~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26

Branch merges

Propose for merging

Merged into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master at revision 8ec53e275a33f7450f9515f7dff199731b656777

intrigeri: Approve on 2017-10-26

Steve Beattie: Approve on 2017-10-26

Diff: 77 lines (+15/-2)

4 files modified

ubuntu/17.10/abstractions/gstreamer (+7/-1)
ubuntu/17.10/abstractions/totem (+2/-1)
ubuntu/17.10/gst_plugin_scanner (+3/-0)
ubuntu/17.10/usr.bin.totem (+3/-0)

api

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

a28e823... by intrigeri on 2017-10-25

Totem abstraction: enable environment variable scrubbing back when transitioning to the gst_plugin_scanner profile.

We did this previously with Cix this got lost in
commit 2f857ea791aef3d4bf6e038d3970e9cf9f3ed3a2.

7764621... by intrigeri on 2017-10-25

Add permissions needed by recent GStreamer

… at least on Linux 4.14.

953797e... by intrigeri on 2017-10-25

Totem: allow killing unconfined processes.

This is needed so Totem can kill bwrap processes it has spawned.
Once we confine bwrap we will need to adjust the peer= argument;
there's no way we forget as this signal rule won't match anymore,
so the denials this rule fixes right now will come back.

2f857ea... by intrigeri on 2017-10-25

Totem abstraction: fix transition to gst_plugin_scanner profile.

Apparently the behavior of "Cix -> profile" has changed; I think it used to
(incorrectly?) accept to transition to a non-child profile whose name didn't
match the executable name, and now seems to be simply ignored. I'll consider
this as a bugfix. Let's use px instead, which works and matches more closely
what we want here.

89a4823... by Vincas Dargis on 2017-10-11

Totem: fix brwap qualifier

Use pux instead of Pux for bwap, because it was original intention
(not to scrub $HOME which is needed). Also, Pux is deprecated and
produces aa-logprof error.

2194269... by intrigeri on 2017-09-20

Totem: allow running bubblewrap (bwrap) unconfined.

bwrap is setuid root and requires so many admin privileges that it has to be
trusted and it makes little sense confining it ourselves.

We don't scrub environment variables because bwrap will reuse $HOME
(see bwrap(1)) and clean the environment itself.

The corresponding discussion starts at
https://lists.ubuntu.com/archives/apparmor/2017-September/011064.html

ea46d1b... by intrigeri on 2017-09-20

Totem abstraction: allow read-write access to Tracker's journal.

bfc0bff... by Steve Beattie on 2017-09-08

Merge stricter totem and totem rules fixes branch from intrigeri

8bce824... by Steve Beattie on 2017-09-08

Merge dropping of obsolete /dev/.udev evolution rule from intrigeri

55c33e6... by intrigeri on 2017-07-25

Totem: grant access to ~/.cache/mesa/**.

According to https://bugs.debian.org/867692, that's now needed on some systems
once the changes brought by this branch are applied.