snap-confine

Merge lp:~jdstrand/snap-confine/ubuntu-core-launcher.aa-profile into lp:~snappy-dev/snap-confine/trunk

  1. ubuntu-core-launcher.aa-profile
  2. Merge into trunk
Proposed by Jamie Strandboge
Status: Merged
Merged at revision: 46
Proposed branch: lp:~jdstrand/snap-confine/ubuntu-core-launcher.aa-profile
Merge into: lp:~snappy-dev/snap-confine/trunk
Diff against target: 119 lines (+63/-4)
6 files modified
debian/changelog (+6/-0)
debian/control (+2/-2)
debian/dirs (+2/-1)
debian/install (+1/-0)
debian/rules (+4/-1)
debian/usr.bin.ubuntu-core-launcher (+48/-0)
To merge this branch: bzr merge lp:~jdstrand/snap-confine/ubuntu-core-launcher.aa-profile
Reviewer Review Type Date Requested Status
Snappy Developers Pending
Review via email: mp+256992@code.launchpad.net

Commit message

add apparmor profile for ubuntu-core-launcher

Description of the change

add apparmor profile for ubuntu-core-launcher

To post a comment you must log in.
lp:~jdstrand/snap-confine/ubuntu-core-launcher.aa-profile updated
46. By Jamie Strandboge

merge from trunk

Revision history for this message
Tyler Hicks (tyhicks) wrote :

Looks good to me. Thanks!

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'debian/changelog'
--- debian/changelog 2015-04-21 19:02:39 +0000
+++ debian/changelog 2015-04-21 19:22:19 +0000
@@ -1,3 +1,9 @@
1ubuntu-core-launcher (0.2.9) UNRELEASED; urgency=medium
2
3 * add apparmor profile for ubuntu-core-launcher
4
5 -- Jamie Strandboge <jamie@ubuntu.com> Tue, 21 Apr 2015 14:21:15 -0500
6
1ubuntu-core-launcher (0.2.8) vivid; urgency=low7ubuntu-core-launcher (0.2.8) vivid; urgency=low
28
3 * initial upload to the archive9 * initial upload to the archive
410
=== modified file 'debian/control'
--- debian/control 2015-04-19 07:10:28 +0000
+++ debian/control 2015-04-21 19:22:19 +0000
@@ -2,13 +2,13 @@
2Section: utils2Section: utils
3Priority: optional3Priority: optional
4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5Build-Depends: debhelper (>= 9), libseccomp-dev, libapparmor-dev, libudev-dev5Build-Depends: debhelper (>= 9), libseccomp-dev, libapparmor-dev, libudev-dev, dh-apparmor
6Standards-Version: 3.9.66Standards-Version: 3.9.6
7Vcs: lp:~snappy-dev/ubuntu-core-launcher/trunk7Vcs: lp:~snappy-dev/ubuntu-core-launcher/trunk
88
9Package: ubuntu-core-launcher9Package: ubuntu-core-launcher
10Architecture: any10Architecture: any
11Depends: ${misc:Depends}, ${shlibs:Depends}11Depends: ${misc:Depends}, ${shlibs:Depends}, apparmor
12Description: Launcher for ubuntu-core (snappy) apps12Description: Launcher for ubuntu-core (snappy) apps
13 This package contains the launcher for launching ubuntu-core applications13 This package contains the launcher for launching ubuntu-core applications
14 on a ubuntu "snappy" system.14 on a ubuntu "snappy" system.
1515
=== modified file 'debian/dirs'
--- debian/dirs 2015-04-18 09:57:31 +0000
+++ debian/dirs 2015-04-21 19:22:19 +0000
@@ -1,2 +1,3 @@
1usr/bin1usr/bin
2lib/udev
3\ No newline at end of file2\ No newline at end of file
3lib/udev
4etc/apparmor.d/force-complain
45
=== added file 'debian/install'
--- debian/install 1970-01-01 00:00:00 +0000
+++ debian/install 2015-04-21 19:22:19 +0000
@@ -0,0 +1,1 @@
1debian/usr.bin.ubuntu-core-launcher etc/apparmor.d
02
=== modified file 'debian/rules'
--- debian/rules 2015-04-18 13:44:14 +0000
+++ debian/rules 2015-04-21 19:22:19 +0000
@@ -1,8 +1,11 @@
1#!/usr/bin/make -f1#!/usr/bin/make -f
22
3%:3%:
4 dh $@ 4 dh $@
55
6override_dh_fixperms:6override_dh_fixperms:
7 dh_fixperms -Xusr/bin/ubuntu-core-launcher7 dh_fixperms -Xusr/bin/ubuntu-core-launcher
88
9override_dh_installdeb:
10 dh_apparmor --profile-name=usr.bin.ubuntu-core-launcher -pubuntu-core-launcher
11 dh_installdeb
912
=== added file 'debian/usr.bin.ubuntu-core-launcher'
--- debian/usr.bin.ubuntu-core-launcher 1970-01-01 00:00:00 +0000
+++ debian/usr.bin.ubuntu-core-launcher 2015-04-21 19:22:19 +0000
@@ -0,0 +1,48 @@
1# Author: Jamie Strandboge <jamie@canonical.com>
2#include <tunables/global>
3
4/usr/bin/ubuntu-core-launcher {
5 # We run privileged, so be fanatical about what we include and don't use
6 # any abstractions
7 /etc/ld.so.cache r,
8 /lib/@{multiarch}/libapparmor.so* mr,
9 /lib/@{multiarch}/libc-*.so* mr,
10 /lib/@{multiarch}/libpthread-*.so* mr,
11 /lib/@{multiarch}/libudev.so* mr,
12 /usr/lib/@{multiarch}/libseccomp.so* mr,
13
14 # cgroups
15 capability sys_admin,
16 capability dac_override,
17 /sys/fs/cgroup/devices/snappy.*/ w,
18 /sys/fs/cgroup/devices/snappy.*/tasks w,
19 /sys/fs/cgroup/devices/snappy.*/devices.{allow,deny} w,
20
21 # querying udev
22 /etc/udev/udev.conf r,
23 /sys/devices/**/uevent r,
24 /lib/udev/snappy-app-dev ixr, # drop
25
26 # priv dropping
27 capability setuid,
28 capability setgid,
29
30 # changing profile
31 @{PROC}/[0-9]*/attr/exec w,
32 change_profile -> [^u/]**,
33 change_profile -> [^u/][^n]**,
34 change_profile -> [^u/][^n][^c]**,
35 change_profile -> [^u/][^n][^c][^o]**,
36 change_profile -> [^u/][^n][^c][^o][^n]**,
37 change_profile -> [^u/][^n][^c][^o][^n][^f]**,
38 change_profile -> [^u/][^n][^c][^o][^n][^f][^i]**,
39 change_profile -> [^u/][^n][^c][^o][^n][^f][^i][^n]**,
40 change_profile -> [^u/][^n][^c][^o][^n][^f][^i][^n][^e]**,
41 change_profile -> [^u/][^n][^c][^o][^n][^f][^i][^n][^e][^d]**,
42 # LP: #1446794 - when this bug is fixed, change the above to:
43 # deny change_profile -> {unconfined,/**},
44 # change_profile -> **,
45
46 # reading seccomp filters
47 /var/lib/snappy/seccomp/profiles/* r,
48}

Subscribers

People subscribed via source and target branches