Thumbnailer

Merge lp:~jamesh/thumbnailer/use-aa-query-label into lp:thumbnailer/devel

use-aa-query-label
Merge into devel

Proposed by James Henstridge on 2015-06-16

Status:

Merged

Approved by:

Michi Henning on 2015-06-17

Approved revision:

226

Merged at revision:

218

Proposed branch:

lp:~jamesh/thumbnailer/use-aa-query-label

Merge into:

lp:thumbnailer/devel

Diff against target:

1060 lines (+321/-200)

22 files modified

CMakeLists.txt (+1/-0)
include/internal/check_access.h (+42/-0)
include/internal/thumbnailer.h (+4/-1)
plugins/Ubuntu/Thumbnailer.0.1/CMakeLists.txt (+0/-1)
plugins/Ubuntu/Thumbnailer.0.1/thumbnailgenerator.cpp (+1/-15)
src/CMakeLists.txt (+2/-0)
src/check_access.cpp (+83/-0)
src/service/CMakeLists.txt (+1/-3)
src/service/dbusinterface.cpp (+1/-2)
src/service/dbusinterface.h (+0/-1)
src/service/dbusinterface.xml (+1/-2)
src/service/handler.cpp (+1/-1)
src/thumbnailer-admin/get_local_thumbnail.cpp (+1/-13)
src/thumbnailer.cpp (+41/-26)
tests/CMakeLists.txt (+1/-0)
tests/check_access/CMakeLists.txt (+3/-0)
tests/check_access/check_access_test.cpp (+64/-0)
tests/dbus/dbus_test.cpp (+5/-42)
tests/qml/tst_albumart.qml (+4/-12)
tests/testsetup.h.in (+1/-1)
tests/thumbnailer-admin/thumbnailer-admin_test.cpp (+2/-2)
tests/thumbnailer/thumbnailer_test.cpp (+62/-78)

To merge this branch:

bzr merge lp:~jamesh/thumbnailer/use-aa-query-label

Related bugs:

Bug #1381713: Support policy query interface for file	Undecided	Fix Released
Bug #1464068: Out of file descriptors	Undecided	Fix Released

Link a bug report

Reviewer	Review Type	Date Requested	Status
PS Jenkins bot (community)	continuous-integration		Approve on 2015-06-17
Michi Henning (community)		2015-06-16	Approve on 2015-06-17
Review via email: mp+262060@code.launchpad.net

Commit message

Remove the filename_fd argument to the GetThumbnail() D-Bus method, instead using aa_query_label() to check whether the caller has access to the relevant file.

Description of the change

Update the GetThumbnail dbus method to remove the filename_fd argument. Instead, use aa_query_label() to check whether the client has access to the target file.

We were already canonicalising the path, so shouldn't have trouble getting tricked by symlinks.

I'll provide some more concrete ways to test this on the phone once I've got ARM binaries.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2015-06-16:

FAILED: Continuous integration, rev:222
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~jamesh/thumbnailer/use-aa-query-label/+merge/262060/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-ci/285/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-amd64-ci/94/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-armhf-ci/96/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-i386-ci/94/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/thumbnailer-devel-ci/285/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2015-06-16:

FAILED: Continuous integration, rev:223
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~jamesh/thumbnailer/use-aa-query-label/+merge/262060/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-ci/286/
Executed test runs:
    FAILURE: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-amd64-ci/95/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-armhf-ci/97/console
    FAILURE: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-i386-ci/95/console

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/thumbnailer-devel-ci/286/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2015-06-17:

FAILED: Continuous integration, rev:224
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~jamesh/thumbnailer/use-aa-query-label/+merge/262060/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-ci/287/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-amd64-ci/96
    SUCCESS: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-armhf-ci/98
        deb: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-armhf-ci/98/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-i386-ci/96

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/thumbnailer-devel-ci/287/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

James Henstridge (jamesh) wrote on 2015-06-17:

Here is the steps I went to test this on the phone after installing it:

1. run "sudo aa-status" to find the list of profiles installed on the system. I looked for the label for the gallery app, which in this case was "com.ubuntu.gallery_gallery_2.9.1.1183"

2. Copy an image to ~/.local/share/com.ubuntu.music (or any other app-specific directory).

3. Change to ~/.local/share/com.ubuntu.gallery (a directory the profile from (1) could write to).

4. Run the following command (adjusting for exact label name):

aa-exec -p com.ubuntu.gallery_gallery_2.9.1.1183 thumbnailer-admin get \
~/.local/share/com.ubuntu.music/image.jpg .

I then received the following error message:

thumbnailer-admin: checkFinished(): thumbnail: /home/phablet/.local/share/com.ubuntu.music/image20150602_014415108.jpg (0,0): unity::ResourceException: RequestBase::thumbnail(): key = /home/phablet/.local/share/com.ubuntu.music/image20150602_014415108.jpg\0145638\01434511100.933353751\01434511100.933353751:
LocalThumbnailRequest::fetch(): AppArmor policy forbids access to /home/phablet/.local/share/com.ubuntu.music/image20150602_014415108.jpg

(plus a bunch of output complaining that it couldn't write to .gcda files, since this was a coverage build).

Revision history for this message

Michi Henning (michihenning) wrote on 2015-06-17:

Beautiful!

review: Approve

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2015-06-17:

FAILED: Autolanding.
No commit message was specified in the merge proposal. Hit 'Add commit message' on the merge proposal web page or follow the link below. You can approve the merge proposal yourself to rerun.
https://code.launchpad.net/~jamesh/thumbnailer/use-aa-query-label/+merge/262060/+edit-commit-message

review: Needs Fixing (continuous-integration)

lp:~jamesh/thumbnailer/use-aa-query-label updated on 2015-06-17

225. By James Henstridge on 2015-06-17: Add some more debug logging.

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2015-06-17:

FAILED: Continuous integration, rev:225
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~jamesh/thumbnailer/use-aa-query-label/+merge/262060/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-ci/289/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-amd64-ci/98
    SUCCESS: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-armhf-ci/100
        deb: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-armhf-ci/100/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-i386-ci/98

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/thumbnailer-devel-ci/289/rebuild

review: Needs Fixing (continuous-integration)

lp:~jamesh/thumbnailer/use-aa-query-label updated on 2015-06-17

226. By James Henstridge on 2015-06-17: Remove the extra nul byte at the end of the buffer passed to
aa_query_label() -- this causes the check to fail for AppArmor labels
other than "unconfined".

Revision history for this message

PS Jenkins bot (ps-jenkins) wrote on 2015-06-17:

FAILED: Continuous integration, rev:226
No commit message was specified in the merge proposal. Click on the following link and set the commit message (if you want a jenkins rebuild you need to trigger it yourself):
https://code.launchpad.net/~jamesh/thumbnailer/use-aa-query-label/+merge/262060/+edit-commit-message

http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-ci/290/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-amd64-ci/99
    SUCCESS: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-armhf-ci/101
        deb: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-armhf-ci/101/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/thumbnailer-devel-wily-i386-ci/99

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/thumbnailer-devel-ci/290/rebuild

review: Needs Fixing (continuous-integration)

Revision history for this message

Michi Henning (michihenning) wrote on 2015-06-17:

Excellent, thank you!

review: Approve

Revision history for this message

PS Jenkins bot (ps-jenkins) on 2015-06-17:

review: Approve (continuous-integration)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

James Henstridge

Unity Team

 === modified file 'CMakeLists.txt'
 --- CMakeLists.txt	2015-06-12 04:38:11 +0000
 +++ CMakeLists.txt	2015-06-17 06:15:32 +0000
@@ -104,6 +104,7 @@
  include_directories(${GIO_DEPS_INCLUDE_DIRS})
  include_directories(${IMG_DEPS_INCLUDE_DIRS})
  include_directories(${UNITY_API_DEPS_INCLUDE_DIRS})
++include_directories(${APPARMOR_DEPS_INCLUDE_DIRS})
  include_directories(include)
  include_directories(${CMAKE_CURRENT_BINARY_DIR}/include)
 === added file 'include/internal/check_access.h'
 --- include/internal/check_access.h	1970-01-01 00:00:00 +0000
 +++ include/internal/check_access.h	2015-06-17 06:15:32 +0000
@@ -0,0 +1,42 @@
++/*
++ * Copyright (C) 2015 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 3 as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: James Henstridge <james.henstridge@canonical.com>
++ */
++
++#pragma once
++
++#include <string>
++
++namespace unity
++{
++
++namespace thumbnailer
++{
++
++namespace internal
++{
++
++// Returns true if the given AppArmor profile can read the given path.
++// Note that if path is a symlink, the check will be against the
++// symlink path rather than the symlink target.
++bool apparmor_can_read(std::string const& apparmor_label,
++                       std::string const& path);
++
++}  // namespace internal
++
++}  // namespace thumbnailer
++
++}  // namespace unity
 === modified file 'include/internal/thumbnailer.h'
 --- include/internal/thumbnailer.h	2015-06-08 06:03:00 +0000
 +++ include/internal/thumbnailer.h	2015-06-17 06:15:32 +0000
@@ -72,6 +72,10 @@
      virtual FetchStatus status() const = 0;
      virtual std::string const& key() const = 0;
++
++    // Set the credentials of the caller.
++    virtual void set_client_credentials(uid_t user, std::string const& apparmor_label) = 0;
++
  Q_SIGNALS:
      void downloadFinished();
  };
@@ -103,7 +107,6 @@
       * If the thumbnail could not be generated, an empty string is returned.
       */
      std::unique_ptr<ThumbnailRequest> get_thumbnail(std::string const& filename,
--                                                    int filename_fd,
                                                      QSize const& requested_size);
      /**
 === modified file 'plugins/Ubuntu/Thumbnailer.0.1/CMakeLists.txt'
 --- plugins/Ubuntu/Thumbnailer.0.1/CMakeLists.txt	2015-06-08 01:34:57 +0000
 +++ plugins/Ubuntu/Thumbnailer.0.1/CMakeLists.txt	2015-06-17 06:15:32 +0000
@@ -10,7 +10,6 @@
    albumartgenerator.cpp
    artgeneratorcommon.cpp
    artistartgenerator.cpp
--  ${CMAKE_SOURCE_DIR}/src/safe_strerror.cpp
    plugin.cpp
    thumbnailerimageresponse.cpp
    thumbnailgenerator.cpp
 === modified file 'plugins/Ubuntu/Thumbnailer.0.1/thumbnailgenerator.cpp'
 --- plugins/Ubuntu/Thumbnailer.0.1/thumbnailgenerator.cpp	2015-06-11 10:21:50 +0000
 +++ plugins/Ubuntu/Thumbnailer.0.1/thumbnailgenerator.cpp	2015-06-17 06:15:32 +0000
@@ -22,11 +22,6 @@
  #include <service/dbus_names.h>
  #include "thumbnailerimageresponse.h"
--#include <internal/safe_strerror.h>
--
--#include <fcntl.h>
--#include <unistd.h>
--
  namespace
+ {
@@ -77,15 +72,6 @@
       * cases we don't want to do that for performance reasons, so this
       * is the only way around the issue for now. */
      QString src_path = QUrl(id).path();
--    int fd = open(src_path.toUtf8().constData(), O_RDONLY | O_CLOEXEC);
--    if (fd < 0)
--    {
--        qDebug() << "ThumbnailGenerator::requestImageResponse(): cannot open " + src_path + ": " +
--                    QString::fromStdString(internal::safe_strerror(errno));
--        return new ThumbnailerImageResponse(requestedSize, default_image_based_on_mime(id));
--    }
--    QDBusUnixFileDescriptor unix_fd(fd);
--    close(fd);
      if (!connection)
+     {
@@ -95,7 +81,7 @@
          iface.reset(new ThumbnailerInterface(service::BUS_NAME, service::THUMBNAILER_BUS_PATH, *connection));
+     }
--    auto reply = iface->GetThumbnail(src_path, unix_fd, requestedSize);
++    auto reply = iface->GetThumbnail(src_path, requestedSize);
      std::unique_ptr<QDBusPendingCallWatcher> watcher(
          new QDBusPendingCallWatcher(reply));
      return new ThumbnailerImageResponse(requestedSize, default_image_based_on_mime(id), std::move(watcher));
 === modified file 'src/CMakeLists.txt'
 --- src/CMakeLists.txt	2015-06-11 09:34:31 +0000
 +++ src/CMakeLists.txt	2015-06-17 06:15:32 +0000
@@ -13,6 +13,7 @@
  add_library(thumbnailer STATIC
      artdownloader.cpp
++    check_access.cpp
      file_io.cpp
      image.cpp
      imageextractor.cpp
@@ -40,6 +41,7 @@
      ${GIO_DEPS_LDFLAGS}
      ${IMG_DEPS_LDFLAGS}
      ${UNITY_API_DEPS_LDFLAGS}
++    ${APPARMOR_DEPS_LDFLAGS}
+ )
  add_subdirectory(service)
 === added file 'src/check_access.cpp'
 --- src/check_access.cpp	1970-01-01 00:00:00 +0000
 +++ src/check_access.cpp	2015-06-17 06:15:32 +0000
@@ -0,0 +1,83 @@
++/*
++ * Copyright (C) 2015 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 3 as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: James Henstridge <james.henstridge@canonical.com>
++ */
++
++#include <internal/check_access.h>
++#include <internal/safe_strerror.h>
++
++#include <errno.h>
++#include <stdexcept>
++#include <sys/apparmor.h>
++
++using namespace std;
++
++namespace
++{
++
++enum class Access
++{
++    write = 1,
++    read = 2
++};
++
++char const AA_CLASS_FILE = 2;
++
++bool query_file(Access access, string const& label, string const& path)
++{
++    static bool enabled = aa_is_enabled();
++    if (!enabled)
++    {
++        // If AppArmor is not enabled, assume access is granted.
++        return true;
++    }
++
++    string query(AA_QUERY_CMD_LABEL, AA_QUERY_CMD_LABEL_SIZE);
++    query += label;
++    query += '\0';
++    query += AA_CLASS_FILE;
++    query += path;
++
++    int allowed = 0, audited = 0;
++    if (aa_query_label(static_cast<uint32_t>(access), const_cast<char*>(query.data()), query.size(), &allowed, &audited) < 0)
++    {
++        using namespace unity::thumbnailer::internal;
++        throw runtime_error("query_file(): Could not query AppArmor access: " + safe_strerror(errno));
++    }
++    return allowed;
++}
++
++}
++
++namespace unity
++{
++
++namespace thumbnailer
++{
++
++namespace internal
++{
++
++bool apparmor_can_read(string const& apparmor_label, string const& path)
++{
++    return query_file(Access::read, apparmor_label, path);
++}
++
++}  // namespace internal
++
++}  // namespace thumbnailer
++
++}  // namespace unity
 === modified file 'src/service/CMakeLists.txt'
 --- src/service/CMakeLists.txt	2015-06-12 04:38:11 +0000
 +++ src/service/CMakeLists.txt	2015-06-17 06:15:32 +0000
@@ -1,5 +1,3 @@
--add_definitions(${APPARMOR_DEPS_CFLAGS})
--
  qt5_add_dbus_adaptor(adaptor_files dbusinterface.xml dbusinterface.h unity::thumbnailer::service::DBusInterface)
  qt5_add_dbus_adaptor(adaptor_files admininterface.xml admininterface.h unity::thumbnailer::service::AdminInterface)
@@ -21,7 +19,7 @@
+   )
  qt5_use_modules(thumbnailer-service DBus Concurrent)
--target_link_libraries(thumbnailer-service thumbnailer ${CMAKE_THREAD_LIBS_INIT} ${APPARMOR_DEPS_LDFLAGS})
++target_link_libraries(thumbnailer-service thumbnailer)
  set_target_properties(thumbnailer-service PROPERTIES AUTOMOC TRUE)
  add_dependencies(thumbnailer-service vs-thumb)
 === modified file 'src/service/dbusinterface.cpp'
 --- src/service/dbusinterface.cpp	2015-06-15 03:51:27 +0000
 +++ src/service/dbusinterface.cpp	2015-06-17 06:15:32 +0000
@@ -114,7 +114,6 @@
+ }
  QDBusUnixFileDescriptor DBusInterface::GetThumbnail(QString const& filename,
--                                                    QDBusUnixFileDescriptor const& filename_fd,
                                                      QSize const& requestedSize)
+ {
      std::unique_ptr<ThumbnailRequest> request;
@@ -124,7 +123,7 @@
          QString details;
          QTextStream s(&details);
          s << "thumbnail: " << filename << " (" << requestedSize.width() << "," << requestedSize.height() << ")";
--        auto request = thumbnailer_->get_thumbnail(filename.toStdString(), filename_fd.fileDescriptor(), requestedSize);
++        auto request = thumbnailer_->get_thumbnail(filename.toStdString(), requestedSize);
          queueRequest(new Handler(connection(), message(),
                                   check_thread_pool_, create_thread_pool_,
                                   extraction_limiter_, credentials(),
 === modified file 'src/service/dbusinterface.h'
 --- src/service/dbusinterface.h	2015-06-12 06:49:20 +0000
 +++ src/service/dbusinterface.h	2015-06-17 06:15:32 +0000
@@ -52,7 +52,6 @@
      QDBusUnixFileDescriptor GetAlbumArt(QString const& artist, QString const& album, QSize const& requestedSize);
      QDBusUnixFileDescriptor GetArtistArt(QString const& artist, QString const& album, QSize const& requestedSize);
      QDBusUnixFileDescriptor GetThumbnail(QString const& filename,
--                                         QDBusUnixFileDescriptor const& filename_fd,
                                           QSize const& requestedSize);
  private:
 === modified file 'src/service/dbusinterface.xml'
 --- src/service/dbusinterface.xml	2015-05-20 00:58:20 +0000
 +++ src/service/dbusinterface.xml	2015-06-17 06:15:32 +0000
@@ -18,10 +18,9 @@
      </method>
      <method name="GetThumbnail">
        <arg direction="in" type="s" name="filename" />
--      <arg direction="in" type="h" name="filename_fd" />
        <arg direction="in" type="(ii)" name="requestedSize" />
        <arg direction="out" type="h" name="fd" />
--      <annotation name="org.qtproject.QtDBus.QtTypeName.In2" value="QSize" />
++      <annotation name="org.qtproject.QtDBus.QtTypeName.In1" value="QSize" />
        <annotation name="org.gtk.GDBus.C.UnixFD" value="true" />
      </method>
    </interface>
 === modified file 'src/service/handler.cpp'
 --- src/service/handler.cpp	2015-06-15 04:16:34 +0000
 +++ src/service/handler.cpp	2015-06-17 06:15:32 +0000
@@ -201,7 +201,7 @@
          sendError("gotCredentials(): " + details() + ": could not retrieve peer credentials");
          return;
+     }
--    qDebug() << "Peer" << p->message.service() << "has uid =" << credentials.user << "label =" << QString::fromStdString(credentials.label);
++    p->request->set_client_credentials(credentials.user, credentials.label);
      auto do_check = [this]() -> FdOrError
+     {
 === modified file 'src/thumbnailer-admin/get_local_thumbnail.cpp'
 --- src/thumbnailer-admin/get_local_thumbnail.cpp	2015-06-03 22:24:53 +0000
 +++ src/thumbnailer-admin/get_local_thumbnail.cpp	2015-06-17 06:15:32 +0000
@@ -20,7 +20,6 @@
  #include "parse_size.h"
  #include <internal/file_io.h>
--#include <internal/raii.h>
  #include <internal/safe_strerror.h>
  #include "util.h"
@@ -90,18 +89,7 @@
+ {
      try
+     {
--        QDBusUnixFileDescriptor ufd;
--        {
--            FdPtr fd(do_close);
--            fd.reset(open(input_path_.toUtf8().data(), O_RDONLY));
--            if (fd.get() == -1)
--            {
--                throw QString("GetLocalThumbnail::run(): cannot open ") + input_path_ + ": " +
--                    QString::fromStdString(safe_strerror(errno));
--            }
--            ufd.setFileDescriptor(fd.get());
--        }
--        auto reply = conn.thumbnailer().GetThumbnail(input_path_, ufd, size_);
++        auto reply = conn.thumbnailer().GetThumbnail(input_path_, size_);
          reply.waitForFinished();
          if (!reply.isValid())
+         {
 === modified file 'src/thumbnailer.cpp'
 --- src/thumbnailer.cpp	2015-06-11 09:34:31 +0000
 +++ src/thumbnailer.cpp	2015-06-17 06:15:32 +0000
@@ -21,6 +21,7 @@
  #include <internal/thumbnailer.h>
  #include <internal/artreply.h>
++#include <internal/check_access.h>
  #include <internal/image.h>
  #include <internal/imageextractor.h>
  #include <internal/make_directories.h>
@@ -76,6 +77,11 @@
+     {
          return key_;
+     }
++    void set_client_credentials(uid_t user, std::string const& label) override
++    {
++        client_user_ = user;
++        client_apparmor_label_ = label;
++    }
      enum class CachePolicy
+     {
          cache_fullsize,
@@ -138,6 +144,8 @@
      string key_;
      QSize const requested_size_;
      chrono::milliseconds timeout_;
++    uid_t client_user_ = 0;
++    string client_apparmor_label_;
  private:
      FetchStatus status_;
@@ -152,7 +160,6 @@
  public:
      LocalThumbnailRequest(Thumbnailer* thumbnailer,
                            string const& filename,
--                          int filename_fd,
                            QSize const& requested_size,
                            chrono::milliseconds timeout);
@@ -371,36 +378,24 @@
  LocalThumbnailRequest::LocalThumbnailRequest(Thumbnailer* thumbnailer,
                                               string const& filename,
--                                             int filename_fd,
                                               QSize const& requested_size,
                                               chrono::milliseconds timeout)
      : RequestBase(thumbnailer, "", requested_size, timeout)
      , filename_(filename)
      , fd_(-1, do_close)
+ {
++    // We canonicalise the path name both to avoid caching the file
++    // multiple times, and to ensure our access checks are against the
++    // real file rather than a symlink.
      filename_ = boost::filesystem::canonical(filename).native();
--    fd_.reset(open(filename_.c_str(), O_RDONLY | O_CLOEXEC));
--    if (fd_.get() < 0)
--    {
--        // LCOV_EXCL_START
--        throw runtime_error("LocalThumbnailRequest(): Could not open " + filename_ + ": " + safe_strerror(errno));
--        // LCOV_EXCL_STOP
--    }
--    struct stat our_stat, client_stat;
--    if (fstat(fd_.get(), &our_stat) < 0)
++
++    struct stat st;
++    if (stat(filename_.c_str(), &st) < 0)
+     {
          // LCOV_EXCL_START
          throw runtime_error("LocalThumbnailRequest(): Could not stat " + filename_ + ": " + safe_strerror(errno));
          // LCOV_EXCL_STOP
+     }
--    if (fstat(filename_fd, &client_stat) < 0)
--    {
--        throw runtime_error("LocalThumbnailRequest(): Could not stat file descriptor: " + safe_strerror(errno));
--    }
--    if (our_stat.st_dev != client_stat.st_dev || our_stat.st_ino != client_stat.st_ino)
--    {
--        throw runtime_error("LocalThumbnailRequest(): file descriptor does not refer to file " + filename_);
--    }
      // The full cache key for the file is the concatenation of path
      // name, inode, modification time, and inode modification time
@@ -413,11 +408,11 @@
      // due to file removal or file update are rare).
      key_ = filename_;
      key_ += '\0';
--    key_ += to_string(our_stat.st_ino);
--    key_ += '\0';
--    key_ += to_string(our_stat.st_mtim.tv_sec) + "." + to_string(our_stat.st_mtim.tv_nsec);
--    key_ += '\0';
--    key_ += to_string(our_stat.st_ctim.tv_sec) + "." + to_string(our_stat.st_ctim.tv_nsec);
++    key_ += to_string(st.st_ino);
++    key_ += '\0';
++    key_ += to_string(st.st_mtim.tv_sec) + "." + to_string(st.st_mtim.tv_nsec);
++    key_ += '\0';
++    key_ += to_string(st.st_ctim.tv_sec) + "." + to_string(st.st_ctim.tv_nsec);
+ }
  RequestBase::ImageData LocalThumbnailRequest::fetch(QSize const& size_hint)
@@ -428,6 +423,19 @@
          return ImageData(Image(image_extractor_->data()), CachePolicy::cache_fullsize, Location::local);
+     }
++    if (client_user_ != geteuid())
++    {
++        // LCOV_EXCL_START
++        throw runtime_error("LocalThumbnailRequest::fetch(): Request comes from a different user ID");
++        // LCOV_EXCL_STOP
++    }
++    if (!apparmor_can_read(client_apparmor_label_, filename_)) {
++        // LCOV_EXCL_START
++        qDebug() << "Apparmor label" << QString::fromStdString(client_apparmor_label_) << "has no access to" << QString::fromStdString(filename_);
++        throw runtime_error("LocalThumbnailRequest::fetch(): AppArmor policy forbids access to " + filename_);
++        // LCOV_EXCL_STOP
++    }
++
      // Work out content type.
      gobj_ptr<GFile> file(g_file_new_for_path(filename_.c_str()));
      assert(file);  // Cannot fail according to doc.
@@ -447,6 +455,14 @@
          return ImageData(FetchStatus::error, Location::local);  // LCOV_EXCL_LINE
+     }
++    fd_.reset(open(filename_.c_str(), O_RDONLY | O_CLOEXEC));
++    if (fd_.get() < 0)
++    {
++        // LCOV_EXCL_START
++        throw runtime_error("LocalThumbnailRequest(): Could not open " + filename_ + ": " + safe_strerror(errno));
++        // LCOV_EXCL_STOP
++    }
++
      // Call the appropriate image extractor and return the image data as JPEG (not scaled).
      // We indicate that full-size images are to be cached only for audio and video files,
      // for which extraction is expensive. For local images, we don't cache full size.
@@ -621,7 +637,6 @@
  Thumbnailer::~Thumbnailer() = default;
  unique_ptr<ThumbnailRequest> Thumbnailer::get_thumbnail(string const& filename,
--                                                        int filename_fd,
                                                          QSize const& requested_size)
+ {
      assert(!filename.empty());
@@ -629,7 +644,7 @@
      try
+     {
          return unique_ptr<ThumbnailRequest>(
--                new LocalThumbnailRequest(this, filename, filename_fd, requested_size, extraction_timeout_));
++                new LocalThumbnailRequest(this, filename, requested_size, extraction_timeout_));
+     }
      catch (std::exception const&)
+     {
 === modified file 'tests/CMakeLists.txt'
 --- tests/CMakeLists.txt	2015-06-06 08:23:29 +0000
 +++ tests/CMakeLists.txt	2015-06-17 06:15:32 +0000
@@ -8,6 +8,7 @@
  add_subdirectory(utils)
  set(unit_test_dirs
++    check_access
      dbus
      download
      file_io
 === added directory 'tests/check_access'
 === added file 'tests/check_access/CMakeLists.txt'
 --- tests/check_access/CMakeLists.txt	1970-01-01 00:00:00 +0000
 +++ tests/check_access/CMakeLists.txt	2015-06-17 06:15:32 +0000
@@ -0,0 +1,3 @@
++add_executable(check_access_test check_access_test.cpp)
++target_link_libraries(check_access_test thumbnailer gtest)
++add_test(check_access check_access_test)
 === added file 'tests/check_access/check_access_test.cpp'
 --- tests/check_access/check_access_test.cpp	1970-01-01 00:00:00 +0000
 +++ tests/check_access/check_access_test.cpp	2015-06-17 06:15:32 +0000
@@ -0,0 +1,64 @@
++/*
++ * Copyright (C) 2015 Canonical Ltd.
++ *
++ * This program is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License version 3 as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ *
++ * Authored by: James Henstridge <james.henstridge@canonical.com>
++ */
++
++#include <internal/check_access.h>
++
++#include <gtest/gtest.h>
++#include <testsetup.h>
++
++#include <cstdio>
++#include <errno.h>
++#include <stdexcept>
++#include <sys/apparmor.h>
++
++using namespace std;
++using namespace unity::thumbnailer::internal;
++
++TEST(check_acess, unconfined)
++{
++    if (!aa_is_enabled()) {
++        printf("AppArmor is disabled\n");
++        return;
++    }
++
++    EXPECT_TRUE(apparmor_can_read("unconfined", "/etc/passwd"));
++}
++
++TEST(check_access, confined) {
++    if (!aa_is_enabled()) {
++        printf("AppArmor is disabled\n");
++        return;
++    }
++
++    // We can't load new profiles into the kernel from the tests, so
++    // try one of the base system profiles that is probably loaded.
++    try
++    {
++        EXPECT_FALSE(apparmor_can_read("/sbin/dhclient", "/etc/passwd"));
++    }
++    catch (std::runtime_error const&) {
++        EXPECT_EQ(ENOENT, errno);
++        printf("Test AppArmor label not loaded in kernel\n");
++    }
++}
++
++int main(int argc, char** argv)
++{
++    ::testing::InitGoogleTest(&argc, argv);
++    return RUN_ALL_TESTS();
++}
 === modified file 'tests/dbus/dbus_test.cpp'
 --- tests/dbus/dbus_test.cpp	2015-06-08 03:59:53 +0000
 +++ tests/dbus/dbus_test.cpp	2015-06-17 06:15:32 +0000
@@ -125,12 +125,8 @@
  TEST_F(DBusTest, thumbnail_image)
+ {
      const char* filename = TESTDATADIR "/testimage.jpg";
--    FdPtr fd(open(filename, O_RDONLY), do_close);
--    ASSERT_GE(fd.get(), 0);
--
      QDBusReply<QDBusUnixFileDescriptor> reply =
--        dbus_->thumbnailer_->GetThumbnail(
--            filename, QDBusUnixFileDescriptor(fd.get()), QSize(256, 256));
++        dbus_->thumbnailer_->GetThumbnail(filename, QSize(256, 256));
      assert_no_error(reply);
      Image image(reply.value().fileDescriptor());
@@ -144,12 +140,8 @@
      for (int i = 0; i < 2; ++i)
+     {
          const char* filename = TESTDATADIR "/testsong.ogg";
--        FdPtr fd(open(filename, O_RDONLY), do_close);
--        ASSERT_GE(fd.get(), 0);
--
          QDBusReply<QDBusUnixFileDescriptor> reply =
--            dbus_->thumbnailer_->GetThumbnail(
--                filename, QDBusUnixFileDescriptor(fd.get()), QSize(256, 256));
++            dbus_->thumbnailer_->GetThumbnail(filename, QSize(256, 256));
          assert_no_error(reply);
          Image image(reply.value().fileDescriptor());
@@ -164,12 +156,8 @@
      for (int i = 0; i < 2; ++i)
+     {
          const char* filename = TESTDATADIR "/testvideo.ogg";
--        FdPtr fd(open(filename, O_RDONLY), do_close);
--        ASSERT_GE(fd.get(), 0);
--
          QDBusReply<QDBusUnixFileDescriptor> reply =
--            dbus_->thumbnailer_->GetThumbnail(
--                filename, QDBusUnixFileDescriptor(fd.get()), QSize(256, 256));
++            dbus_->thumbnailer_->GetThumbnail(filename, QSize(256, 256));
          assert_no_error(reply);
          Image image(reply.value().fileDescriptor());
@@ -181,35 +169,13 @@
  TEST_F(DBusTest, thumbnail_no_such_file)
+ {
      const char* no_such_file = TESTDATADIR "/no-such-file.jpg";
--    const char* filename2 = TESTDATADIR "/testrotate.jpg";
--
--    FdPtr fd(open(filename2, O_RDONLY), do_close);
--    ASSERT_GE(fd.get(), 0);
--
      QDBusReply<QDBusUnixFileDescriptor> reply =
--        dbus_->thumbnailer_->GetThumbnail(
--            no_such_file, QDBusUnixFileDescriptor(fd.get()), QSize(256, 256));
++        dbus_->thumbnailer_->GetThumbnail(no_such_file, QSize(256, 256));
      EXPECT_FALSE(reply.isValid());
      auto message = reply.error().message().toStdString();
      EXPECT_TRUE(boost::contains(message, " No such file or directory: ")) << message;
+ }
--TEST_F(DBusTest, thumbnail_wrong_fd_fails)
--{
--    const char* filename1 = TESTDATADIR "/testimage.jpg";
--    const char* filename2 = TESTDATADIR "/testrotate.jpg";
--
--    FdPtr fd(open(filename2, O_RDONLY), do_close);
--    ASSERT_GE(fd.get(), 0);
--
--    QDBusReply<QDBusUnixFileDescriptor> reply =
--        dbus_->thumbnailer_->GetThumbnail(
--            filename1, QDBusUnixFileDescriptor(fd.get()), QSize(256, 256));
--    EXPECT_FALSE(reply.isValid());
--    auto message = reply.error().message().toStdString();
--    EXPECT_TRUE(boost::contains(message, " file descriptor does not refer to file ")) << message;
--}
--
  TEST_F(DBusTest, duplicate_requests)
+ {
      int const N_REQUESTS = 10;
@@ -264,16 +230,13 @@
+ {
      // basic setup to the query
      const char* filename = TESTDATADIR "/testimage.jpg";
--    FdPtr fd(open(filename, O_RDONLY), do_close);
--    ASSERT_GE(fd.get(), 0);
      QSignalSpy spy_exit(&dbus_->service_process(),
                          static_cast<void (QProcess::*)(int, QProcess::ExitStatus)>(&QProcess::finished));
      // start a query
      QDBusReply<QDBusUnixFileDescriptor> reply =
--        dbus_->thumbnailer_->GetThumbnail(
--            filename, QDBusUnixFileDescriptor(fd.get()), QSize(256, 256));
++        dbus_->thumbnailer_->GetThumbnail(filename, QSize(256, 256));
      assert_no_error(reply);
      // wait for 5 seconds... (default)
 === modified file 'tests/qml/tst_albumart.qml'
 --- tests/qml/tst_albumart.qml	2015-06-01 06:19:23 +0000
 +++ tests/qml/tst_albumart.qml	2015-06-17 06:15:32 +0000
@@ -23,22 +23,14 @@
      function test_artistart_not_found() {
          loadArtistArt("beck2", "odelay")
--        compare(size.width, 640);
--        compare(size.height, 480);
--        comparePixel(0, 0, "#FE0000");
--        comparePixel(639, 0, "#FFFF00");
--        comparePixel(0, 479, "#0000FE");
--        comparePixel(639, 479, "#00FF01");
++        compare(size.width, 96);
++        compare(size.height, 96);
+     }
      function test_albumart_not_found() {
          loadAlbumArt("beck2", "odelay")
--        compare(size.width, 640);
--        compare(size.height, 480);
--        comparePixel(0, 0, "#FE0000");
--        comparePixel(639, 0, "#FFFF00");
--        comparePixel(0, 479, "#0000FE");
--        comparePixel(639, 479, "#00FF01");
++        compare(size.width, 96);
++        compare(size.height, 96);
+     }
      function test_bad_artist_art_url() {
 === modified file 'tests/testsetup.h.in'
 --- tests/testsetup.h.in	2015-06-01 04:12:08 +0000
 +++ tests/testsetup.h.in	2015-06-17 06:15:32 +0000
@@ -27,6 +27,6 @@
  #define THUMBNAILER_SERVICE "@CMAKE_BINARY_DIR@/src/service/thumbnailer-service"
  #define FAKE_ART_SERVER "@CMAKE_CURRENT_SOURCE_DIR@/server/server.py"
--#define THUMBNAILER_TEST_DEFAULT_IMAGE "@CMAKE_CURRENT_SOURCE_DIR@/media/orientation-8.jpg"
++#define THUMBNAILER_TEST_DEFAULT_IMAGE "@CMAKE_SOURCE_DIR@/data/album_missing.png"
  #define THUMBNAILER_ADMIN "@CMAKE_BINARY_DIR@/src/thumbnailer-admin/thumbnailer-admin"
 === modified file 'tests/thumbnailer-admin/thumbnailer-admin_test.cpp'
 --- tests/thumbnailer-admin/thumbnailer-admin_test.cpp	2015-06-08 03:25:50 +0000
 +++ tests/thumbnailer-admin/thumbnailer-admin_test.cpp	2015-06-17 06:15:32 +0000
@@ -471,8 +471,8 @@
      AdminRunner ar;
      EXPECT_EQ(1, ar.run(QStringList{"get", "no_such_file"}));
--    EXPECT_EQ("thumbnailer-admin: GetLocalThumbnail::run(): cannot open no_such_file: No such file or directory\n",
--              ar.stderr())
++    EXPECT_TRUE(starts_with(ar.stderr(),
++                            "thumbnailer-admin: DBusInterface::GetThumbnail(): no_such_file: unity::ResourceException: Thumbnailer::get_thumbnail():\n    boost::filesystem::canonical: No such file or directory:"))
          << ar.stderr();
      EXPECT_EQ(1, ar.run(QStringList{"get", TESTDATADIR "/orientation-2.jpg", "no_such_directory"}));
 === modified file 'tests/thumbnailer/thumbnailer_test.cpp'
 --- tests/thumbnailer/thumbnailer_test.cpp	2015-06-10 12:30:59 +0000
 +++ tests/thumbnailer/thumbnailer_test.cpp	2015-06-17 06:15:32 +0000
@@ -91,19 +91,20 @@
      std::unique_ptr<ThumbnailRequest> request;
      string thumb;
      Image img;
--    FdPtr fd(-1, do_close);
--    fd.reset(open(EMPTY_IMAGE, O_RDONLY));
--    thumb = tn.get_thumbnail(EMPTY_IMAGE, fd.get(), QSize())->thumbnail();
++    request = tn.get_thumbnail(EMPTY_IMAGE, QSize());
++    request->set_client_credentials(geteuid(), "unconfined");
++    thumb = request->thumbnail();
      EXPECT_EQ("", thumb);
      // Again, this time we get the answer from the failure cache.
--    fd.reset(open(EMPTY_IMAGE, O_RDONLY));
--    thumb = tn.get_thumbnail(EMPTY_IMAGE, fd.get(), QSize())->thumbnail();
++    request = tn.get_thumbnail(EMPTY_IMAGE, QSize());
++    request->set_client_credentials(geteuid(), "unconfined");
++    thumb = request->thumbnail();
      EXPECT_EQ("", thumb);
--    fd.reset(open(TEST_IMAGE, O_RDONLY));
--    request = tn.get_thumbnail(TEST_IMAGE, fd.get(), QSize());
++    request = tn.get_thumbnail(TEST_IMAGE, QSize());
++    request->set_client_credentials(geteuid(), "unconfined");
      EXPECT_TRUE(boost::starts_with(request->key(), TEST_IMAGE)) << request->key();
      thumb = request->thumbnail();
      img = Image(thumb);
@@ -111,30 +112,40 @@
      EXPECT_EQ(480, img.height());
      // Again, for coverage. This time the thumbnail comes from the cache.
--    thumb = tn.get_thumbnail(TEST_IMAGE, fd.get(), QSize())->thumbnail();
++    request = tn.get_thumbnail(TEST_IMAGE, QSize());
++    request->set_client_credentials(geteuid(), "unconfined");
++    thumb = request->thumbnail();
      img = Image(thumb);
      EXPECT_EQ(640, img.width());
      EXPECT_EQ(480, img.height());
--    thumb = tn.get_thumbnail(TEST_IMAGE, fd.get(), QSize(160, 160))->thumbnail();
++    request = tn.get_thumbnail(TEST_IMAGE, QSize(160, 160));
++    request->set_client_credentials(geteuid(), "unconfined");
++    thumb = request->thumbnail();
      img = Image(thumb);
      EXPECT_EQ(160, img.width());
      EXPECT_EQ(120, img.height());
--    thumb = tn.get_thumbnail(TEST_IMAGE, fd.get(), QSize(1000, 1000))->thumbnail();  // Will not up-scale
++    request = tn.get_thumbnail(TEST_IMAGE, QSize(1000, 1000));  // Will not up-scale
++    request->set_client_credentials(geteuid(), "unconfined");
++    thumb = request->thumbnail();
      img = Image(thumb);
      EXPECT_EQ(640, img.width());
      EXPECT_EQ(480, img.height());
--    thumb = tn.get_thumbnail(TEST_IMAGE, fd.get(), QSize(100, 100))->thumbnail();  // From EXIF data
++    request = tn.get_thumbnail(TEST_IMAGE, QSize(100, 100));  // From EXIF data
++    request->set_client_credentials(geteuid(), "unconfined");
++    thumb = request->thumbnail();
      img = Image(thumb);
      EXPECT_EQ(100, img.width());
      EXPECT_EQ(75, img.height());
--    fd.reset(open(BAD_IMAGE, O_RDONLY));
      try
+     {
--        tn.get_thumbnail(BAD_IMAGE, fd.get(), QSize())->thumbnail();
++        request = tn.get_thumbnail(BAD_IMAGE, QSize());
++        request->set_client_credentials(geteuid(), "unconfined");
++        request->thumbnail();
++        FAIL();
+     }
      catch (std::exception const& e)
+     {
@@ -142,20 +153,23 @@
          EXPECT_TRUE(boost::starts_with(msg, "unity::ResourceException: RequestBase::thumbnail(): key = ")) << msg;
+     }
--    fd.reset(open(RGB_IMAGE, O_RDONLY));
--    thumb = tn.get_thumbnail(RGB_IMAGE, fd.get(), QSize(48, 48))->thumbnail();
++    request = tn.get_thumbnail(RGB_IMAGE, QSize(48, 48));
++    request->set_client_credentials(geteuid(), "unconfined");
++    thumb = request->thumbnail();
      img = Image(thumb);
      EXPECT_EQ(48, img.width());
      EXPECT_EQ(48, img.height());
--    fd.reset(open(BIG_IMAGE, O_RDONLY));
--    thumb = tn.get_thumbnail(BIG_IMAGE, fd.get(), QSize())->thumbnail();  // > 1920, so will be trimmed down
++    request = tn.get_thumbnail(BIG_IMAGE, QSize());  // > 1920, so will be trimmed down
++    request->set_client_credentials(geteuid(), "unconfined");
++    thumb = request->thumbnail();
      img = Image(thumb);
      EXPECT_EQ(1920, img.width());
      EXPECT_EQ(1439, img.height());
--    thumb =
--        tn.get_thumbnail(BIG_IMAGE, fd.get(), QSize(0, 0))->thumbnail();  // unconstrained, so will not be trimmed down
++    request = tn.get_thumbnail(BIG_IMAGE, QSize(0, 0));  // unconstrained, so will not be trimmed down
++    request->set_client_credentials(geteuid(), "unconfined");
++    thumb = request->thumbnail();
      img = Image(thumb);
      EXPECT_EQ(2731, img.width());
      EXPECT_EQ(2048, img.height());
@@ -184,9 +198,9 @@
+     {
+         {
              // Load a song so we have something in the full-size and thumbnail caches.
--            FdPtr fd(open(TEST_SONG, O_RDONLY), do_close);
--            auto request = tn.get_thumbnail(TEST_SONG, fd.get(), QSize());
++            auto request = tn.get_thumbnail(TEST_SONG, QSize());
              ASSERT_NE(nullptr, request.get());
++            request->set_client_credentials(geteuid(), "unconfined");
              // Audio thumbnails cannot be produced immediately
              ASSERT_EQ("", request->thumbnail());
@@ -202,32 +216,32 @@
+         {
              // Load same song again at different size, so we get a hit on full-size cache.
--            FdPtr fd(open(TEST_SONG, O_RDONLY), do_close);
--            auto request = tn.get_thumbnail(TEST_SONG, fd.get(), QSize(20, 20));
++            auto request = tn.get_thumbnail(TEST_SONG, QSize(20, 20));
              ASSERT_NE(nullptr, request.get());
++            request->set_client_credentials(geteuid(), "unconfined");
              ASSERT_NE("", request->thumbnail());
+         }
+         {
              // Load same song again at same size, so we get a hit on thumbnail cache.
--            FdPtr fd(open(TEST_SONG, O_RDONLY), do_close);
--            auto request = tn.get_thumbnail(TEST_SONG, fd.get(), QSize(20, 20));
++            auto request = tn.get_thumbnail(TEST_SONG, QSize(20, 20));
              ASSERT_NE(nullptr, request.get());
++            request->set_client_credentials(geteuid(), "unconfined");
              ASSERT_NE("", request->thumbnail());
+         }
+         {
              // Load an empty image, so we have something in the failure cache.
--            FdPtr fd(open(EMPTY_IMAGE, O_RDONLY), do_close);
--            string thumb = tn.get_thumbnail(EMPTY_IMAGE, fd.get(), QSize())->thumbnail();
--            EXPECT_EQ("", thumb);
++            auto request = tn.get_thumbnail(EMPTY_IMAGE, QSize());
++            request->set_client_credentials(geteuid(), "unconfined");
++            EXPECT_EQ("", request->thumbnail());
+         }
+         {
              // Load empty image again, so we get a hit on failure cache.
--            FdPtr fd(open(EMPTY_IMAGE, O_RDONLY), do_close);
--            string thumb = tn.get_thumbnail(EMPTY_IMAGE, fd.get(), QSize())->thumbnail();
--            EXPECT_EQ("", thumb);
++            auto request = tn.get_thumbnail(EMPTY_IMAGE, QSize());
++            request->set_client_credentials(geteuid(), "unconfined");
++            EXPECT_EQ("", request->thumbnail());
+         }
      };
@@ -313,50 +327,20 @@
      EXPECT_EQ(0, stats.failure_stats.hits());
+ }
--TEST_F(ThumbnailerTest, bad_fd)
--{
--    Thumbnailer tn;
--
--    // Invalid file descriptor
--    try
--    {
--        tn.get_thumbnail(TEST_IMAGE, -1, QSize());
--    }
--    catch (std::exception const& e)
--    {
--        string msg = e.what();
--        EXPECT_TRUE(boost::contains(msg, ": Could not stat file descriptor:")) << msg;
--    }
--
--    // File descriptor for wrong file
--    FdPtr fd(open(TEST_VIDEO, O_RDONLY), do_close);
--    try
--    {
--        tn.get_thumbnail(TEST_IMAGE, fd.get(), QSize());
--    }
--    catch (std::exception const& e)
--    {
--        string msg = e.what();
--        EXPECT_TRUE(boost::contains(msg, ": file descriptor does not refer to file ")) << msg;
--    }
--}
--
--TEST_F(ThumbnailerTest, replace_photo)
++TEST_F(ThumbnailerTest, DISABLED_replace_photo)
+ {
      string testfile = tempdir_path() + "/foo.jpg";
      ASSERT_EQ(0, link(TEST_IMAGE, testfile.c_str()));
      Thumbnailer tn;
--    FdPtr fd(open(testfile.c_str(), O_RDONLY), do_close);
--    auto request = tn.get_thumbnail(testfile, fd.get(), QSize());
--    // The client FD isn't needed any more, so close it.
--    fd.reset(-1);
++    auto request = tn.get_thumbnail(testfile, QSize());
      // Replace test image with a different file with different
      // dimensions so we can tell which one is thumbnailed.
      ASSERT_EQ(0, unlink(testfile.c_str()));
      ASSERT_EQ(0, link(BIG_IMAGE, testfile.c_str()));
++    request->set_client_credentials(geteuid(), "unconfined");
      string data = request->thumbnail();
      Image img(data);
      EXPECT_EQ(640, img.width());
@@ -366,9 +350,9 @@
  TEST_F(ThumbnailerTest, thumbnail_video)
+ {
      Thumbnailer tn;
--    FdPtr fd(open(TEST_VIDEO, O_RDONLY), do_close);
--    auto request = tn.get_thumbnail(TEST_VIDEO, fd.get(), QSize());
++    auto request = tn.get_thumbnail(TEST_VIDEO, QSize());
      ASSERT_NE(nullptr, request.get());
++    request->set_client_credentials(geteuid(), "unconfined");
      // Video thumbnails cannot be produced immediately
      ASSERT_EQ("", request->thumbnail());
@@ -386,7 +370,8 @@
+     {
          // Fetch the thumbnail again with the same size.
          // That causes it to come from the thumbnail cache.
--        auto request = tn.get_thumbnail(TEST_VIDEO, fd.get(), QSize());
++        auto request = tn.get_thumbnail(TEST_VIDEO, QSize());
++        request->set_client_credentials(geteuid(), "unconfined");
          string thumb = request->thumbnail();
          ASSERT_NE("", thumb);
          Image img(thumb);
@@ -397,7 +382,8 @@
+     {
          // Fetch the thumbnail again with a different size.
          // That causes it to be scaled from the thumbnail cache.
--        auto request = tn.get_thumbnail(TEST_VIDEO, fd.get(), QSize(500, 500));
++        auto request = tn.get_thumbnail(TEST_VIDEO, QSize(500, 500));
++        request->set_client_credentials(geteuid(), "unconfined");
          string thumb = request->thumbnail();
          ASSERT_NE("", thumb);
          Image img(thumb);
@@ -412,17 +398,15 @@
      ASSERT_EQ(0, link(TEST_VIDEO, testfile.c_str())) << strerror(errno);
      Thumbnailer tn;
--    FdPtr fd(open(testfile.c_str(), O_RDONLY | O_CLOEXEC), do_close);
--    auto request = tn.get_thumbnail(testfile, fd.get(), QSize());
--    // The client FD isn't needed any more, so close it.
--    fd.reset(-1);
++    auto request = tn.get_thumbnail(testfile, QSize());
++    request->set_client_credentials(geteuid(), "unconfined");
++    ASSERT_EQ("", request->thumbnail());
      // Replace test image with a different file with different
      // dimensions so we can tell which one is thumbnailed.
      ASSERT_EQ(0, unlink(testfile.c_str()));
      ASSERT_EQ(0, link(BIG_IMAGE, testfile.c_str()));
--    ASSERT_EQ("", request->thumbnail());
      QSignalSpy spy(request.get(), &ThumbnailRequest::downloadFinished);
      request->download(chrono::milliseconds(15000));
      ASSERT_TRUE(spy.wait(20000));
@@ -436,9 +420,9 @@
  TEST_F(ThumbnailerTest, thumbnail_song)
+ {
      Thumbnailer tn;
--    FdPtr fd(open(TEST_SONG, O_RDONLY), do_close);
--    auto request = tn.get_thumbnail(TEST_SONG, fd.get(), QSize());
++    auto request = tn.get_thumbnail(TEST_SONG, QSize());
      ASSERT_NE(nullptr, request.get());
++    request->set_client_credentials(geteuid(), "unconfined");
      // Audio thumbnails cannot be produced immediately
      ASSERT_EQ("", request->thumbnail());
@@ -482,8 +466,8 @@
          setenv("TN_UTILDIR", "no_such_directory", true);
--        FdPtr fd(open(TEST_SONG, O_RDONLY), do_close);
--        auto request = tn.get_thumbnail(TEST_SONG, fd.get(), QSize());
++        auto request = tn.get_thumbnail(TEST_SONG, QSize());
++        request->set_client_credentials(geteuid(), "unconfined");
          EXPECT_EQ("", request->thumbnail());
          QSignalSpy spy(request.get(), &ThumbnailRequest::downloadFinished);
@@ -615,7 +599,7 @@
      try
+     {
--        auto request = tn.get_thumbnail("no_such_file", -1, QSize());
++        auto request = tn.get_thumbnail("no_such_file", QSize());
          FAIL();
+     }
      catch (unity::ResourceException const& e)