snapweb

Merge lp:~sergiusens/snapweb/policies into lp:~snappy-dev/snapweb/trunk

policies
Merge into trunk

Proposed by Sergio Schvezov on 2015-05-08

Status:	Merged
Approved by:	John Lenton on 2015-05-08
Approved revision:	140
Merged at revision:	140
Proposed branch:	lp:~sergiusens/snapweb/policies
Merge into:	lp:~snappy-dev/snapweb/trunk
Diff against target:	24 lines (+5/-0) 1 file modified pkg/meta/snappyd.profile (+5/-0)
To merge this branch:	bzr merge lp:~sergiusens/snapweb/policies
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
John Lenton		2015-05-08	Approve on 2015-05-08
Review via email: mp+258686@code.launchpad.net

Commit Message

Allow installing frameworks with policies

Description of the Change

Prevent these:
[ 234.484756] audit: type=1400 audit(1431115470.687:10): apparmor="DENIED" operation="symlink" profile="webdm_snappyd_0.6.1" name="/var/lib/apparmor/snappy/profiles/hello-dbus-fwk_srv_1.0.0" pid=737 comm="snappyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
[ 234.487234] audit: type=1400 audit(1431115470.687:11): apparmor="DENIED" operation="exec" profile="webdm_snappyd_0.6.1" name="/usr/bin/aa-profile-hook" pid=1146 comm="sh" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[ 706.448581] audit: type=1400 audit(1431115942.648:16): apparmor="DENIED" operation="mknod" profile="webdm_snappyd_0.6.1" name="/etc/dbus-1/system.d/hello-dbus-fwk_srv_1.0.0.conf" pid=1355 comm="snappyd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

John Lenton (chipaca) on 2015-05-08:

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Sergio Schvezov

Snappy Developers

1	=== modified file 'pkg/meta/snappyd.profile'
2	--- pkg/meta/snappyd.profile 2015-05-01 15:37:50 +0000
3	+++ pkg/meta/snappyd.profile 2015-05-08 20:16:08 +0000
4	@@ -75,8 +75,11 @@
5	/usr/bin/debsig-verify Uxr,
6	/usr/bin/sc-filtergen Uxr,
7	/usr/bin/aa-clickhook Uxr,
8	+ /usr/bin/aa-profile-hook Uxr,
9
10	# snappy requirements for services
11	+ /etc/dbus-1/system.d/ r,
12	+ /etc/dbus-1/system.d/** rwl,
13	/etc/mime.types r,
14	/usr/share/click/hooks/ r,
15	/usr/share/click/hooks/** r,
16	@@ -84,6 +87,8 @@
17	/etc/systemd/system/** rwl,
18	/var/lib/apparmor/clicks/ r,
19	/var/lib/apparmor/clicks/** rwl,
20	+ /var/lib/apparmor/snappy/ r,
21	+ /var/lib/apparmor/snappy/** rwl,
22	/bin/systemctl Uxr,
23
24	capability net_admin,