Media Hub

Merge lp:~phablet-team/media-hub/fix-1533779 into lp:media-hub

  1. fix-1533779
  2. Merge into trunk
Proposed by Jim Hodapp
Status: Merged
Approved by: Thomas Voß
Approved revision: 168
Merged at revision: 165
Proposed branch: lp:~phablet-team/media-hub/fix-1533779
Merge into: lp:media-hub
Diff against target: 261 lines (+109/-19)
8 files modified
include/core/media/player.h (+5/-0)
src/core/media/apparmor/ubuntu.cpp (+38/-10)
src/core/media/apparmor/ubuntu.h (+3/-0)
src/core/media/mpris/player.h (+8/-0)
src/core/media/player.cpp (+6/-0)
src/core/media/player_skeleton.cpp (+32/-6)
src/core/media/player_stub.cpp (+16/-2)
src/core/media/service_implementation.cpp (+1/-1)
To merge this branch: bzr merge lp:~phablet-team/media-hub/fix-1533779
Reviewer Review Type Date Requested Status
Thomas Voß (community) Approve
PS Jenkins bot continuous-integration Approve
Bill Filler (community) Approve
Review via email: mp+282655@code.launchpad.net

Commit message

Make sure that an apparmor profile_name of the format com.ubuntu.my-app is supported as well as improve the error handling and reporting for when a client does not have the proper apparmor permissions to play a given media URI

Description of the change

Make sure that an apparmor profile_name of the format com.ubuntu.my-app is supported as well as improve the error handling and reporting for when a client does not have the proper apparmor permissions to play a given media URI

To post a comment you must log in.
lp:~phablet-team/media-hub/fix-1533779 updated
166. By Jim Hodapp

Also raise an error if insufficient apparmor permissions for open_uri extended

Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

PASSED: Continuous integration, rev:165
http://jenkins.qa.ubuntu.com/job/media-hub-ci/386/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-amd64-ci/226
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/226
        deb: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/226/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-i386-ci/226

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/media-hub-ci/386/rebuild

review: Approve (continuous-integration)
Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

PASSED: Continuous integration, rev:166
http://jenkins.qa.ubuntu.com/job/media-hub-ci/387/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-amd64-ci/227
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/227
        deb: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/227/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-i386-ci/227

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/media-hub-ci/387/rebuild

review: Approve (continuous-integration)
Revision history for this message
Bill Filler (bfiller) wrote :

Tested this and functionality it's all working with silo 52. Able to record/play audio with messaging-app and playback video.

review: Approve
Revision history for this message
Thomas Voß (thomas-voss) wrote :

As per our discussion on IRC: http://pastebin.ubuntu.com/14499825/

review: Needs Fixing
lp:~phablet-team/media-hub/fix-1533779 updated
167. By Jim Hodapp

Tighten up the messaging-app apparmor permission check

Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

PASSED: Continuous integration, rev:167
http://jenkins.qa.ubuntu.com/job/media-hub-ci/388/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-amd64-ci/228
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/228
        deb: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/228/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-i386-ci/228

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/media-hub-ci/388/rebuild

review: Approve (continuous-integration)
lp:~phablet-team/media-hub/fix-1533779 updated
168. By Jim Hodapp

Remove app_id_ since it isn't used

Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

PASSED: Continuous integration, rev:168
http://jenkins.qa.ubuntu.com/job/media-hub-ci/389/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-amd64-ci/229
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/229
        deb: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/229/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-i386-ci/229

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/media-hub-ci/389/rebuild

review: Approve (continuous-integration)
Revision history for this message
Thomas Voß (thomas-voss) wrote :

LGTM.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'include/core/media/player.h'
2--- include/core/media/player.h 2015-04-17 16:37:02 +0000
3+++ include/core/media/player.h 2016-01-15 15:44:13 +0000
4@@ -56,6 +56,11 @@
5 {
6 OutOfProcessBufferStreamingNotSupported();
7 };
8+
9+ struct InsufficientAppArmorPermissions : public std::runtime_error
10+ {
11+ InsufficientAppArmorPermissions(const std::string& err);
12+ };
13 };
14
15 struct Configuration;
16
17=== modified file 'src/core/media/apparmor/ubuntu.cpp'
18--- src/core/media/apparmor/ubuntu.cpp 2015-09-03 07:23:16 +0000
19+++ src/core/media/apparmor/ubuntu.cpp 2016-01-15 15:44:13 +0000
20@@ -75,17 +75,26 @@
21
22 // Returns true if the context name is a valid Ubuntu app id.
23 // If it is, out is populated with the package and app name.
24-bool process_context_name(const std::string& s, std::smatch& out)
25+bool process_context_name(const std::string& s, std::smatch& out,
26+ std::string& pkg_name)
27 {
28 // See https://wiki.ubuntu.com/AppStore/Interfaces/ApplicationId.
29 static const std::regex short_re{"(.*)_(.*)"};
30 static const std::regex full_re{"(.*)_(.*)_(.*)"};
31-
32- if (std::regex_match(s, out, full_re))
33- return true;
34-
35- if (std::regex_match(s, out, short_re))
36- return true;
37+ static const std::regex trust_store_re{"(.*)-(.*)"};
38+
39+ if (s == "messaging-app"
40+ and std::regex_match(s, out, trust_store_re))
41+ {
42+ pkg_name = s;
43+ return true;
44+ }
45+
46+ if (std::regex_match(s, out, full_re) or std::regex_match(s, out, short_re))
47+ {
48+ pkg_name = out[index_package];
49+ return true;
50+ }
51
52 return false;
53 }
54@@ -94,8 +103,11 @@
55 apparmor::ubuntu::Context::Context(const std::string& name)
56 : apparmor::Context{name},
57 unconfined_{str() == ubuntu::unconfined},
58- has_package_name_{process_context_name(str(), match_)}
59+ has_package_name_{process_context_name(str(), match_, pkg_name_)}
60 {
61+ std::cout << "apparmor profile name: " << name;
62+ std::cout << ", is_unconfined(): " << is_unconfined();
63+ std::cout << ", has_package_name(): " << has_package_name() << std::endl;
64 if (not is_unconfined() && not has_package_name()) throw std::logic_error
65 {
66 "apparmor::ubuntu::Context: Invalid profile name " + str()
67@@ -112,10 +124,14 @@
68 return has_package_name_;
69 }
70
71-
72 std::string apparmor::ubuntu::Context::package_name() const
73 {
74- return std::string{match_[index_package]};
75+ return pkg_name_;
76+}
77+
78+std::string apparmor::ubuntu::Context::profile_name() const
79+{
80+ return std::string{match_[index_package]} + "-" + std::string{match_[index_app]};
81 }
82
83 apparmor::ubuntu::DBusDaemonRequestContextResolver::DBusDaemonRequestContextResolver(const core::dbus::Bus::Ptr& bus) : dbus_daemon{bus}
84@@ -149,6 +165,18 @@
85 "Client can access content in ~/.local/share/" + context.package_name() + " or ~/.cache/" + context.package_name()
86 };
87 }
88+ // Check for trust-store compatible path name using full messaging-app profile_name
89+ else if (context.profile_name() == "messaging-app" &&
90+ /* Since the full APP_ID is not available yet (see aa_query_file_path()), add an exception: */
91+ (parsed_uri.path.find(std::string(".local/share/com.ubuntu." + context.profile_name() + "/")) != std::string::npos ||
92+ parsed_uri.path.find(std::string(".cache/com.ubuntu." + context.profile_name() + "/")) != std::string::npos))
93+ {
94+ return Result
95+ {
96+ true,
97+ "Client can access content in ~/.local/share/" + context.profile_name() + " or ~/.cache/" + context.profile_name()
98+ };
99+ }
100 else if (parsed_uri.path.find(std::string("opt/click.ubuntu.com/")) != std::string::npos &&
101 parsed_uri.path.find(context.package_name()) != std::string::npos)
102 {
103
104=== modified file 'src/core/media/apparmor/ubuntu.h'
105--- src/core/media/apparmor/ubuntu.h 2014-12-15 14:05:29 +0000
106+++ src/core/media/apparmor/ubuntu.h 2016-01-15 15:44:13 +0000
107@@ -73,8 +73,11 @@
108 // Returns the package name or throws if no package name can be found.
109 virtual std::string package_name() const;
110
111+ virtual std::string profile_name() const;
112+
113 private:
114 std::smatch match_;
115+ std::string pkg_name_;
116 const bool unconfined_;
117 const bool has_package_name_;
118 };
119
120=== modified file 'src/core/media/mpris/player.h'
121--- src/core/media/mpris/player.h 2015-09-29 11:07:54 +0000
122+++ src/core/media/mpris/player.h 2016-01-15 15:44:13 +0000
123@@ -116,6 +116,14 @@
124 "mpris.Player.Error.OutOfProcessBufferStreamingNotSupported"
125 };
126 };
127+
128+ struct InsufficientAppArmorPermissions
129+ {
130+ static constexpr const char* name
131+ {
132+ "mpris.Player.Error.InsufficientAppArmorPermissions"
133+ };
134+ };
135 };
136
137 typedef std::map<std::string, core::dbus::types::Variant> Dictionary;
138
139=== modified file 'src/core/media/player.cpp'
140--- src/core/media/player.cpp 2015-04-14 02:39:32 +0000
141+++ src/core/media/player.cpp 2016-01-15 15:44:13 +0000
142@@ -27,6 +27,12 @@
143 {
144 }
145
146+media::Player::Errors::InsufficientAppArmorPermissions::InsufficientAppArmorPermissions
147+ (const std::string &e)
148+ : std::runtime_error{e}
149+{
150+}
151+
152 const media::Player::Configuration& media::Player::Client::default_configuration()
153 {
154 static const media::Player::Configuration config
155
156=== modified file 'src/core/media/player_skeleton.cpp'
157--- src/core/media/player_skeleton.cpp 2015-04-20 17:48:48 +0000
158+++ src/core/media/player_skeleton.cpp 2016-01-15 15:44:13 +0000
159@@ -179,11 +179,23 @@
160 Track::UriType uri;
161 in->reader() >> uri;
162
163+ auto reply = dbus::Message::make_method_return(in);
164 // Make sure the client has adequate apparmor permissions to open the URI
165- auto result = request_authenticator->authenticate_open_uri_request(context, uri);
166-
167- auto reply = dbus::Message::make_method_return(in);
168- reply->writer() << (std::get<0>(result) ? impl->open_uri(uri) : false);
169+ const auto result = request_authenticator->authenticate_open_uri_request(context, uri);
170+ if (std::get<0>(result))
171+ {
172+ reply->writer() << (std::get<0>(result) ? impl->open_uri(uri) : false);
173+ }
174+ else
175+ {
176+ const std::string err_str = {"Warning: Failed to authenticate necessary "
177+ "apparmor permissions to open uri: " + std::get<1>(result)};
178+ std::cerr << err_str << std::endl;
179+ reply = dbus::Message::make_error(
180+ in,
181+ mpris::Player::Error::InsufficientAppArmorPermissions::name,
182+ err_str);
183+ }
184
185 bus->send(reply);
186 });
187@@ -198,9 +210,23 @@
188
189 in->reader() >> uri >> headers;
190
191- auto result = request_authenticator->authenticate_open_uri_request(context, uri);
192 auto reply = dbus::Message::make_method_return(in);
193- reply->writer() << (std::get<0>(result) ? impl->open_uri(uri, headers) : false);
194+ // Make sure the client has adequate apparmor permissions to open the URI
195+ const auto result = request_authenticator->authenticate_open_uri_request(context, uri);
196+ if (std::get<0>(result))
197+ {
198+ reply->writer() << (std::get<0>(result) ? impl->open_uri(uri, headers) : false);
199+ }
200+ else
201+ {
202+ const std::string err_str = {"Warning: Failed to authenticate necessary "
203+ "apparmor permissions to open uri: " + std::get<1>(result)};
204+ std::cerr << err_str << std::endl;
205+ reply = dbus::Message::make_error(
206+ in,
207+ mpris::Player::Error::InsufficientAppArmorPermissions::name,
208+ err_str);
209+ }
210
211 bus->send(reply);
212 });
213
214=== modified file 'src/core/media/player_stub.cpp'
215--- src/core/media/player_stub.cpp 2015-05-01 19:44:11 +0000
216+++ src/core/media/player_stub.cpp 2016-01-15 15:44:13 +0000
217@@ -261,7 +261,14 @@
218
219 bool media::PlayerStub::open_uri(const media::Track::UriType& uri)
220 {
221- auto op = d->object->transact_method<mpris::Player::OpenUri, bool>(uri);
222+ const auto op = d->object->transact_method<mpris::Player::OpenUri, bool>(uri);
223+ if (op.is_error())
224+ {
225+ if (op.error().name() == mpris::Player::Error::InsufficientAppArmorPermissions::name)
226+ throw media::Player::Errors::InsufficientAppArmorPermissions{op.error().print()};
227+ else
228+ throw std::runtime_error{op.error().print()};
229+ }
230
231 return op.value();
232 }
233@@ -269,7 +276,14 @@
234
235 bool media::PlayerStub::open_uri(const Track::UriType& uri, const Player::HeadersType& headers)
236 {
237- auto op = d->object->transact_method<mpris::Player::OpenUriExtended, bool>(uri, headers);
238+ const auto op = d->object->transact_method<mpris::Player::OpenUriExtended, bool>(uri, headers);
239+ if (op.is_error())
240+ {
241+ if (op.error().name() == mpris::Player::Error::InsufficientAppArmorPermissions::name)
242+ throw media::Player::Errors::InsufficientAppArmorPermissions{op.error().print()};
243+ else
244+ throw std::runtime_error{op.error().print()};
245+ }
246
247 return op.value();
248 }
249
250=== modified file 'src/core/media/service_implementation.cpp'
251--- src/core/media/service_implementation.cpp 2015-12-17 18:53:47 +0000
252+++ src/core/media/service_implementation.cpp 2016-01-15 15:44:13 +0000
253@@ -255,7 +255,7 @@
254 return std::shared_ptr<media::Player>();
255 }
256
257-void media::ServiceImplementation::set_current_player(Player::PlayerKey key)
258+void media::ServiceImplementation::set_current_player(Player::PlayerKey)
259 {
260 // no impl
261 }

Subscribers

People subscribed via source and target branches

to all changes: