snap-confine

Merge lp:~jdstrand/snap-confine/ubuntu-core-launcher.aa-profile into lp:~snappy-dev/snap-confine/trunk

  1. ubuntu-core-launcher.aa-profile
  2. Merge into trunk
Proposed by Jamie Strandboge
Status: Merged
Merged at revision: 46
Proposed branch: lp:~jdstrand/snap-confine/ubuntu-core-launcher.aa-profile
Merge into: lp:~snappy-dev/snap-confine/trunk
Diff against target: 119 lines (+63/-4)
6 files modified
debian/changelog (+6/-0)
debian/control (+2/-2)
debian/dirs (+2/-1)
debian/install (+1/-0)
debian/rules (+4/-1)
debian/usr.bin.ubuntu-core-launcher (+48/-0)
To merge this branch: bzr merge lp:~jdstrand/snap-confine/ubuntu-core-launcher.aa-profile
Reviewer Review Type Date Requested Status
Snappy Developers Pending
Review via email: mp+256992@code.launchpad.net

Commit message

add apparmor profile for ubuntu-core-launcher

Description of the change

add apparmor profile for ubuntu-core-launcher

To post a comment you must log in.
lp:~jdstrand/snap-confine/ubuntu-core-launcher.aa-profile updated
46. By Jamie Strandboge

merge from trunk

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Looks good to me. Thanks!

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'debian/changelog'
2--- debian/changelog 2015-04-21 19:02:39 +0000
3+++ debian/changelog 2015-04-21 19:22:19 +0000
4@@ -1,3 +1,9 @@
5+ubuntu-core-launcher (0.2.9) UNRELEASED; urgency=medium
6+
7+ * add apparmor profile for ubuntu-core-launcher
8+
9+ -- Jamie Strandboge <jamie@ubuntu.com> Tue, 21 Apr 2015 14:21:15 -0500
10+
11 ubuntu-core-launcher (0.2.8) vivid; urgency=low
12
13 * initial upload to the archive
14
15=== modified file 'debian/control'
16--- debian/control 2015-04-19 07:10:28 +0000
17+++ debian/control 2015-04-21 19:22:19 +0000
18@@ -2,13 +2,13 @@
19 Section: utils
20 Priority: optional
21 Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
22-Build-Depends: debhelper (>= 9), libseccomp-dev, libapparmor-dev, libudev-dev
23+Build-Depends: debhelper (>= 9), libseccomp-dev, libapparmor-dev, libudev-dev, dh-apparmor
24 Standards-Version: 3.9.6
25 Vcs: lp:~snappy-dev/ubuntu-core-launcher/trunk
26
27 Package: ubuntu-core-launcher
28 Architecture: any
29-Depends: ${misc:Depends}, ${shlibs:Depends}
30+Depends: ${misc:Depends}, ${shlibs:Depends}, apparmor
31 Description: Launcher for ubuntu-core (snappy) apps
32 This package contains the launcher for launching ubuntu-core applications
33 on a ubuntu "snappy" system.
34
35=== modified file 'debian/dirs'
36--- debian/dirs 2015-04-18 09:57:31 +0000
37+++ debian/dirs 2015-04-21 19:22:19 +0000
38@@ -1,2 +1,3 @@
39 usr/bin
40-lib/udev
41\ No newline at end of file
42+lib/udev
43+etc/apparmor.d/force-complain
44
45=== added file 'debian/install'
46--- debian/install 1970-01-01 00:00:00 +0000
47+++ debian/install 2015-04-21 19:22:19 +0000
48@@ -0,0 +1,1 @@
49+debian/usr.bin.ubuntu-core-launcher etc/apparmor.d
50
51=== modified file 'debian/rules'
52--- debian/rules 2015-04-18 13:44:14 +0000
53+++ debian/rules 2015-04-21 19:22:19 +0000
54@@ -1,8 +1,11 @@
55 #!/usr/bin/make -f
56
57 %:
58- dh $@
59+ dh $@
60
61 override_dh_fixperms:
62 dh_fixperms -Xusr/bin/ubuntu-core-launcher
63
64+override_dh_installdeb:
65+ dh_apparmor --profile-name=usr.bin.ubuntu-core-launcher -pubuntu-core-launcher
66+ dh_installdeb
67
68=== added file 'debian/usr.bin.ubuntu-core-launcher'
69--- debian/usr.bin.ubuntu-core-launcher 1970-01-01 00:00:00 +0000
70+++ debian/usr.bin.ubuntu-core-launcher 2015-04-21 19:22:19 +0000
71@@ -0,0 +1,48 @@
72+# Author: Jamie Strandboge <jamie@canonical.com>
73+#include <tunables/global>
74+
75+/usr/bin/ubuntu-core-launcher {
76+ # We run privileged, so be fanatical about what we include and don't use
77+ # any abstractions
78+ /etc/ld.so.cache r,
79+ /lib/@{multiarch}/libapparmor.so* mr,
80+ /lib/@{multiarch}/libc-*.so* mr,
81+ /lib/@{multiarch}/libpthread-*.so* mr,
82+ /lib/@{multiarch}/libudev.so* mr,
83+ /usr/lib/@{multiarch}/libseccomp.so* mr,
84+
85+ # cgroups
86+ capability sys_admin,
87+ capability dac_override,
88+ /sys/fs/cgroup/devices/snappy.*/ w,
89+ /sys/fs/cgroup/devices/snappy.*/tasks w,
90+ /sys/fs/cgroup/devices/snappy.*/devices.{allow,deny} w,
91+
92+ # querying udev
93+ /etc/udev/udev.conf r,
94+ /sys/devices/**/uevent r,
95+ /lib/udev/snappy-app-dev ixr, # drop
96+
97+ # priv dropping
98+ capability setuid,
99+ capability setgid,
100+
101+ # changing profile
102+ @{PROC}/[0-9]*/attr/exec w,
103+ change_profile -> [^u/]**,
104+ change_profile -> [^u/][^n]**,
105+ change_profile -> [^u/][^n][^c]**,
106+ change_profile -> [^u/][^n][^c][^o]**,
107+ change_profile -> [^u/][^n][^c][^o][^n]**,
108+ change_profile -> [^u/][^n][^c][^o][^n][^f]**,
109+ change_profile -> [^u/][^n][^c][^o][^n][^f][^i]**,
110+ change_profile -> [^u/][^n][^c][^o][^n][^f][^i][^n]**,
111+ change_profile -> [^u/][^n][^c][^o][^n][^f][^i][^n][^e]**,
112+ change_profile -> [^u/][^n][^c][^o][^n][^f][^i][^n][^e][^d]**,
113+ # LP: #1446794 - when this bug is fixed, change the above to:
114+ # deny change_profile -> {unconfined,/**},
115+ # change_profile -> **,
116+
117+ # reading seccomp filters
118+ /var/lib/snappy/seccomp/profiles/* r,
119+}

Subscribers

People subscribed via source and target branches