision/3479 , closing.

Thanks!

Unmerged revisions

3338. By Chad Miller

Finish separating accessibility rules.

3337. By Chad Miller

Un-splitting. Reverting dbus-accessibility-strict.

Remove unneeded rules.

3336. By Chad Miller

Split into two pieces. The first updates the strict ruleset for the
accessibility facilities' dbus access, and adds some missing member calls like
Hello. The other groups members in fcitx abstraction together nicer.

3335. By Chad Miller

Create a new input-method abstraction: pass through dbus method calls and
responses relating to the FCITX input method

Preview Diff

=== modified file 'profiles/apparmor.d/abstractions/dbus-accessibility-strict'
--- profiles/apparmor.d/abstractions/dbus-accessibility-strict 2014-01-10 21:35:30 +0000
+++ profiles/apparmor.d/abstractions/dbus-accessibility-strict 2016-01-15 15:03:10 +0000
@@ -1,7 +1,7 @@
1# vim:syntax=apparmor1# vim:syntax=apparmor
2# ------------------------------------------------------------------2# ------------------------------------------------------------------
3#3#
4# Copyright (C) 2013 Canonical Ltd.4# Copyright (C) 2013, 2016 Canonical Ltd.
5#5#
6# This program is free software; you can redistribute it and/or6# This program is free software; you can redistribute it and/or
7# modify it under the terms of version 2 of the GNU General Public7# modify it under the terms of version 2 of the GNU General Public
88
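Review bot: The only change to dbus-accessibility-strict in this hunk is the copyright line (line 4, "2013" becomes "2013, 2016"); none of the visible lines touch a rule. Since revision 3337 reverts the dbus-accessibility-strict changes, drop this file from the branch as well, so the copyright year is not bumped without a matching content change.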
=== added file 'profiles/apparmor.d/abstractions/fcitx'
--- profiles/apparmor.d/abstractions/fcitx 1970-01-01 00:00:00 +0000
+++ profiles/apparmor.d/abstractions/fcitx 2016-01-15 15:03:10 +0000
@@ -0,0 +1,42 @@
1# vim:syntax=apparmor
2# ------------------------------------------------------------------
3#
4# Copyright (C) 2016 Canonical Ltd.
5#
6# This program is free software; you can redistribute it and/or
7# modify it under the terms of version 2 of the GNU General Public
8# License published by the Free Software Foundation.
9#
10# ------------------------------------------------------------------
11 # abstraction for fcitx input methods
12
13 dbus send
14 bus=fcitx
15 path=/org/freedesktop/DBus
16 interface=org.freedesktop.DBus
17 member={Hello,AddMatch,RemoveMatch,GetNameOwner,StartServiceByName}
18 peer=(name=org.freedesktop.DBus),
19
20 dbus send
21 bus=fcitx
22 path=/org/freedesktop/DBus
23 interface=org.freedesktop.DBus.Properties
24 member=GetAll
25 peer=(name=org.freedesktop.DBus),
26
27 dbus send
28 bus=fcitx
29 path=/inputmethod
30 interface=org.fcitx.Fcitx.InputMethod
31 member=CreateICv3,
32
33 dbus (send,receive)
34 bus=fcitx
35 interface=org.fcitx.Fcitx.InputContext,
36
37 dbus send
38 bus=fcitx
39 path=/inputcontext_[0-9]*
40 interface=org.freedesktop.DBus.Properties
41 member=GetAll,
42
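Review bot: The 'dbus (send,receive)' rule at lines 33-35 has no path or peer condition, so it allows sending and receiving every member of org.fcitx.Fcitx.InputContext on any object path of the fcitx bus. Add 'path=/inputcontext_[0-9]*' to it, matching the Properties rule at lines 37-41, and consider a peer condition on the three fcitx-specific rules as is done for the org.freedesktop.DBus rules above. Also note that '[0-9]*' is an AppArmor glob rather than a regular expression: it matches one digit followed by any run of characters other than '/', so the path pattern accepts more than purely numeric suffixes. Finally, the rules at lines 37-41 and 33-35 cover the same objects and could be merged into one rule, as suggested in the earlier review.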
