ubuntu-core-security

Merge lp:~mvo/ubuntu-core-security/private-tmpdir-update into lp:~ubuntu-security/ubuntu-core-security/trunk

  1. private-tmpdir-update
  2. Merge into trunk
Proposed by Michael Vogt on 2015-06-08
Status: Merged
Merged at revision: 73
Proposed branch: lp:~mvo/ubuntu-core-security/private-tmpdir-update
Merge into: lp:~ubuntu-security/ubuntu-core-security/trunk
Diff against target: 34 lines (+10/-6)
2 files modified
data/apparmor/templates/ubuntu-core/15.04/default (+3/-6)
debian/changelog (+7/-0)
To merge this branch: bzr merge lp:~mvo/ubuntu-core-security/private-tmpdir-update
Reviewer Review Type Date Requested Status
Jamie Strandboge Approve on 2015-06-08
Tyler Hicks 2015-06-08 Approve on 2015-06-08
Review via email: mp+261396@code.launchpad.net

Description of the Change

This is the companion branch for
  lp:~mvo/ubuntu-core-launcher/tmpdir-simplify-lp1462916
If we create a fully private /tmp via the ubuntu-core-launcher
we can update the apparmor policy so that its ok to write to /tmp

To post a comment you must log in.
Tyler Hicks (tyhicks) wrote :

Looks good to me.

review: Approve
Jamie Strandboge (jdstrand) wrote :

I'm going to change this just a bit to be more explicit in the comment, add read on /tmp/ and not require owner for /tmp/**. Nothing needs to be done here.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'data/apparmor/templates/ubuntu-core/15.04/default'
2--- data/apparmor/templates/ubuntu-core/15.04/default 2015-05-21 15:05:11 +0000
3+++ data/apparmor/templates/ubuntu-core/15.04/default 2015-06-08 14:18:06 +0000
4@@ -169,12 +169,9 @@
5 /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/ w,
6 /var/lib/apps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
7
8- # Writable temp area only for this version (launcher will create this
9- # directory on our behalf so only allow readonly on parent).
10- /tmp/snaps/@{APP_PKGNAME}/ r,
11- /tmp/snaps/@{APP_PKGNAME}/** rk,
12- /tmp/snaps/@{APP_PKGNAME}/@{APP_VERSION}/ rw,
13- /tmp/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** mrwlkix,
14+ # The ubuntu-core-launcher creates a private restricted /tmp just for
15+ # this instance
16+ owner /tmp/** mrwlkix,
17
18 # Also do the same for shm
19 /{dev,run}/shm/snaps/@{APP_PKGNAME}/ r,
20
21=== modified file 'debian/changelog'
22--- debian/changelog 2015-05-29 17:01:21 +0000
23+++ debian/changelog 2015-06-08 14:18:06 +0000
24@@ -1,3 +1,10 @@
25+ubuntu-core-security (15.10.3) UNRELEASED; urgency=low
26+
27+ * allow /tmp access now that the ubuntu-core-launcher creates
28+ a private /tmp for each snap
29+
30+ -- Michael Vogt <michael.vogt@ubuntu.com> Mon, 08 Jun 2015 16:15:17 +0200
31+
32 ubuntu-core-security (15.10.2) wily; urgency=medium
33
34 * seccomp/default: allow setpgid and setpgrp (they are commonly used and

Subscribers

People subscribed via source and target branches