Merge lp:~rmcbride/ubuntu/lucid/ubuntuone-client/fix_528274 into lp:ubuntu/lucid/ubuntuone-client

Proposed by Rick McBride
Status: Work in progress
Proposed branch: lp:~rmcbride/ubuntu/lucid/ubuntuone-client/fix_528274
Merge into: lp:ubuntu/lucid/ubuntuone-client
Diff against target: 103 lines (+54/-0)
7 files modified
debian/apparmor-profile (+20/-0)
debian/changelog (+6/-0)
debian/control (+1/-0)
debian/rules (+4/-0)
debian/ubuntuone-client.dirs (+1/-0)
debian/ubuntuone-client.postinst (+12/-0)
debian/ubuntuone-client.postrm (+10/-0)
To merge this branch: bzr merge lp:~rmcbride/ubuntu/lucid/ubuntuone-client/fix_528274
Reviewer Review Type Date Requested Status
Kees Cook Approve
Jamie Strandboge Pending
Ubuntu branches Pending
Review via email: mp+20927@code.launchpad.net

Description of the change

This adds an AppArmor profile for ubuntuone-syncdaemon, addressing bug #528274. It also adds postinst and postrm logic for same.

30. By Rick McBride

restored line mistakenly deleted from ubuntuone-client.install

31. By Rick McBride

improved profile to protect things like keys and other things we shouldn't mess with

Revision history for this message
Kees Cook (kees) wrote :

This line:

owner "@{HOME}/**" rw,

doesn't need the double quotes any more since it doesn't include white space.

review: Needs Fixing
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The packaging for apparmor looks fine. I don't see where you actually install the apport hook in debian/rules though.

Unless you need access to ~/.mozilla, I suggest simply doing:

+ #include <abstractions/private-files-strict>

Instead of:
+ #include <abstractions/private-files>
+ audit deny @{HOME}/.ssh/** mrwkl,
+ audit deny @{HOME}/.gnome2_private/** mrwkl,
+
+ # comment this out if using gpg plugin/addons
+ audit deny @{HOME}/.gnupg/** mrwkl,

If you do need access to .mozilla for something, then what you have is fine, though I wonder why you need access to all of $HOME rather than just the ~/Ubuntu One directory.

Revision history for this message
Rick McBride (rmcbride) wrote :

Jamie,

we need all of $HOME because Ubuntu One will soon allow the user to define shareable folders anywhere in their home directory.

I'll add the simplification on abstractions/private-files as well.

Kees, thanks. I'll fix that.

Revision history for this message
Rick McBride (rmcbride) wrote :

Fixed and pushed. Removed the unrelated apport hook stuff.

32. By Rick McBride

several fixes based on review feedback. Simplified abstractions stuff and removed things regarding the apport-hook that weren't required for this fix.

33. By Rick McBride

yea we need the xdg/ubuntuone directory

Revision history for this message
Rick McBride (rmcbride) wrote :

Needed to add xdg/ubuntuone, as some global config and OAuth stuff lives there.

34. By Rick McBride

but we don't need write access to the global config

35. By Rick McBride

need to widen scope of .local/share/ubuntuone

36. By Rick McBride

need to widen scope of .local/share/ubuntuone

37. By Rick McBride

remerge from trunk and resolve conflict in debian/changelog

Revision history for this message
Kees Cook (kees) wrote :

This looks good to me. Thanks!

review: Approve
38. By Rick McBride

first version of disabled profile for testing purposes

Revision history for this message
Rick McBride (rmcbride) wrote :

Branch is in work again. I made some subtle mis-cue with the profile disabling (likely it can't be done that way in debian/rules).

Unmerged revisions

38. By Rick McBride

first version of disabled profile for testing purposes

37. By Rick McBride

remerge from trunk and resolve conflict in debian/changelog

36. By Rick McBride

need to widen scope of .local/share/ubuntuone

35. By Rick McBride

need to widen scope of .local/share/ubuntuone

34. By Rick McBride

but we don't need write access to the global config

33. By Rick McBride

yea we need the xdg/ubuntuone directory

32. By Rick McBride

several fixes based on review feedback. Simplified abstractions stuff and removed things regarding the apport-hook that weren't required for this fix.

31. By Rick McBride

improved profile to protect things like keys and other things we shouldn't mess with

30. By Rick McBride

restored line mistakenly deleted from ubuntuone-client.install

29. By Rick McBride

fix rules to have a tab like a normal makefile entry

Preview Diff

1=== added file 'debian/apparmor-profile'
2--- debian/apparmor-profile 1970-01-01 00:00:00 +0000
3+++ debian/apparmor-profile 2010-03-29 17:10:56 +0000
4@@ -0,0 +1,20 @@
5+# Last Modified: Fri Feb 26 12:07:25 2010
6+#include <tunables/global>
7+
8+/usr/lib/ubuntuone-client/ubuntuone-syncdaemon {
9+ #include <abstractions/base>
10+ #include <abstractions/nameservice>
11+ #include <abstractions/python>
12+ #include <abstractions/ssl_certs>
13+ #include <abstractions/user-tmp>
14+
15+ /usr/bin/python2.6 ix,
16+ owner @{HOME}/** rw,
17+ owner @{HOME}/.local/share/ubuntuone/** rw,
18+ owner @{HOME}/.cache/ubuntuone/log/* w,
19+ owner @{HOME}/.cache/ubuntuone/partials/* rw,
20+ /etc/xdg/ubuntuone/** r,
21+
22+ #include <abstractions/private-files-strict>
23+}
24+
25
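Review bot: `owner @{HOME}/** rw,` on line 16 already covers every path on lines 17-19 (`@{HOME}/.local/share/ubuntuone/**`, `@{HOME}/.cache/ubuntuone/log/*`, `@{HOME}/.cache/ubuntuone/partials/*`), so those three rules add nothing; either drop them, or drop line 16 if the intent is to narrow access. Two more checks: `@{HOME}/**` does not match the home directory itself, so a listing of `@{HOME}/` needs its own `owner @{HOME}/ r,` rule; and `/usr/bin/python2.6 ix,` on line 15 pins the interpreter version, so the profile stops matching when the default python moves (a class glob such as `/usr/bin/python2.[4-9] ix,` avoids that). Placing `#include <abstractions/private-files-strict>` after the `rw` grant is fine, since AppArmor `deny` rules take precedence over allow rules regardless of order. There is no `network` rule in the profile; run the daemon under `aa-complain` and confirm its connections do not show up as denials before shipping it enforced.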
26=== modified file 'debian/changelog'
27--- debian/changelog 2010-03-11 00:04:35 +0000
28+++ debian/changelog 2010-03-29 17:10:56 +0000
29@@ -1,3 +1,9 @@
30+ubuntuone-client (1.1.4-0ubuntu2) lucid; urgency=low
31+
32+ * add apparmor profile for syncdaemon.
33+
34+ -- Rick McBride <rick.mcbride@canonical.com> Thu, 18 Mar 2010 17:25:06 -0400
35+
36 ubuntuone-client (1.1.4-0ubuntu1) lucid; urgency=low
37
38 * New upstream release.
39
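Review bot: the entry on line 32 does not reference the bug this branch addresses; write it as `* add apparmor profile for syncdaemon. (LP: #528274)` so the upload closes the bug automatically. The timestamp on line 34 (Thu, 18 Mar 2010) also predates the later revisions in this branch, so regenerate it with `dch -r` before upload.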
40=== modified file 'debian/control'
41--- debian/control 2010-03-10 23:50:45 +0000
42+++ debian/control 2010-03-29 17:10:56 +0000
43@@ -27,6 +27,7 @@
44 python-ubuntuone-client (= ${source:Version}),
45 python-configglue,
46 python-apport
47+Suggests: apparmor
48 Provides: ${python:Provides}
49 Replaces: ubuntuone-oauth-login, nautilus-ubuntuone, ubuntuone-storagefs
50 Conflicts: ubuntuone-oauth-login, nautilus-ubuntuone, ubuntuone-storagefs
51
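Review bot: `Suggests: apparmor` on line 47 is consistent with the postinst, which only loads the profile when `aa-status --enabled` succeeds, so installs without apparmor are handled gracefully. If the profile is meant to be enforced on every install rather than opportunistically, this should be `Recommends:` instead.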
52=== modified file 'debian/rules'
53--- debian/rules 2009-12-07 17:35:00 +0000
54+++ debian/rules 2010-03-29 17:10:56 +0000
55@@ -9,6 +9,10 @@
56 DEB_CONFIGURE_EXTRA_FLAGS = --enable-pycentral
57 DEB_DH_MAKESHLIBS_ARGS = -Xusr/lib/nautilus
58
59+binary-install/ubuntuone-client::
60+ cp debian/apparmor-profile debian/ubuntuone-client/etc/apparmor.d/usr.lib.ubuntuone.client.ubuntuone-syncdaemon
61+ ln -s debian/ubuntuone-client/etc/apparmor.d/usr.lib.ubuntuone-client.ubuntuone-syncdaemon debian/ubuntuone-client/etc/apparmor.d/disable/usr.lib.ubuntuone-client.ubuntuone-syncdaemon
62+
63 binary-post-install/ubuntuone-client::
64 find debian/tmp/usr/lib -name \*.la -exec rm {} \;
65 find debian/tmp/usr/lib -name \*.a -exec rm {} \;
66
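Review bot: the profile file names on lines 60 and 61 do not match: `cp` writes `usr.lib.ubuntuone.client.ubuntuone-syncdaemon` (a dot between `ubuntuone` and `client`), while `ln -s` references `usr.lib.ubuntuone-client.ubuntuone-syncdaemon`, so the symlink dangles and the installed file name matches neither the postinst nor the postrm. Line 61 has a second problem: the symlink target is the build-tree path `debian/ubuntuone-client/etc/apparmor.d/...`, which does not exist on an installed system; the link should point at `/etc/apparmor.d/usr.lib.ubuntuone-client.ubuntuone-syncdaemon`, and `debian/ubuntuone-client/etc/apparmor.d/disable` must exist before `ln -s` runs (the .dirs file only creates `etc/apparmor.d/`). This is the likely cause of the "profile disabling" failure reported in the comments.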
67=== added file 'debian/ubuntuone-client.dirs'
68--- debian/ubuntuone-client.dirs 1970-01-01 00:00:00 +0000
69+++ debian/ubuntuone-client.dirs 2010-03-29 17:10:56 +0000
70@@ -0,0 +1,1 @@
71+etc/apparmor.d/
72
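Review bot: since `debian/rules` creates a symlink under `etc/apparmor.d/disable/`, that directory needs an entry here too (`etc/apparmor.d/disable/`); with only `etc/apparmor.d/` listed, the `ln -s` in rules fails at build time unless something else creates it first.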
73=== added file 'debian/ubuntuone-client.postinst'
74--- debian/ubuntuone-client.postinst 1970-01-01 00:00:00 +0000
75+++ debian/ubuntuone-client.postinst 2010-03-29 17:10:56 +0000
76@@ -0,0 +1,12 @@
77+#!/bin/sh
78+
79+set -e
80+
81+#DEBHELPER#
82+
83+if [ "$1" = "configure" ]; then
84+ APP_PROFILE="/etc/apparmor.d/usr.lib.ubuntuone-client.ubuntuone.syncdaemon"
85+ if [ -f "$APP_PROFILE" ] && aa-status --enabled 2>/dev/null; then
86+ apparmor_parser -r -T -W "$APP_PROFILE" || true
87+ fi
88+fi
89
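Review bot: `APP_PROFILE` on line 84 names `usr.lib.ubuntuone-client.ubuntuone.syncdaemon` (a dot before `syncdaemon`), which matches neither the file `debian/rules` installs nor the name the postrm uses (`usr.lib.ubuntuone-client.ubuntuone-syncdaemon`); the `-f` test on line 85 therefore never succeeds and the profile is never loaded. Also note that `apparmor_parser -r` loads whatever path it is given regardless of any `disable/` symlink (that directory is only honoured by the init script), so if the package is meant to ship the profile disabled, the reload on line 86 should be skipped when `/etc/apparmor.d/disable/usr.lib.ubuntuone-client.ubuntuone-syncdaemon` exists.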
90=== added file 'debian/ubuntuone-client.postrm'
91--- debian/ubuntuone-client.postrm 1970-01-01 00:00:00 +0000
92+++ debian/ubuntuone-client.postrm 2010-03-29 17:10:56 +0000
93@@ -0,0 +1,10 @@
94+#!/bin/sh
95+
96+set -e
97+
98+#DEBHELPER#
99+
100+if [ "$1" = "purge" ]; then
101+ APP_PROFILE="usr.lib.ubuntuone-client.ubuntuone-syncdaemon"
102+ rm -f /etc/apparmor.d/force-complain/$APP_PROFILE >/dev/null 2>&1 || true
103+ rm -f /etc/apparmor.d/disable/$APP_PROFILE >/dev/null 2>&1 || true
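Review bot: the `if` opened on line 100 is never closed; the file ends at line 103 without the matching `fi`, so the script fails to parse and `dpkg --purge` will error out. Beyond that, nothing unloads the profile from the kernel on `remove`: add an `apparmor_parser -R` of the profile (guarded like the postinst) in the `remove` case so a removed package does not leave a stale profile loaded until reboot. The `>/dev/null 2>&1 || true` on lines 102 and 103 is redundant with `rm -f`, which already exits 0 when the file is missing.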
