Merge lp:~sdeziel/apparmor-profiles/refresh-pulseaudio into lp:apparmor-profiles

Proposed by Simon Déziel
Status: Merged
Approved by: Seth Arnold
Approved revision: 160
Merged at revision: 155
Proposed branch: lp:~sdeziel/apparmor-profiles/refresh-pulseaudio
Merge into: lp:apparmor-profiles
Diff against target: 113 lines (+36/-24)
1 file modified
ubuntu/16.04/usr.bin.pulseaudio (+36/-24)
To merge this branch: bzr merge lp:~sdeziel/apparmor-profiles/refresh-pulseaudio
Reviewer       Review Type    Date Requested    Status
Seth Arnold                                     Approve
Review via email: mp+281910@code.launchpad.net
Seth Arnold (seth-arnold) wrote :

On Thu, Jan 07, 2016 at 06:21:23PM -0000, Simon Déziel wrote:
> - /run/pulse/ rw,
> - /run/pulse/.pulse-cookie rwk,
> - /run/pulse/dbus-socket rwk,
> - /run/pulse/native rwk,
> - /run/pulse/pid rwk,
> + owner /run/pulse/ rw,
> + owner /run/pulse/.pulse-cookie rwk,
> + owner /run/pulse/dbus-socket rwk,
> + owner /run/pulse/native rwk,
> + owner /run/pulse/pid rwk,
> + owner /run/user/[0-9]*/pulse/ rw,
> + owner /run/user/[0-9]*/pulse/* rwk,
> /run/udev/data/+sound:card* r,
> + /run/udev/data/c116:[0-9]* r,
>

How does 'owner /run/pulse/' work? Are these paths bind-mounted from
per-user paths? Or are these paths when pulse is used as root in some
environments?

>
> owner /var/lib/lightdm/.Xauthority r,
> owner /var/lib/lightdm/.esd_auth rwk,
> - owner /var/lib/lightdm/.pulse-cookie rwk,
> - owner /var/lib/lightdm/.pulse/ rw,
> - owner /var/lib/lightdm/.pulse/* w,
> - owner /var/lib/lightdm/.pulse/* r,
> + owner /var/lib/lightdm/.config/pulse/cookie rwk,
> + owner /var/lib/lightdm/.config/pulse/ rw,
> + owner /var/lib/lightdm/.config/pulse/* rw,

Removing accesses like this may cause problems if the AppArmor profile is
replaced before any executing binaries that use the old pathnames. Are
these old path names unused for long enough that no executing binaries
currently use them?

Thanks

Simon Déziel (sdeziel) wrote :

On 2016-01-07 02:30 PM, Seth Arnold wrote:
> On Thu, Jan 07, 2016 at 06:21:23PM -0000, Simon Déziel wrote:
>> - /run/pulse/ rw,
>> - /run/pulse/.pulse-cookie rwk,
>> - /run/pulse/dbus-socket rwk,
>> - /run/pulse/native rwk,
>> - /run/pulse/pid rwk,
>> + owner /run/pulse/ rw,
>> + owner /run/pulse/.pulse-cookie rwk,
>> + owner /run/pulse/dbus-socket rwk,
>> + owner /run/pulse/native rwk,
>> + owner /run/pulse/pid rwk,
>> + owner /run/user/[0-9]*/pulse/ rw,
>> + owner /run/user/[0-9]*/pulse/* rwk,
>> /run/udev/data/+sound:card* r,
>> + /run/udev/data/c116:[0-9]* r,
>>
>
> How does 'owner /run/pulse/' work? Are these paths bind-mounted from
> per-user paths? Or are these paths when pulse is used as root in some
> environments?

It's in case pulse is used as root, I believe. I know this path doesn't
exist on my Xenial desktop.

>>
>> owner /var/lib/lightdm/.Xauthority r,
>> owner /var/lib/lightdm/.esd_auth rwk,
>> - owner /var/lib/lightdm/.pulse-cookie rwk,
>> - owner /var/lib/lightdm/.pulse/ rw,
>> - owner /var/lib/lightdm/.pulse/* w,
>> - owner /var/lib/lightdm/.pulse/* r,
>> + owner /var/lib/lightdm/.config/pulse/cookie rwk,
>> + owner /var/lib/lightdm/.config/pulse/ rw,
>> + owner /var/lib/lightdm/.config/pulse/* rw,
>
> Removing accesses like this may cause problems if the AppArmor profile is
> replaced before any executing binaries that use the old pathnames. Are
> these old path names unused for long enough that no executing binaries
> currently use them?

On Trusty, ~lightdm/.config/pulse is used so we should be good there.

Regards,
Simon

Seth Arnold (seth-arnold) wrote :

Thanks, LGTM

review: Approve
Simon Déziel (sdeziel) wrote :

Thanks Seth!

Preview Diff

1=== modified file 'ubuntu/16.04/usr.bin.pulseaudio'
2--- ubuntu/16.04/usr.bin.pulseaudio 2015-10-27 01:49:53 +0000
3+++ ubuntu/16.04/usr.bin.pulseaudio 2016-01-07 18:21:04 +0000
4@@ -5,9 +5,20 @@
5 #include <abstractions/base>
6 #include <abstractions/audio>
7 #include <abstractions/dbus-session>
8+ #include <abstractions/dbus-strict>
9 #include <abstractions/nameservice>
10 #include <abstractions/X>
11
12+ dbus send
13+ bus=system
14+ path=/org/freedesktop/RealtimeKit1
15+ interface=org.freedesktop.RealtimeKit1
16+ member={MakeThreadRealtime,MakeThreadHighPriority}
17+ peer=(name=org.freedesktop.RealtimeKit1),
18+
19+ unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
20+ ptrace (read,trace) peer=@{profile_name},
21+
22 /usr/bin/pulseaudio mixr,
23
24 /dev/null rw,
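Review bot: `ptrace (read,trace) peer=@{profile_name},` on diff line 20 grants `trace` in addition to `read`, with no comment saying what needs it. If the only consumer is the reads of `@{PROC}/.../fd/`, `maps` and `stat` later in the profile, `ptrace (read) peer=@{profile_name},` may be sufficient; otherwise add a one-line comment naming the caller. The new `dbus send` and `unix` rules are scoped to a fixed path, interface, member list and peer, but each would also benefit from a short comment, in the way the `# logind` block is labelled.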
25@@ -19,22 +30,25 @@
26 /etc/udev/udev.conf r,
27 /etc/timidity/.pulse_cookie w,
28
29- @{HOME}/.esd_auth rwk,
30- @{HOME}/.pulse-cookie rwk,
31- @{HOME}/.config/pulse/cookie rwk,
32- @{HOME}/{.config/pulse,.pulse}/ rw,
33- @{HOME}/{.config/pulse,.pulse}/* rw,
34+ owner @{HOME}/.esd_auth rwk,
35+ owner @{HOME}/.pulse-cookie rwk,
36+ owner @{HOME}/.config/pulse/cookie rwk,
37+ owner @{HOME}/{.config/pulse,.pulse}/ rw,
38+ owner @{HOME}/{.config/pulse,.pulse}/* rw,
39
40- /run/pulse/ rw,
41- /run/pulse/.pulse-cookie rwk,
42- /run/pulse/dbus-socket rwk,
43- /run/pulse/native rwk,
44- /run/pulse/pid rwk,
45+ owner /run/pulse/ rw,
46+ owner /run/pulse/.pulse-cookie rwk,
47+ owner /run/pulse/dbus-socket rwk,
48+ owner /run/pulse/native rwk,
49+ owner /run/pulse/pid rwk,
50+ owner /run/user/[0-9]*/pulse/ rw,
51+ owner /run/user/[0-9]*/pulse/* rwk,
52 /run/udev/data/+sound:card* r,
53+ /run/udev/data/c116:[0-9]* r,
54
55 # logind
56- /run/systemd/users/* r,
57- /run/user/*/dconf/user k,
58+ /run/systemd/users/[0-9]* r,
59+ /run/user/[0-9]*/dconf/user k,
60
61 /sys/bus/ r,
62 /sys/class/ r,
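Review bot: the `owner /run/pulse/...` rules on diff lines 45-49 carry no comment saying which deployment they serve, and the review thread had to ask. A comment above them stating the mode in which `/run/pulse/` exists would settle that in the profile itself. The same goes for `/run/udev/data/c116:[0-9]* r,`, where the device major 116 is unexplained. Note also that `[0-9]*` in `/run/user/[0-9]*/pulse/` and in the logind rules matches one digit followed by any run of non-slash characters, so it is tighter than the old `*` but not strictly a numeric UID.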
63@@ -46,7 +60,7 @@
64 /sys/devices/virtual/dmi/id/bios_vendor r,
65 /sys/devices/virtual/dmi/id/board_vendor r,
66 /sys/devices/virtual/dmi/id/sys_vendor r,
67- /sys/devices/**/sound/card[0-9]*/uevent r,
68+ /sys/devices/virtual/sound/**/uevent r,
69
70 /usr/share/alsa/** r,
71 /usr/share/applications/ r,
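Review bot: replacing `/sys/devices/**/sound/card[0-9]*/uevent r,` with `/sys/devices/virtual/sound/**/uevent r,` on diff lines 67-68 is not a pure narrowing. The old rule matched a `sound/card*` node under any device path, the new one only matches under `/sys/devices/virtual/sound/`. Unless a rule outside this hunk covers cards under other bus paths, reads of their `uevent` files will now be denied; either keep the old rule alongside the new one or state in the commit message that those reads are no longer needed.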
72@@ -61,10 +75,9 @@
73
74 owner /var/lib/lightdm/.Xauthority r,
75 owner /var/lib/lightdm/.esd_auth rwk,
76- owner /var/lib/lightdm/.pulse-cookie rwk,
77- owner /var/lib/lightdm/.pulse/ rw,
78- owner /var/lib/lightdm/.pulse/* w,
79- owner /var/lib/lightdm/.pulse/* r,
80+ owner /var/lib/lightdm/.config/pulse/cookie rwk,
81+ owner /var/lib/lightdm/.config/pulse/ rw,
82+ owner /var/lib/lightdm/.config/pulse/* rw,
83
84 # are these needed?
85 /var/lib/pulse/ rw,
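Review bot: diff lines 76-79 drop the legacy `/var/lib/lightdm/.pulse-cookie` and `/var/lib/lightdm/.pulse/` paths outright, while the `@{HOME}` rules earlier in this patch keep both layouts through `{.config/pulse,.pulse}` and `.pulse-cookie`. If the asymmetry is intended, a comment saying the lightdm user only uses `.config/pulse` would record why; otherwise use the same alternation here so a process still using the old paths is not denied after the profile is replaced.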
86@@ -72,9 +85,9 @@
87 /var/lib/pulse/*-default-source rw,
88 /var/lib/pulse/*.tdb rw,
89
90- @{PROC}/[0-9]*/fd/ r,
91- @{PROC}/[0-9]*/maps r,
92- @{PROC}/[0-9]*/stat r,
93+ owner @{PROC}/@{pid}/fd/ r,
94+ owner @{PROC}/@{pid}/maps r,
95+ owner @{PROC}/@{pid}/stat r,
96
97 owner /tmp/pulse-*/pid rwk,
98 owner /tmp/pulse-*/native rwk,
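Review bot: adding `owner` to the `@{PROC}/@{pid}/fd/`, `maps` and `stat` rules on diff lines 93-95 changes behaviour beyond tightening the glob: before, these files were readable for any process, now only for processes running as the same user. That fits a per-user daemon, but the profile also keeps the `/run/pulse/` rules; if pulseaudio in that setup reads these files for processes of other users, the reads will be denied. Worth a test in that mode, or a comment stating that only same-user processes are inspected.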
99@@ -83,11 +96,10 @@
100 owner /tmp/orcexec.* mrw,
101 owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
102 # needed if /tmp is mounted noexec:
103- owner @{HOME}/orcexec.* mr,
104+ owner @{HOME}/orcexec.* mrw,
105
106- # replace with @{pid}
107- owner /tmp/.esd-[0-9]*/ rw,
108- owner /tmp/.esd-[0-9]*/socket rw,
109+ owner /tmp/.esd-@{pid}*/ rw,
110+ owner /tmp/.esd-@{pid}*/socket rw,
111
112 profile /usr/lib/pulseaudio/pulse/gconf-helper {
113 #include <abstractions/base>
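Review bot: `owner /tmp/.esd-@{pid}*/ rw,` and the matching `socket` rule on diff lines 109-110 keep a trailing `*` after `@{pid}`, so they still match any suffix after the number, while the removed `# replace with @{pid}` comment suggests an exact match was the goal. Drop the `*` if the directory name ends with the number. Separately, `owner @{HOME}/orcexec.* mrw,` on diff line 104 now allows files in the home directory that are both writable and mappable as executable; it mirrors the `/tmp/orcexec.*` rule, and the existing `noexec` comment could say that write is needed because the file is created there.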
