Merge lp:~jdstrand/ofono/ofono-lp1296415 into lp:~phablet-team/ofono/ubuntu

Proposed by Jamie Strandboge
Status: Rejected
Rejected by: Jamie Strandboge
Proposed branch: lp:~jdstrand/ofono/ofono-lp1296415
Merge into: lp:~phablet-team/ofono/ubuntu
Diff against target: 114 lines (+67/-1)
6 files modified
debian/control (+2/-1)
debian/ofono.dirs (+1/-0)
debian/ofono.install (+1/-0)
debian/ofono.upstart (+4/-0)
debian/rules (+4/-0)
debian/usr.sbin.ofonod (+55/-0)
To merge this branch: bzr merge lp:~jdstrand/ofono/ofono-lp1296415
Reviewer               Review Type              Date Requested   Status
PS Jenkins bot         continuous-integration                    Approve
Ubuntu Phablet Team                                              Pending
Review via email: mp+224373@code.launchpad.net

Commit message

  * add lenient AppArmor profile to restrict DBus connections with ofono to
    specific services (LP: #1296415)
    - add debian/usr.sbin.ofonod
    - debian/control: Build-Depends on dh-apparmor
    - debian/rules: update override_dh_installdeb to use dh_apparmor
    - debian/ofono.dirs: add etc/apparmor.d
    - debian/ofono.install: install profile in to place
    - debian/ofono.upstart: update to load AppArmor profile

Description of the change

  * add lenient AppArmor profile to restrict DBus connections with ofono to
    specific services (LP: #1296415)
    - add debian/usr.sbin.ofonod
    - debian/control: Build-Depends on dh-apparmor
    - debian/rules: update override_dh_installdeb to use dh_apparmor
    - debian/ofono.dirs: add etc/apparmor.d
    - debian/ofono.install: install profile in to place
    - debian/ofono.upstart: update to load AppArmor profile

Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :
review: Approve (continuous-integration)
lp:~jdstrand/ofono/ofono-lp1296415 updated
6870. By Jamie Strandboge

debian/usr.sbin.ofonod: more closely mimic unconfined with exec transitions

Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :
review: Approve (continuous-integration)

Unmerged revisions

6870. By Jamie Strandboge

debian/usr.sbin.ofonod: more closely mimic unconfined with exec transitions

6869. By Jamie Strandboge

debian/usr.sbin.ofonod: remove unused and unneeded rild peer

6868. By Jamie Strandboge

 * add lenient AppArmor profile to restrict DBus connections with ofono to
   specific services (LP: #1296415)
   - add debian/usr.sbin.ofonod
   - debian/control: Build-Depends on dh-apparmor
   - debian/rules: update override_dh_installdeb to use dh_apparmor
   - debian/ofono.dirs: add etc/apparmor.d
   - debian/ofono.install: install profile in to place
   - debian/ofono.upstart: update to load AppArmor profile

Preview Diff

1=== modified file 'debian/control'
2--- debian/control 2014-05-29 12:15:34 +0000
3+++ debian/control 2014-06-24 22:22:27 +0000
4@@ -12,7 +12,8 @@
5 libudev-dev,
6 udev,
7 libbluetooth-dev (>= 4.30),
8- mobile-broadband-provider-info
9+ mobile-broadband-provider-info,
10+ dh-apparmor
11 Standards-Version: 3.9.4
12 Homepage: http://www.ofono.org/
13 # If you aren't a member of ~phablet-team but need to upload
14
15=== modified file 'debian/ofono.dirs'
16--- debian/ofono.dirs 2013-10-02 15:34:41 +0000
17+++ debian/ofono.dirs 2014-06-24 22:22:27 +0000
18@@ -1,1 +1,2 @@
19 /var/lib/ofono
20+/etc/apparmor.d
21
22=== modified file 'debian/ofono.install'
23--- debian/ofono.install 2013-10-02 15:34:41 +0000
24+++ debian/ofono.install 2014-06-24 22:22:27 +0000
25@@ -4,3 +4,4 @@
26 debian/tmp/etc/ofono
27 debian/tmp/lib/udev/rules.d/*
28 debian/tmp/usr/share/man
29+debian/usr.sbin.ofonod etc/apparmor.d
30
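Review bot: the install destination `etc/apparmor.d` makes /etc/apparmor.d/usr.sbin.ofonod a conffile, and its basename must stay in sync with the `--profile-name=usr.sbin.ofonod` passed to dh_apparmor in debian/rules and the name given to apparmor-profile-load in debian/ofono.upstart; a rename in any one of the three silently breaks loading, so a short comment in ofono.install pointing at the other two users would help future maintainers.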
31=== modified file 'debian/ofono.upstart'
32--- debian/ofono.upstart 2013-10-02 15:34:41 +0000
33+++ debian/ofono.upstart 2014-06-24 22:22:27 +0000
34@@ -6,4 +6,8 @@
35 expect fork
36 respawn
37
38+pre-start script
39+ /lib/init/apparmor-profile-load usr.sbin.ofonod
40+end script
41+
42 exec ofonod -P ril
43
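Review bot: the pre-start script calls /lib/init/apparmor-profile-load unconditionally, and nothing in this branch adds a runtime dependency on the apparmor package that ships it, so on a system without apparmor the pre-start fails and upstart never reaches `exec ofonod -P ril`. Either add apparmor to Depends in debian/control or guard the call, e.g. `[ -x /lib/init/apparmor-profile-load ] && /lib/init/apparmor-profile-load usr.sbin.ofonod`. Note also that the pre-start inherits the script's exit status, so a profile that fails to parse keeps the telephony daemon from starting at all; if that fail-closed behaviour is intended it deserves a comment, otherwise append `|| true`.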
44=== modified file 'debian/rules'
45--- debian/rules 2013-12-23 18:38:54 +0000
46+++ debian/rules 2014-06-24 22:22:27 +0000
47@@ -23,3 +23,7 @@
48
49 override_dh_strip:
50 dh_strip --dbg-package=ofono-dbg
51+
52+override_dh_installdeb:
53+ dh_apparmor --profile-name=usr.sbin.ofonod -pofono
54+ dh_installdeb
55
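Review bot: the ordering here is correct (dh_apparmor must run before dh_installdeb so its maintainer-script snippets land in the generated postinst/prerm), but the override is easy to break later by someone inserting a command between the two; a one-line comment stating that dh_apparmor has to precede dh_installdeb would document the constraint. Whitespace in the recipe lines cannot be verified from the rendered diff; confirm the two commands are tab-indented, since make rejects space-indented recipes.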
56=== added file 'debian/usr.sbin.ofonod'
57--- debian/usr.sbin.ofonod 1970-01-01 00:00:00 +0000
58+++ debian/usr.sbin.ofonod 2014-06-24 22:22:27 +0000
59@@ -0,0 +1,55 @@
60+#include <tunables/global>
61+
62+# Permissive profile limit dbus access
63+/usr/sbin/ofonod (attach_disconnected) {
64+ capability,
65+ mount,
66+ remount,
67+ umount,
68+ network,
69+
70+ / rwkl,
71+ /** rwlkm,
72+ /** pix,
73+
74+ # We can do anything on dbus
75+ dbus (bind, send),
76+
77+ # Some methods are ok by anyone (ie, dbus-daemon itself)
78+ dbus (receive)
79+ bus=system
80+ interface="org.freedesktop.DBus.Properties",
81+
82+ # Limit who can connect on DBus to these (LP: #1296415)
83+ dbus (receive) peer=(label=/usr/lib/*/indicator-network/indicator-network-service),
84+ dbus (receive) peer=(label=/usr/sbin/NetworkManager),
85+ dbus (receive) peer=(label=/etc/NetworkManager/dispatcher.d/03mmsproxy),
86+ dbus (receive) peer=(label=/usr/bin/nuntium),
87+ dbus (receive) peer=(label=/usr/bin/ubuntu-download-manager),
88+ dbus (receive) peer=(label=/usr/bin/powerd),
89+ dbus (receive) peer=(label=/usr/bin/system-settings),
90+ dbus (receive) peer=(label=/usr/lib/*/urfkill/urfkilld),
91+ dbus (receive) peer=(label=/usr/lib/telepathy/telepathy-ofono),
92+ dbus (receive) peer=(label=ofono_scripts),
93+
94+ # Allow some ptrace, but don't allow others to ptrace us
95+ ptrace (read, readby, trace),
96+
97+ # We have to let all signals through, since 'init' is unconfined
98+ signal,
99+}
100+
101+profile ofono_scripts /usr/share/ofono/scripts/* (attach_disconnected) {
102+ capability,
103+ mount,
104+ remount,
105+ umount,
106+ network,
107+ dbus,
108+ ptrace,
109+ signal,
110+
111+ / rwkl,
112+ /** rwlkm,
113+ /** pix,
114+}
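Review bot: the `dbus (receive) bus=system interface="org.freedesktop.DBus.Properties"` rule carries no `peer=` or `member=` qualifier, so it accepts messages on that interface from any sender on the system bus, which is broader than the "(ie, dbus-daemon itself)" comment suggests and partly bypasses the peer-label whitelist that follows; if the intent is dbus-daemon only, add `peer=(name=org.freedesktop.DBus)`, or restrict to the specific members needed. The peer rules that implement the LP: #1296415 restriction only match senders that actually run confined under a profile whose label is exactly the given path; a sender running unconfined carries the label `unconfined` and will be denied, so each of indicator-network-service, NetworkManager, 03mmsproxy, nuntium, ubuntu-download-manager, powerd, system-settings, urfkilld and telepathy-ofono needs a shipped profile, and the set should be checked on a device with `aa-status` before this lands. Glob labels such as `/usr/lib/*/indicator-network/indicator-network-service` are matched against the peer's profile name, which works only if that profile was attached by path rather than given an explicit name. The `ofono_scripts` profile exists to give /usr/share/ofono/scripts/* a label that the main profile can whitelist, and it is otherwise fully permissive (unrestricted capability, mount, dbus, ptrace and signal); that is consistent with the "lenient" goal but should be stated in a comment so nobody mistakes it for confinement. Style nit: the header comment reads "Permissive profile limit dbus access"; "Permissive profile to limit dbus access" is what is meant.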
