Media Hub

Merge lp:~phablet-team/media-hub/fix-1533779 into lp:media-hub

  1. fix-1533779
  2. Merge into trunk
Proposed by Jim Hodapp
Status: Merged
Approved by: Thomas Voß
Approved revision: 168
Merged at revision: 165
Proposed branch: lp:~phablet-team/media-hub/fix-1533779
Merge into: lp:media-hub
Diff against target: 261 lines (+109/-19)
8 files modified
include/core/media/player.h (+5/-0)
src/core/media/apparmor/ubuntu.cpp (+38/-10)
src/core/media/apparmor/ubuntu.h (+3/-0)
src/core/media/mpris/player.h (+8/-0)
src/core/media/player.cpp (+6/-0)
src/core/media/player_skeleton.cpp (+32/-6)
src/core/media/player_stub.cpp (+16/-2)
src/core/media/service_implementation.cpp (+1/-1)
To merge this branch: bzr merge lp:~phablet-team/media-hub/fix-1533779
Reviewer Review Type Date Requested Status
Thomas Voß (community) Approve
PS Jenkins bot continuous-integration Approve
Bill Filler (community) Approve
Review via email: mp+282655@code.launchpad.net

Commit message

Make sure that an apparmor profile_name of the format com.ubuntu.my-app is supported as well as improve the error handling and reporting for when a client does not have the proper apparmor permissions to play a given media URI

Description of the change

Make sure that an apparmor profile_name of the format com.ubuntu.my-app is supported as well as improve the error handling and reporting for when a client does not have the proper apparmor permissions to play a given media URI

To post a comment you must log in.
lp:~phablet-team/media-hub/fix-1533779 updated
166. By Jim Hodapp

Also raise an error if insufficient apparmor permissions for open_uri extended

Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

PASSED: Continuous integration, rev:165
http://jenkins.qa.ubuntu.com/job/media-hub-ci/386/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-amd64-ci/226
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/226
        deb: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/226/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-i386-ci/226

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/media-hub-ci/386/rebuild

review: Approve (continuous-integration)
Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

PASSED: Continuous integration, rev:166
http://jenkins.qa.ubuntu.com/job/media-hub-ci/387/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-amd64-ci/227
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/227
        deb: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/227/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-i386-ci/227

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/media-hub-ci/387/rebuild

review: Approve (continuous-integration)
Revision history for this message
Bill Filler (bfiller) wrote :

Tested this and functionality it's all working with silo 52. Able to record/play audio with messaging-app and playback video.

review: Approve
Revision history for this message
Thomas Voß (thomas-voss) wrote :

As per our discussion on IRC: http://pastebin.ubuntu.com/14499825/

review: Needs Fixing
lp:~phablet-team/media-hub/fix-1533779 updated
167. By Jim Hodapp

Tighten up the messaging-app apparmor permission check

Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

PASSED: Continuous integration, rev:167
http://jenkins.qa.ubuntu.com/job/media-hub-ci/388/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-amd64-ci/228
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/228
        deb: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/228/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-i386-ci/228

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/media-hub-ci/388/rebuild

review: Approve (continuous-integration)
lp:~phablet-team/media-hub/fix-1533779 updated
168. By Jim Hodapp

Remove app_id_ since it isn't used

Revision history for this message
PS Jenkins bot (ps-jenkins) wrote :

PASSED: Continuous integration, rev:168
http://jenkins.qa.ubuntu.com/job/media-hub-ci/389/
Executed test runs:
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-amd64-ci/229
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/229
        deb: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-armhf-ci/229/artifact/work/output/*zip*/output.zip
    SUCCESS: http://jenkins.qa.ubuntu.com/job/media-hub-vivid-i386-ci/229

Click here to trigger a rebuild:
http://s-jenkins.ubuntu-ci:8080/job/media-hub-ci/389/rebuild

review: Approve (continuous-integration)
Revision history for this message
Thomas Voß (thomas-voss) wrote :

LGTM.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'include/core/media/player.h'
--- include/core/media/player.h 2015-04-17 16:37:02 +0000
+++ include/core/media/player.h 2016-01-15 15:44:13 +0000
@@ -56,6 +56,11 @@
56 {56 {
57 OutOfProcessBufferStreamingNotSupported();57 OutOfProcessBufferStreamingNotSupported();
58 };58 };
59
60 struct InsufficientAppArmorPermissions : public std::runtime_error
61 {
62 InsufficientAppArmorPermissions(const std::string& err);
63 };
59 };64 };
6065
61 struct Configuration;66 struct Configuration;
6267
=== modified file 'src/core/media/apparmor/ubuntu.cpp'
--- src/core/media/apparmor/ubuntu.cpp 2015-09-03 07:23:16 +0000
+++ src/core/media/apparmor/ubuntu.cpp 2016-01-15 15:44:13 +0000
@@ -75,17 +75,26 @@
7575
76// Returns true if the context name is a valid Ubuntu app id.76// Returns true if the context name is a valid Ubuntu app id.
77// If it is, out is populated with the package and app name.77// If it is, out is populated with the package and app name.
78bool process_context_name(const std::string& s, std::smatch& out)78bool process_context_name(const std::string& s, std::smatch& out,
79 std::string& pkg_name)
79{80{
80 // See https://wiki.ubuntu.com/AppStore/Interfaces/ApplicationId.81 // See https://wiki.ubuntu.com/AppStore/Interfaces/ApplicationId.
81 static const std::regex short_re{"(.*)_(.*)"};82 static const std::regex short_re{"(.*)_(.*)"};
82 static const std::regex full_re{"(.*)_(.*)_(.*)"};83 static const std::regex full_re{"(.*)_(.*)_(.*)"};
8384 static const std::regex trust_store_re{"(.*)-(.*)"};
84 if (std::regex_match(s, out, full_re))85
85 return true;86 if (s == "messaging-app"
8687 and std::regex_match(s, out, trust_store_re))
87 if (std::regex_match(s, out, short_re))88 {
88 return true;89 pkg_name = s;
90 return true;
91 }
92
93 if (std::regex_match(s, out, full_re) or std::regex_match(s, out, short_re))
94 {
95 pkg_name = out[index_package];
96 return true;
97 }
8998
90 return false;99 return false;
91}100}
@@ -94,8 +103,11 @@
94apparmor::ubuntu::Context::Context(const std::string& name)103apparmor::ubuntu::Context::Context(const std::string& name)
95 : apparmor::Context{name},104 : apparmor::Context{name},
96 unconfined_{str() == ubuntu::unconfined},105 unconfined_{str() == ubuntu::unconfined},
97 has_package_name_{process_context_name(str(), match_)}106 has_package_name_{process_context_name(str(), match_, pkg_name_)}
98{107{
108 std::cout << "apparmor profile name: " << name;
109 std::cout << ", is_unconfined(): " << is_unconfined();
110 std::cout << ", has_package_name(): " << has_package_name() << std::endl;
99 if (not is_unconfined() && not has_package_name()) throw std::logic_error111 if (not is_unconfined() && not has_package_name()) throw std::logic_error
100 {112 {
101 "apparmor::ubuntu::Context: Invalid profile name " + str()113 "apparmor::ubuntu::Context: Invalid profile name " + str()
@@ -112,10 +124,14 @@
112 return has_package_name_;124 return has_package_name_;
113}125}
114126
115
116std::string apparmor::ubuntu::Context::package_name() const127std::string apparmor::ubuntu::Context::package_name() const
117{128{
118 return std::string{match_[index_package]};129 return pkg_name_;
130}
131
132std::string apparmor::ubuntu::Context::profile_name() const
133{
134 return std::string{match_[index_package]} + "-" + std::string{match_[index_app]};
119}135}
120136
121apparmor::ubuntu::DBusDaemonRequestContextResolver::DBusDaemonRequestContextResolver(const core::dbus::Bus::Ptr& bus) : dbus_daemon{bus}137apparmor::ubuntu::DBusDaemonRequestContextResolver::DBusDaemonRequestContextResolver(const core::dbus::Bus::Ptr& bus) : dbus_daemon{bus}
@@ -149,6 +165,18 @@
149 "Client can access content in ~/.local/share/" + context.package_name() + " or ~/.cache/" + context.package_name()165 "Client can access content in ~/.local/share/" + context.package_name() + " or ~/.cache/" + context.package_name()
150 };166 };
151 }167 }
168 // Check for trust-store compatible path name using full messaging-app profile_name
169 else if (context.profile_name() == "messaging-app" &&
170 /* Since the full APP_ID is not available yet (see aa_query_file_path()), add an exception: */
171 (parsed_uri.path.find(std::string(".local/share/com.ubuntu." + context.profile_name() + "/")) != std::string::npos ||
172 parsed_uri.path.find(std::string(".cache/com.ubuntu." + context.profile_name() + "/")) != std::string::npos))
173 {
174 return Result
175 {
176 true,
177 "Client can access content in ~/.local/share/" + context.profile_name() + " or ~/.cache/" + context.profile_name()
178 };
179 }
152 else if (parsed_uri.path.find(std::string("opt/click.ubuntu.com/")) != std::string::npos &&180 else if (parsed_uri.path.find(std::string("opt/click.ubuntu.com/")) != std::string::npos &&
153 parsed_uri.path.find(context.package_name()) != std::string::npos)181 parsed_uri.path.find(context.package_name()) != std::string::npos)
154 {182 {
155183
=== modified file 'src/core/media/apparmor/ubuntu.h'
--- src/core/media/apparmor/ubuntu.h 2014-12-15 14:05:29 +0000
+++ src/core/media/apparmor/ubuntu.h 2016-01-15 15:44:13 +0000
@@ -73,8 +73,11 @@
73 // Returns the package name or throws if no package name can be found.73 // Returns the package name or throws if no package name can be found.
74 virtual std::string package_name() const;74 virtual std::string package_name() const;
7575
76 virtual std::string profile_name() const;
77
76private:78private:
77 std::smatch match_;79 std::smatch match_;
80 std::string pkg_name_;
78 const bool unconfined_;81 const bool unconfined_;
79 const bool has_package_name_;82 const bool has_package_name_;
80};83};
8184
=== modified file 'src/core/media/mpris/player.h'
--- src/core/media/mpris/player.h 2015-09-29 11:07:54 +0000
+++ src/core/media/mpris/player.h 2016-01-15 15:44:13 +0000
@@ -116,6 +116,14 @@
116 "mpris.Player.Error.OutOfProcessBufferStreamingNotSupported"116 "mpris.Player.Error.OutOfProcessBufferStreamingNotSupported"
117 };117 };
118 };118 };
119
120 struct InsufficientAppArmorPermissions
121 {
122 static constexpr const char* name
123 {
124 "mpris.Player.Error.InsufficientAppArmorPermissions"
125 };
126 };
119 };127 };
120128
121 typedef std::map<std::string, core::dbus::types::Variant> Dictionary;129 typedef std::map<std::string, core::dbus::types::Variant> Dictionary;
122130
=== modified file 'src/core/media/player.cpp'
--- src/core/media/player.cpp 2015-04-14 02:39:32 +0000
+++ src/core/media/player.cpp 2016-01-15 15:44:13 +0000
@@ -27,6 +27,12 @@
27{27{
28}28}
2929
30media::Player::Errors::InsufficientAppArmorPermissions::InsufficientAppArmorPermissions
31 (const std::string &e)
32 : std::runtime_error{e}
33{
34}
35
30const media::Player::Configuration& media::Player::Client::default_configuration()36const media::Player::Configuration& media::Player::Client::default_configuration()
31{37{
32 static const media::Player::Configuration config38 static const media::Player::Configuration config
3339
=== modified file 'src/core/media/player_skeleton.cpp'
--- src/core/media/player_skeleton.cpp 2015-04-20 17:48:48 +0000
+++ src/core/media/player_skeleton.cpp 2016-01-15 15:44:13 +0000
@@ -179,11 +179,23 @@
179 Track::UriType uri;179 Track::UriType uri;
180 in->reader() >> uri;180 in->reader() >> uri;
181181
182 auto reply = dbus::Message::make_method_return(in);
182 // Make sure the client has adequate apparmor permissions to open the URI183 // Make sure the client has adequate apparmor permissions to open the URI
183 auto result = request_authenticator->authenticate_open_uri_request(context, uri);184 const auto result = request_authenticator->authenticate_open_uri_request(context, uri);
184185 if (std::get<0>(result))
185 auto reply = dbus::Message::make_method_return(in);186 {
186 reply->writer() << (std::get<0>(result) ? impl->open_uri(uri) : false);187 reply->writer() << (std::get<0>(result) ? impl->open_uri(uri) : false);
188 }
189 else
190 {
191 const std::string err_str = {"Warning: Failed to authenticate necessary "
192 "apparmor permissions to open uri: " + std::get<1>(result)};
193 std::cerr << err_str << std::endl;
194 reply = dbus::Message::make_error(
195 in,
196 mpris::Player::Error::InsufficientAppArmorPermissions::name,
197 err_str);
198 }
187199
188 bus->send(reply);200 bus->send(reply);
189 });201 });
@@ -198,9 +210,23 @@
198210
199 in->reader() >> uri >> headers;211 in->reader() >> uri >> headers;
200212
201 auto result = request_authenticator->authenticate_open_uri_request(context, uri);
202 auto reply = dbus::Message::make_method_return(in);213 auto reply = dbus::Message::make_method_return(in);
203 reply->writer() << (std::get<0>(result) ? impl->open_uri(uri, headers) : false);214 // Make sure the client has adequate apparmor permissions to open the URI
215 const auto result = request_authenticator->authenticate_open_uri_request(context, uri);
216 if (std::get<0>(result))
217 {
218 reply->writer() << (std::get<0>(result) ? impl->open_uri(uri, headers) : false);
219 }
220 else
221 {
222 const std::string err_str = {"Warning: Failed to authenticate necessary "
223 "apparmor permissions to open uri: " + std::get<1>(result)};
224 std::cerr << err_str << std::endl;
225 reply = dbus::Message::make_error(
226 in,
227 mpris::Player::Error::InsufficientAppArmorPermissions::name,
228 err_str);
229 }
204230
205 bus->send(reply);231 bus->send(reply);
206 });232 });
207233
=== modified file 'src/core/media/player_stub.cpp'
--- src/core/media/player_stub.cpp 2015-05-01 19:44:11 +0000
+++ src/core/media/player_stub.cpp 2016-01-15 15:44:13 +0000
@@ -261,7 +261,14 @@
261261
262bool media::PlayerStub::open_uri(const media::Track::UriType& uri)262bool media::PlayerStub::open_uri(const media::Track::UriType& uri)
263{263{
264 auto op = d->object->transact_method<mpris::Player::OpenUri, bool>(uri);264 const auto op = d->object->transact_method<mpris::Player::OpenUri, bool>(uri);
265 if (op.is_error())
266 {
267 if (op.error().name() == mpris::Player::Error::InsufficientAppArmorPermissions::name)
268 throw media::Player::Errors::InsufficientAppArmorPermissions{op.error().print()};
269 else
270 throw std::runtime_error{op.error().print()};
271 }
265272
266 return op.value();273 return op.value();
267}274}
@@ -269,7 +276,14 @@
269276
270bool media::PlayerStub::open_uri(const Track::UriType& uri, const Player::HeadersType& headers)277bool media::PlayerStub::open_uri(const Track::UriType& uri, const Player::HeadersType& headers)
271{278{
272 auto op = d->object->transact_method<mpris::Player::OpenUriExtended, bool>(uri, headers);279 const auto op = d->object->transact_method<mpris::Player::OpenUriExtended, bool>(uri, headers);
280 if (op.is_error())
281 {
282 if (op.error().name() == mpris::Player::Error::InsufficientAppArmorPermissions::name)
283 throw media::Player::Errors::InsufficientAppArmorPermissions{op.error().print()};
284 else
285 throw std::runtime_error{op.error().print()};
286 }
273287
274 return op.value();288 return op.value();
275}289}
276290
=== modified file 'src/core/media/service_implementation.cpp'
--- src/core/media/service_implementation.cpp 2015-12-17 18:53:47 +0000
+++ src/core/media/service_implementation.cpp 2016-01-15 15:44:13 +0000
@@ -255,7 +255,7 @@
255 return std::shared_ptr<media::Player>();255 return std::shared_ptr<media::Player>();
256}256}
257257
258void media::ServiceImplementation::set_current_player(Player::PlayerKey key)258void media::ServiceImplementation::set_current_player(Player::PlayerKey)
259{259{
260 // no impl260 // no impl
261}261}

Subscribers

People subscribed via source and target branches

to all changes: