Merge lp:~jdstrand/ofono/ofono-lp1296415 into lp:~phablet-team/ofono/ubuntu

Proposed by Jamie Strandboge on 2014-06-24
Status: Rejected
Rejected by: Jamie Strandboge on 2014-07-17
Proposed branch: lp:~jdstrand/ofono/ofono-lp1296415
Merge into: lp:~phablet-team/ofono/ubuntu
Diff against target: 114 lines (+67/-1)
6 files modified
debian/control (+2/-1)
debian/ofono.dirs (+1/-0)
debian/ofono.install (+1/-0)
debian/ofono.upstart (+4/-0)
debian/rules (+4/-0)
debian/usr.sbin.ofonod (+55/-0)
To merge this branch: bzr merge lp:~jdstrand/ofono/ofono-lp1296415
Reviewer Review Type Date Requested Status
PS Jenkins bot continuous-integration Approve on 2014-06-24
Ubuntu Phablet Team 2014-06-24 Pending
Review via email: mp+224373@code.launchpad.net

Commit message

  * add lenient AppArmor profile to restrict DBus connections with ofono to
    specific services (LP: #1296415)
    - add debian/usr.sbin.ofonod
    - debian/control: Build-Depends on dh-apparmor
    - debian/rules: update override_dh_installdeb to use dh_apparmor
    - debian/ofono.dirs: add etc/apparmor.d
    - debian/ofono.install: install profile into place
    - debian/ofono.upstart: update to load AppArmor profile

Description of the change

  * add lenient AppArmor profile to restrict DBus connections with ofono to
    specific services (LP: #1296415)
    - add debian/usr.sbin.ofonod
    - debian/control: Build-Depends on dh-apparmor
    - debian/rules: update override_dh_installdeb to use dh_apparmor
    - debian/ofono.dirs: add etc/apparmor.d
    - debian/ofono.install: install profile into place
    - debian/ofono.upstart: update to load AppArmor profile

lp:~jdstrand/ofono/ofono-lp1296415 updated on 2014-06-24
6870. By Jamie Strandboge on 2014-06-24

debian/usr.sbin.ofonod: more closely mimic unconfined with exec transitions

Unmerged revisions

6870. By Jamie Strandboge on 2014-06-24

debian/usr.sbin.ofonod: more closely mimic unconfined with exec transitions

6869. By Jamie Strandboge on 2014-06-24

debian/usr.sbin.ofonod: remove unused and unneeded rild peer

6868. By Jamie Strandboge on 2014-06-24

 * add lenient AppArmor profile to restrict DBus connections with ofono to
   specific services (LP: #1296415)
   - add debian/usr.sbin.ofonod
   - debian/control: Build-Depends on dh-apparmor
   - debian/rules: update override_dh_installdeb to use dh_apparmor
   - debian/ofono.dirs: add etc/apparmor.d
   - debian/ofono.install: install profile into place
   - debian/ofono.upstart: update to load AppArmor profile

Preview Diff

=== modified file 'debian/control'
--- debian/control 2014-05-29 12:15:34 +0000
+++ debian/control 2014-06-24 22:22:27 +0000
@@ -12,7 +12,8 @@
12 libudev-dev,12 libudev-dev,
13 udev,13 udev,
14 libbluetooth-dev (>= 4.30),14 libbluetooth-dev (>= 4.30),
15 mobile-broadband-provider-info15 mobile-broadband-provider-info,
16 dh-apparmor
16Standards-Version: 3.9.417Standards-Version: 3.9.4
17Homepage: http://www.ofono.org/18Homepage: http://www.ofono.org/
18# If you aren't a member of ~phablet-team but need to upload19# If you aren't a member of ~phablet-team but need to upload
1920
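Review bot: the new Build-Depends on dh-apparmor (line 16) is unversioned, yet the profile added in debian/usr.sbin.ofonod relies on dbus peer-label, ptrace and signal rules that only a recent apparmor_parser accepts; a versioned build-dependency, and a matching Depends or Recommends on apparmor for the ofono binary package, would make that requirement explicit instead of being discovered at profile-load time. The trailing comma added after mobile-broadband-provider-info is correct and keeps the list parseable.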
=== modified file 'debian/ofono.dirs'
--- debian/ofono.dirs 2013-10-02 15:34:41 +0000
+++ debian/ofono.dirs 2014-06-24 22:22:27 +0000
@@ -1,1 +1,2 @@
1/var/lib/ofono1/var/lib/ofono
2/etc/apparmor.d
23
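Review bot: the /etc/apparmor.d entry in debian/ofono.dirs is redundant, since dh_install creates the destination directory for the `debian/usr.sbin.ofonod etc/apparmor.d` line in debian/ofono.install; it is harmless, but dropping it keeps the packaging minimal.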
=== modified file 'debian/ofono.install'
--- debian/ofono.install 2013-10-02 15:34:41 +0000
+++ debian/ofono.install 2014-06-24 22:22:27 +0000
@@ -4,3 +4,4 @@
4debian/tmp/etc/ofono4debian/tmp/etc/ofono
5debian/tmp/lib/udev/rules.d/*5debian/tmp/lib/udev/rules.d/*
6debian/tmp/usr/share/man6debian/tmp/usr/share/man
7debian/usr.sbin.ofonod etc/apparmor.d
78
=== modified file 'debian/ofono.upstart'
--- debian/ofono.upstart 2013-10-02 15:34:41 +0000
+++ debian/ofono.upstart 2014-06-24 22:22:27 +0000
@@ -6,4 +6,8 @@
6expect fork6expect fork
7respawn7respawn
88
9pre-start script
10 /lib/init/apparmor-profile-load usr.sbin.ofonod
11end script
12
9exec ofonod -P ril13exec ofonod -P ril
1014
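Review bot: the new pre-start stanza loads the profile by file name, but the unchanged `exec ofonod -P ril` line still relies on PATH lookup while the profile attaches to the absolute path /usr/sbin/ofonod; writing `exec /usr/sbin/ofonod -P ril` makes the attachment unambiguous, so ofonod cannot end up unconfined if PATH resolves the name elsewhere. With `respawn` set, pre-start runs again on every respawn, which is fine here because /lib/init/apparmor-profile-load replaces an already-loaded profile rather than failing on a duplicate, and exits 0 when AppArmor is unavailable.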
=== modified file 'debian/rules'
--- debian/rules 2013-12-23 18:38:54 +0000
+++ debian/rules 2014-06-24 22:22:27 +0000
@@ -23,3 +23,7 @@
2323
24override_dh_strip:24override_dh_strip:
25 dh_strip --dbg-package=ofono-dbg25 dh_strip --dbg-package=ofono-dbg
26
27override_dh_installdeb:
28 dh_apparmor --profile-name=usr.sbin.ofonod -pofono
29 dh_installdeb
2630
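Review bot: debian/changelog is not among the six files this branch modifies, so the new profile and build-dependency carry no changelog entry; the commit message text is a ready-made one. The ordering inside override_dh_installdeb is right (dh_apparmor must run before dh_installdeb so its generated maintainer-script snippets are picked up, and the `--profile-name=usr.sbin.ofonod` matches the file installed by debian/ofono.install); do double-check that the two new recipe lines are tab-indented, which the rendered diff cannot show.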
=== added file 'debian/usr.sbin.ofonod'
--- debian/usr.sbin.ofonod 1970-01-01 00:00:00 +0000
+++ debian/usr.sbin.ofonod 2014-06-24 22:22:27 +0000
@@ -0,0 +1,55 @@
1#include <tunables/global>
2
3# Permissive profile limit dbus access
4/usr/sbin/ofonod (attach_disconnected) {
5 capability,
6 mount,
7 remount,
8 umount,
9 network,
10
11 / rwkl,
12 /** rwlkm,
13 /** pix,
14
15 # We can do anything on dbus
16 dbus (bind, send),
17
18 # Some methods are ok by anyone (ie, dbus-daemon itself)
19 dbus (receive)
20 bus=system
21 interface="org.freedesktop.DBus.Properties",
22
23 # Limit who can connect on DBus to these (LP: #1296415)
24 dbus (receive) peer=(label=/usr/lib/*/indicator-network/indicator-network-service),
25 dbus (receive) peer=(label=/usr/sbin/NetworkManager),
26 dbus (receive) peer=(label=/etc/NetworkManager/dispatcher.d/03mmsproxy),
27 dbus (receive) peer=(label=/usr/bin/nuntium),
28 dbus (receive) peer=(label=/usr/bin/ubuntu-download-manager),
29 dbus (receive) peer=(label=/usr/bin/powerd),
30 dbus (receive) peer=(label=/usr/bin/system-settings),
31 dbus (receive) peer=(label=/usr/lib/*/urfkill/urfkilld),
32 dbus (receive) peer=(label=/usr/lib/telepathy/telepathy-ofono),
33 dbus (receive) peer=(label=ofono_scripts),
34
35 # Allow some ptrace, but don't allow others to ptrace us
36 ptrace (read, readby, trace),
37
38 # We have to let all signals through, since 'init' is unconfined
39 signal,
40}
41
42profile ofono_scripts /usr/share/ofono/scripts/* (attach_disconnected) {
43 capability,
44 mount,
45 remount,
46 umount,
47 network,
48 dbus,
49 ptrace,
50 signal,
51
52 / rwkl,
53 /** rwlkm,
54 /** pix,
55}
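Review bot: the rule at lines 19-21 allows `dbus (receive)` on interface org.freedesktop.DBus.Properties from any peer, while the comment above it says the intent is to let dbus-daemon itself through; the bus daemon's own messages (NameOwnerChanged and friends, which ofono relies on to notice clients going away) are sent on the org.freedesktop.DBus interface, not the Properties one, so either the comment or the rule should be adjusted after verifying in the kernel log that no receive from the bus is denied. Every peer not listed at lines 24-33, including any unconfined process (whose label is simply "unconfined", so a root shell running dbus-send or a script outside /usr/share/ofono/scripts), is denied; that is the point of LP: #1296415, but it deserves a comment, and testing should watch for `apparmor="DENIED" operation="dbus_method_call"` entries with profile="/usr/sbin/ofonod" to catch a legitimate consumer that was missed. Since the rest of the profile (`capability,`, `mount,`, `/** rwlkm,`, `/** pix,`) and the whole ofono_scripts profile grant everything, it is worth stating in the line 3 comment that the only confinement this profile adds is who may talk to ofono over D-Bus; that comment also reads better as "Permissive profile: limit dbus access".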
