Merge lp:~rmcbride/ubuntu/lucid/ubuntuone-client/fix_528274 into lp:ubuntu/lucid/ubuntuone-client

Proposed by Rick McBride
Status: Work in progress
Proposed branch: lp:~rmcbride/ubuntu/lucid/ubuntuone-client/fix_528274
Merge into: lp:ubuntu/lucid/ubuntuone-client
Diff against target: 103 lines (+54/-0)
7 files modified
debian/apparmor-profile (+20/-0)
debian/changelog (+6/-0)
debian/control (+1/-0)
debian/rules (+4/-0)
debian/ubuntuone-client.dirs (+1/-0)
debian/ubuntuone-client.postinst (+12/-0)
debian/ubuntuone-client.postrm (+10/-0)
To merge this branch: bzr merge lp:~rmcbride/ubuntu/lucid/ubuntuone-client/fix_528274
Reviewer           Review Type   Date Requested   Status
Kees Cook                                         Approve
Jamie Strandboge                                  Pending
Ubuntu branches                                   Pending
Review via email: mp+20927@code.launchpad.net

Description of the change

This adds an AppArmor profile for ubuntuone-syncdaemon, addressing bug #528274. It also adds postinst and postrm logic for same.

30. By Rick McBride

restored line mistakenly deleted from ubuntuone-client.install

31. By Rick McBride

improved profile to protect things like keys and other things we shouldn't mess with

Revision history for this message
Kees Cook (kees) wrote :

This line:

owner "@{HOME}/**" rw,

doesn't need the double quotes any more since it doesn't include white space.

review: Needs Fixing
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

The packaging for apparmor looks fine. I don't see where you actually install the apport hook in debian/rules though.

Unless you need access to ~/.mozilla, I suggest simply doing:

+ #include <abstractions/private-files-strict>

Instead of:
+ #include <abstractions/private-files>
+ audit deny @{HOME}/.ssh/** mrwkl,
+ audit deny @{HOME}/.gnome2_private/** mrwkl,
+
+ # comment this out if using gpg plugin/addons
+ audit deny @{HOME}/.gnupg/** mrwkl,

If you do need access to .mozilla for something, then what you have is fine, though I wonder why you need access to all of $HOME rather than just the ~/Ubuntu One directory.

Revision history for this message
Rick McBride (rmcbride) wrote :

Jamie,

we need all of $HOME because Ubuntu One will soon allow the user to define shareable folders anywhere in their home directory.

I'll add the simplification on abstractions/private-files as well.

Kees, thanks. I'll fix that.

Revision history for this message
Rick McBride (rmcbride) wrote :

Fixed and pushed. Removed the unrelated apport hook stuff.

32. By Rick McBride

several fixes based on review feedback. Simplified abstractions stuff and removed things regarding the apport-hook that wasn't required for this fix.

33. By Rick McBride

yea we need the xdg/ubuntuone directory

Revision history for this message
Rick McBride (rmcbride) wrote :

Needed to add xdg/ubuntuone, as some global config and oauth stuff lives there.

34. By Rick McBride

but we don't need write access to the global config

35. By Rick McBride

need to widen scope of .local/share/ubuntuone

36. By Rick McBride

need to widen scope of .local/share/ubuntuone

37. By Rick McBride

remerge from trunk and resolve conflict in debian/changelog

Revision history for this message
Kees Cook (kees) wrote :

This looks good to me. Thanks!

review: Approve
38. By Rick McBride

first version of disabled profile for testing purposes

Revision history for this message
Rick McBride (rmcbride) wrote :

Branch is in work again. I made some subtle mis-cue with the profile disabling (likely it can't be done that way in debian/rules).

Unmerged revisions

38. By Rick McBride

first version of disabled profile for testing purposes

37. By Rick McBride

remerge from trunk and resolve conflict in debian/changelog

36. By Rick McBride

need to widen scope of .local/share/ubuntuone

35. By Rick McBride

need to widen scope of .local/share/ubuntuone

34. By Rick McBride

but we don't need write access to the global config

33. By Rick McBride

yea we need the xdg/ubuntuone directory

32. By Rick McBride

several fixes based on review feedback. Simplified abstractions stuff and removed things regarding the apport-hook that wasn't required for this fix.

31. By Rick McBride

improved profile to protect things like keys and other things we shouldn't mess with

30. By Rick McBride

restored line mistakenly deleted from ubuntuone-client.install

29. By Rick McBride

fix rules to have a tab like a normal makefile entry

Preview Diff

=== added file 'debian/apparmor-profile'
--- debian/apparmor-profile 1970-01-01 00:00:00 +0000
+++ debian/apparmor-profile 2010-03-29 17:10:56 +0000
@@ -0,0 +1,20 @@
1# Last Modified: Fri Feb 26 12:07:25 2010
2#include <tunables/global>
3
4/usr/lib/ubuntuone-client/ubuntuone-syncdaemon {
5 #include <abstractions/base>
6 #include <abstractions/nameservice>
7 #include <abstractions/python>
8 #include <abstractions/ssl_certs>
9 #include <abstractions/user-tmp>
10
11 /usr/bin/python2.6 ix,
12 owner @{HOME}/** rw,
13 owner @{HOME}/.local/share/ubuntuone/** rw,
14 owner @{HOME}/.cache/ubuntuone/log/* w,
15 owner @{HOME}/.cache/ubuntuone/partials/* rw,
16 /etc/xdg/ubuntuone/** r,
17
18 #include <abstractions/private-files-strict>
19}
20
021
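Review bot: `owner @{HOME}/** rw,` on line 12 already matches everything the three more specific rules on lines 13-15 (`@{HOME}/.local/share/ubuntuone/**`, `@{HOME}/.cache/ubuntuone/log/*`, `@{HOME}/.cache/ubuntuone/partials/*`) grant, so those lines add nothing; either drop them or, if they are meant to document the paths the daemon really needs, narrow line 12 so the write set stays explicit. As written the daemon can create and modify any owner-writable file under the home directory except the specific files `abstractions/private-files-strict` on line 18 denies; the discussion above justifies that breadth (user-chosen shared folders anywhere under $HOME), so a short comment in the profile recording that trade-off would help the next person who audits it. Two smaller points: `/usr/bin/python2.6 ix,` on line 11 pins the interpreter version and will silently stop matching after a python2 upgrade, and the profile path on line 4 must agree with the file name used in `debian/rules`, the postinst and the postrm, which currently use three different spellings.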
=== modified file 'debian/changelog'
--- debian/changelog 2010-03-11 00:04:35 +0000
+++ debian/changelog 2010-03-29 17:10:56 +0000
@@ -1,3 +1,9 @@
1ubuntuone-client (1.1.4-0ubuntu2) lucid; urgency=low
2
3 * add apparmor profile for syncdaemon.
4
5 -- Rick McBride <rick.mcbride@canonical.com> Thu, 18 Mar 2010 17:25:06 -0400
6
1ubuntuone-client (1.1.4-0ubuntu1) lucid; urgency=low7ubuntuone-client (1.1.4-0ubuntu1) lucid; urgency=low
28
3 * New upstream release.9 * New upstream release.
410
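Review bot: the entry on line 3 should reference the bug this proposal addresses so the upload closes it, e.g. `* add apparmor profile for syncdaemon (LP: #528274).` Since revision 38 now symlinks the profile into `disable/`, the entry should also state that the profile is installed disabled for testing, otherwise the changelog promises more confinement than the package delivers.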
=== modified file 'debian/control'
--- debian/control 2010-03-10 23:50:45 +0000
+++ debian/control 2010-03-29 17:10:56 +0000
@@ -27,6 +27,7 @@
27 python-ubuntuone-client (= ${source:Version}),27 python-ubuntuone-client (= ${source:Version}),
28 python-configglue,28 python-configglue,
29 python-apport29 python-apport
30Suggests: apparmor
30Provides: ${python:Provides}31Provides: ${python:Provides}
31Replaces: ubuntuone-oauth-login, nautilus-ubuntuone, ubuntuone-storagefs32Replaces: ubuntuone-oauth-login, nautilus-ubuntuone, ubuntuone-storagefs
32Conflicts: ubuntuone-oauth-login, nautilus-ubuntuone, ubuntuone-storagefs33Conflicts: ubuntuone-oauth-login, nautilus-ubuntuone, ubuntuone-storagefs
3334
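Review bot: `Suggests: apparmor` on line 30 is consistent with the maintainer scripts, which guard every `aa-status` and `apparmor_parser` call so the package still installs without AppArmor present, and the Depends list on line 29 ends without a trailing comma, so the new field is parsed as a separate field rather than as part of Depends. One documentation point: nothing in the package tells the user that confinement only takes effect when the `apparmor` package is installed and the profile is enabled; a sentence in the long description or a README.Debian would cover that.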
=== modified file 'debian/rules'
--- debian/rules 2009-12-07 17:35:00 +0000
+++ debian/rules 2010-03-29 17:10:56 +0000
@@ -9,6 +9,10 @@
9DEB_CONFIGURE_EXTRA_FLAGS = --enable-pycentral9DEB_CONFIGURE_EXTRA_FLAGS = --enable-pycentral
10DEB_DH_MAKESHLIBS_ARGS = -Xusr/lib/nautilus10DEB_DH_MAKESHLIBS_ARGS = -Xusr/lib/nautilus
1111
12binary-install/ubuntuone-client::
13 cp debian/apparmor-profile debian/ubuntuone-client/etc/apparmor.d/usr.lib.ubuntuone.client.ubuntuone-syncdaemon
14 ln -s debian/ubuntuone-client/etc/apparmor.d/usr.lib.ubuntuone-client.ubuntuone-syncdaemon debian/ubuntuone-client/etc/apparmor.d/disable/usr.lib.ubuntuone-client.ubuntuone-syncdaemon
15
12binary-post-install/ubuntuone-client::16binary-post-install/ubuntuone-client::
13 find debian/tmp/usr/lib -name \*.la -exec rm {} \;17 find debian/tmp/usr/lib -name \*.la -exec rm {} \;
14 find debian/tmp/usr/lib -name \*.a -exec rm {} \;18 find debian/tmp/usr/lib -name \*.a -exec rm {} \;
1519
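Review bot: the destination on line 13 (`usr.lib.ubuntuone.client.ubuntuone-syncdaemon`, with a dot between `ubuntuone` and `client`) does not match the name used on line 14 (`usr.lib.ubuntuone-client.ubuntuone-syncdaemon`), so `cp` installs one file and `ln -s` points at another: the shipped profile ends up under a name the postrm never removes, and the disable link refers to a file that does not exist. The link target on line 14 is also a build-tree path; `ln -s` stores the string verbatim, so on the installed system it resolves relative to `/etc/apparmor.d/disable/` and dangles. Use `ln -s ../usr.lib.ubuntuone-client.ubuntuone-syncdaemon debian/ubuntuone-client/etc/apparmor.d/disable/usr.lib.ubuntuone-client.ubuntuone-syncdaemon` (or an absolute `/etc/apparmor.d/...` target) and create the `disable` directory first, since `debian/ubuntuone-client.dirs` only creates `etc/apparmor.d/`. Prefer `install -m 644` over `cp` on line 13 so the installed profile's mode does not depend on the checkout.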
=== added file 'debian/ubuntuone-client.dirs'
--- debian/ubuntuone-client.dirs 1970-01-01 00:00:00 +0000
+++ debian/ubuntuone-client.dirs 2010-03-29 17:10:56 +0000
@@ -0,0 +1,1 @@
1etc/apparmor.d/
02
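Review bot: `etc/apparmor.d/` on line 1 is the only directory created, but the `binary-install` hook in `debian/rules` symlinks the profile into `etc/apparmor.d/disable/`, which nothing creates, so the `ln -s` fails at build time. Add `etc/apparmor.d/disable` here (or `mkdir -p` it in rules before the link).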
=== added file 'debian/ubuntuone-client.postinst'
--- debian/ubuntuone-client.postinst 1970-01-01 00:00:00 +0000
+++ debian/ubuntuone-client.postinst 2010-03-29 17:10:56 +0000
@@ -0,0 +1,12 @@
1#!/bin/sh
2
3set -e
4
5#DEBHELPER#
6
7if [ "$1" = "configure" ]; then
8 APP_PROFILE="/etc/apparmor.d/usr.lib.ubuntuone-client.ubuntuone.syncdaemon"
9 if [ -f "$APP_PROFILE" ] && aa-status --enabled 2>/dev/null; then
10 apparmor_parser -r -T -W "$APP_PROFILE" || true
11 fi
12fi
013
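Review bot: `APP_PROFILE` on line 8 is `/etc/apparmor.d/usr.lib.ubuntuone-client.ubuntuone.syncdaemon` (dot before `syncdaemon`), which matches neither the name `debian/rules` copies to nor the one the postrm removes, so the `-f` test on line 9 is always false and the profile is never loaded; settle on one name and use it in rules, postinst and postrm. Once the name is fixed, `apparmor_parser -r` on line 10 will load the profile even though revision 38 installs it symlinked into `disable/`; add a guard such as `[ ! -e "/etc/apparmor.d/disable/$(basename "$APP_PROFILE")" ]` to the condition on line 9 so a deliberately disabled profile stays disabled. `aa-status --enabled 2>/dev/null` correctly yields false when `aa-status` is absent, but the `|| true` on line 10 also hides genuine parser errors in the shipped profile; consider letting a load failure show up in the install log rather than swallowing it.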
=== added file 'debian/ubuntuone-client.postrm'
--- debian/ubuntuone-client.postrm 1970-01-01 00:00:00 +0000
+++ debian/ubuntuone-client.postrm 2010-03-29 17:10:56 +0000
@@ -0,0 +1,10 @@
1#!/bin/sh
2
3set -e
4
5#DEBHELPER#
6
7if [ "$1" = "purge" ]; then
8 APP_PROFILE="usr.lib.ubuntuone-client.ubuntuone-syncdaemon"
9 rm -f /etc/apparmor.d/force-complain/$APP_PROFILE >/dev/null 2>&1 || true
10 rm -f /etc/apparmor.d/disable/$APP_PROFILE >/dev/null 2>&1 || true
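Review bot: the `if [ "$1" = "purge" ]; then` on line 7 is never closed: the hunk header says the file is 10 lines and line 10 is the last `rm -f`, so there is no `fi` and `sh` rejects the script with a syntax error at purge time, which makes the purge fail. Add `fi` after line 10. Line 8 uses `usr.lib.ubuntuone-client.ubuntuone-syncdaemon`, a third spelling alongside the ones in `debian/rules` and the postinst; all three must agree or the purge removes links that were never created and leaves the real ones behind. On plain remove (not purge) a loaded profile stays in the kernel after its executable is gone; if that matters, an `apparmor_parser -R` on remove, guarded the same way as in the postinst, is the usual fix.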
