Merge lp:~intrigeri/apparmor-profiles/gstreamer-abstraction into lp:apparmor-profiles

Proposed by intrigeri
Status: Merged
Merged at revision: 134
Proposed branch: lp:~intrigeri/apparmor-profiles/gstreamer-abstraction
Merge into: lp:apparmor-profiles
Diff against target: 93 lines (+38/-16)
4 files modified
ubuntu/14.10/abstractions/gstreamer (+15/-0)
ubuntu/14.10/abstractions/totem (+2/-9)
ubuntu/14.10/gst_plugin_scanner (+21/-0)
ubuntu/14.10/usr.bin.totem (+0/-7)
To merge this branch: bzr merge lp:~intrigeri/apparmor-profiles/gstreamer-abstraction
Reviewer Review Type Date Requested Status
AppArmor Developers Pending
Review via email: mp+228398@code.launchpad.net

Description of the change

OK, apparently it's easier for you folks to review stuff proposed on lp than submitted to the mailing-list, so... here we go :)

Revision history for this message
Seth Arnold (seth-arnold) wrote :

On Sat, Jul 26, 2014 at 03:09:23PM -0000, intrigeri wrote:
> OK, apparently it's easier for you folks to review stuff proposed on lp than submitted to the mailing-list, so... here we go :)

> https://code.launchpad.net/~intrigeri/apparmor-profiles/gstreamer-abstraction/+merge/228398

Sorry. Maybe it's just harder to lose track of...

This looks like a good cleanup to me. It does seem a bit strange that
/usr/bin/totem brings in a totem abstraction which then brings in the
gstreamer abstraction. And I don't understand why pkcs11 support is
included in any of these (but that's not new, I've never understood why
it's included).

So while I don't want to block this on figuring out the totem abstraction,
I do wonder if we want/need it, and wonder why we've got the p11-kit
abstraction included here.

Thanks

> === added file 'ubuntu/14.10/abstractions/gstreamer'
> --- ubuntu/14.10/abstractions/gstreamer 1970-01-01 00:00:00 +0000
> +++ ubuntu/14.10/abstractions/gstreamer 2014-07-26 15:08:59 +0000
> @@ -0,0 +1,15 @@
> +# vim:syntax=apparmor
> +
> + #include <abstractions/p11-kit>
> +
> + /etc/udev/udev.conf r,
> +
> + # /dev/shm is a symlink to /run/shm on ubuntu
> + owner /{dev,run}/shm/shmfd-* rw,
> +
> + /run/udev/data/+pci:* r,
> +
> + /sys/devices/pci[0-9]*/**/{busnum,devnum,descriptors,speed,uevent} r,
> +
> + owner /tmp/orcexec.* mrw,
> + owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
>
> === modified file 'ubuntu/14.10/abstractions/totem'
> --- ubuntu/14.10/abstractions/totem 2014-07-22 15:26:03 +0000
> +++ ubuntu/14.10/abstractions/totem 2014-07-26 15:08:59 +0000
> @@ -16,9 +16,9 @@
> # a maintenance problem and doesn't work for files without extensions.
>
> #include <abstractions/gnome>
> + #include <abstractions/gstreamer>
> #include <abstractions/nameservice>
> #include <abstractions/dbus-session>
> - #include <abstractions/p11-kit>
>
> # Allow read on all directories
> /**/ r,
> @@ -28,14 +28,7 @@
> /usr/share/** r,
> /{media,mnt,opt,srv}/** r,
>
> - owner /tmp/orcexec.* m,
> -
> - /etc/wildmidi/wildmidi.cfg r,
> -
> - /usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
> - /usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
> - /usr/lib/frei0r-[0-9]/*.so m,
> - /usr/lib/@{multiarch}/gstreamer[0-9].[0-9]/gstreamer-[0-9].[0-9]/gst-plugin-scanner Pix,
> + /usr/lib/@{multiarch}/gstreamer[0-9].[0-9]/gstreamer-[0-9].[0-9]/gst-plugin-scanner Cix -> gst_plugin_scanner,
>
> owner @{HOME}/.cache/tracker/meta.db k,
> owner @{HOME}/.cache/tracker/meta.db-shm k,
>
> === added file 'ubuntu/14.10/gst_plugin_scanner'
> --- ubuntu/14.10/gst_plugin_scanner 1970-01-01 00:00:00 +0000
> +++ ubuntu/14.10/gst_plugin_scanner 2014-07-26 15:08:59 +0000
> @@ -0,0 +1,21 @@
> +# vim:syntax=apparmor
> +
> +profile gst_plugin_scanner {
> + #include <abstractions/base>
> + #include <abstractions/gstreamer>
> + #include <abstractions/X>
> +
> + /dev/ r,
> + /dev/bus/usb/ r,
> +
> + /sys/bus/ r,
> + /sys/bus/usb/devices/ r,
> + /sys/class/ r,
> +
> + /etc/wildmidi/wildmidi.cfg r,
> +
> + /usr/lib/frei0r-[0-9]/*.so m,
> + # /usr/lib/@{multiarch}/dri/** mr,
> + /usr/lib/@{multiarch}/libproxy/*/modules/*.so m...


Revision history for this message
intrigeri (intrigeri) wrote :

Hi,

Seth Arnold wrote (28 Jul 2014 03:45:39 GMT) :
> This looks like a good cleanup to me.

Thank you.

> It does seem a bit strange that /usr/bin/totem brings in a totem
> abstraction which then brings in the gstreamer abstraction.

Would you prefer it if usr.bin.totem{,-previewers} both pulled the
gstreamer abstraction themselves?

> And I don't understand why pkcs11 support is included in any of
> these (but that's not new, I've never understood why it's included.)

ldd tells me that /usr/bin/totem is linked against libp11-kit.so.0,
for whatever reason. Not looked at the source.

> So while I don't want to block this on figuring out the totem abstraction
> I do wonder if we want/need it, [...]

Do you mean we might not need the totem abstraction at all? I think
it's useful because two profiles (namely: usr.bin.totem{,-previewers})
need common rules. But perhaps I'm missing something?

Cheers!

Revision history for this message
Cameron Norman (cameronnemo) wrote :

Regarding the p11kit stuff, I have been working on profiles for a number of gtk3 applications recently and they have all needed it. Maybe it is something in glib that uses it?

Revision history for this message
intrigeri (intrigeri) wrote :

Ping?

Preview Diff

1=== added file 'ubuntu/14.10/abstractions/gstreamer'
2--- ubuntu/14.10/abstractions/gstreamer 1970-01-01 00:00:00 +0000
3+++ ubuntu/14.10/abstractions/gstreamer 2014-07-26 15:08:59 +0000
4@@ -0,0 +1,15 @@
5+# vim:syntax=apparmor
6+
7+ #include <abstractions/p11-kit>
8+
9+ /etc/udev/udev.conf r,
10+
11+ # /dev/shm is a symlink to /run/shm on ubuntu
12+ owner /{dev,run}/shm/shmfd-* rw,
13+
14+ /run/udev/data/+pci:* r,
15+
16+ /sys/devices/pci[0-9]*/**/{busnum,devnum,descriptors,speed,uevent} r,
17+
18+ owner /tmp/orcexec.* mrw,
19+ owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
20
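Review bot: `owner /tmp/orcexec.* mrw,` and the matching `/run/user/` rule grant write and map-exec together on the same path, where the totem abstraction only granted `m`, so any profile that pulls in this abstraction may write a file under /tmp and then map it executable. That is what ORC's JIT needs to run, but the widening from `m` to `mrw` deserves a comment saying so, and the file has no header line explaining what it covers (the udev, shm and orcexec rules GStreamer needs at runtime), unlike the `# /dev/shm is a symlink ...` note it already carries.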
21=== modified file 'ubuntu/14.10/abstractions/totem'
22--- ubuntu/14.10/abstractions/totem 2014-07-22 15:26:03 +0000
23+++ ubuntu/14.10/abstractions/totem 2014-07-26 15:08:59 +0000
24@@ -16,9 +16,9 @@
25 # a maintenance problem and doesn't work for files without extensions.
26
27 #include <abstractions/gnome>
28+ #include <abstractions/gstreamer>
29 #include <abstractions/nameservice>
30 #include <abstractions/dbus-session>
31- #include <abstractions/p11-kit>
32
33 # Allow read on all directories
34 /**/ r,
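Review bot: removing `#include <abstractions/p11-kit>` here only keeps totem working because the new gstreamer abstraction includes it again, so the include has effectively moved from totem to gstreamer. The discussion gives the reason for it as /usr/bin/totem being linked against libp11-kit.so.0, which is a totem dependency rather than a GStreamer one; unless a gstreamer plugin actually needs PKCS#11 access, keep the include in this abstraction and leave it out of abstractions/gstreamer, otherwise every profile that uses gstreamer (the new gst_plugin_scanner profile included) inherits p11-kit access it has no use for.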
35@@ -28,14 +28,7 @@
36 /usr/share/** r,
37 /{media,mnt,opt,srv}/** r,
38
39- owner /tmp/orcexec.* m,
40-
41- /etc/wildmidi/wildmidi.cfg r,
42-
43- /usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
44- /usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
45- /usr/lib/frei0r-[0-9]/*.so m,
46- /usr/lib/@{multiarch}/gstreamer[0-9].[0-9]/gstreamer-[0-9].[0-9]/gst-plugin-scanner Pix,
47+ /usr/lib/@{multiarch}/gstreamer[0-9].[0-9]/gstreamer-[0-9].[0-9]/gst-plugin-scanner Cix -> gst_plugin_scanner,
48
49 owner @{HOME}/.cache/tracker/meta.db k,
50 owner @{HOME}/.cache/tracker/meta.db-shm k,
51
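Review bot: `Cix -> gst_plugin_scanner` transitions to a child profile and falls back to `ix` when no child of that name exists, so if `profile gst_plugin_scanner { }` is not nested inside each totem profile, the scanner silently keeps running under totem's full profile and the narrower profile never applies, with nothing logged. Nothing in this diff includes ubuntu/14.10/gst_plugin_scanner into usr.bin.totem or usr.bin.totem-previewers; please confirm how the child profile gets into the profile bodies, and consider testing with `Cx -> gst_plugin_scanner` (no inherit fallback) so a missing child shows up as a denied exec in the audit log rather than as wider confinement.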
52=== added file 'ubuntu/14.10/gst_plugin_scanner'
53--- ubuntu/14.10/gst_plugin_scanner 1970-01-01 00:00:00 +0000
54+++ ubuntu/14.10/gst_plugin_scanner 2014-07-26 15:08:59 +0000
55@@ -0,0 +1,21 @@
56+# vim:syntax=apparmor
57+
58+profile gst_plugin_scanner {
59+ #include <abstractions/base>
60+ #include <abstractions/gstreamer>
61+ #include <abstractions/X>
62+
63+ /dev/ r,
64+ /dev/bus/usb/ r,
65+
66+ /sys/bus/ r,
67+ /sys/bus/usb/devices/ r,
68+ /sys/class/ r,
69+
70+ /etc/wildmidi/wildmidi.cfg r,
71+
72+ /usr/lib/frei0r-[0-9]/*.so m,
73+ # /usr/lib/@{multiarch}/dri/** mr,
74+ /usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
75+ /usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
76+}
77
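Review bot: the commented-out `# /usr/lib/@{multiarch}/dri/** mr,` carries no explanation; say why it is disabled or drop it, since a later reader cannot tell whether DRI access was found unnecessary or is still being denied. The plugin rules are also inconsistent: frei0r and libvisual get `m` only while libproxy gets `mr`, and dlopen opens a library for read before mapping it, so either the `r` already comes from abstractions/base (in which case check whether these rules are needed at all) or the two `m`-only rules need `mr` as well.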
78=== modified file 'ubuntu/14.10/usr.bin.totem'
79--- ubuntu/14.10/usr.bin.totem 2014-07-22 15:26:33 +0000
80+++ ubuntu/14.10/usr.bin.totem 2014-07-26 15:08:59 +0000
81@@ -9,13 +9,6 @@
82 #include <abstractions/python>
83 #include <abstractions/totem>
84
85- /etc/udev/udev.conf r,
86- /sys/devices/pci[0-9]*/**/{busnum,devnum,descriptors,speed,uevent} r,
87- /run/udev/data/+pci:* r,
88-
89- # /dev/shm is a symlink to /run/shm on ubuntu
90- owner /{dev,run}/shm/shmfd-* rw,
91-
92 # Maybe in an abstraction?
93 /usr/include/**/pyconfig.h r,
94
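Review bot: the rules removed here now reach totem only through abstractions/totem -> abstractions/gstreamer, which is fine, but the file list shows usr.bin.totem-previewers is untouched by this branch even though the discussion names it as the other consumer of abstractions/totem; if it carries the same udev and shm rules, they are now duplicated through the abstraction and should be removed in the same way.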
