Merge lp:~ted/apparmor-easyprof-ubuntu/vivid-ual-mir-helper into lp:~ubuntu-security/apparmor-easyprof-ubuntu/1.3-stable-phone-overlay

Proposed by Ted Gould
Status: Merged
Merged at revision: 37
Proposed branch: lp:~ted/apparmor-easyprof-ubuntu/vivid-ual-mir-helper
Merge into: lp:~ubuntu-security/apparmor-easyprof-ubuntu/1.3-stable-phone-overlay
Diff against target: 86 lines (+54/-0)
3 files modified
data/templates/ubuntu/1.0/ubuntu-sdk (+18/-0)
data/templates/ubuntu/1.1/ubuntu-sdk (+18/-0)
data/templates/ubuntu/1.3/ubuntu-sdk (+18/-0)
To merge this branch: bzr merge lp:~ted/apparmor-easyprof-ubuntu/vivid-ual-mir-helper
Reviewer: Jamie Strandboge (review status: Pending)
Review via email: mp+303602@code.launchpad.net

This proposal supersedes a proposal from 2016-08-22.

Commit message

Backport UAL Mir socket helper stanzas

Preview Diff

1=== modified file 'data/templates/ubuntu/1.0/ubuntu-sdk'
2--- data/templates/ubuntu/1.0/ubuntu-sdk 2016-06-21 11:00:20 +0000
3+++ data/templates/ubuntu/1.0/ubuntu-sdk 2016-08-22 17:04:21 +0000
4@@ -188,6 +188,24 @@
5 member="Open"
6 peer=(label=unconfined),
7
8+ # Untrusted Helpers are 3rd party apps that run in a different confinement
9+ # context and are in a separate Mir session from the calling app (eg, an
10+ # app that uses a content provider from another app). These helpers use
11+ # Trusted Prompt Sessions to overlay their window over the calling app and
12+ # need to get the Mir socket that was setup by the associated trusted helper
13+ # (eg, content-hub). Typical consumers are content-hub providers,
14+ # pay-service, url-dispatcher and possibly online-accounts.
15+ # LP: #1462492 - this rule is suboptimal and should not be needed once we
16+ # move to socket activation or FD passing
17+ dbus (receive, send)
18+ path=/com/canonical/UbuntuAppLaunch/@{APP_ID_DBUS}/*
19+ interface="com.canonical.UbuntuAppLaunch.SocketDemangler"
20+ member="GetMirSocket"
21+ bus=session
22+ peer=(label=unconfined),
23+ # Allow access to the socket-demangler (needed for the above)
24+ /usr/lib/@{multiarch}/ubuntu-app-launch/socket-demangler rmix,
25+
26 # TODO: finetune this
27 dbus (send)
28 bus=session
29
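Review bot: The new rule grants `dbus (receive, send)` on `member="GetMirSocket"`, but the comment above it only describes the helper fetching the Mir socket from the trusted side, which is an outgoing call. If nothing confined by this template ever has to answer `GetMirSocket`, `dbus (send)` alone should cover it; otherwise please state in the comment which side receives the call and why, since the peer is `label=unconfined`.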
30=== modified file 'data/templates/ubuntu/1.1/ubuntu-sdk'
31--- data/templates/ubuntu/1.1/ubuntu-sdk 2016-06-21 11:00:20 +0000
32+++ data/templates/ubuntu/1.1/ubuntu-sdk 2016-08-22 17:04:21 +0000
33@@ -183,6 +183,24 @@
34 path=/com/canonical/unity/launcher/@{APP_ID_DBUS}
35 peer=(label=unconfined),
36
37+ # Untrusted Helpers are 3rd party apps that run in a different confinement
38+ # context and are in a separate Mir session from the calling app (eg, an
39+ # app that uses a content provider from another app). These helpers use
40+ # Trusted Prompt Sessions to overlay their window over the calling app and
41+ # need to get the Mir socket that was setup by the associated trusted helper
42+ # (eg, content-hub). Typical consumers are content-hub providers,
43+ # pay-service, url-dispatcher and possibly online-accounts.
44+ # LP: #1462492 - this rule is suboptimal and should not be needed once we
45+ # move to socket activation or FD passing
46+ dbus (receive, send)
47+ path=/com/canonical/UbuntuAppLaunch/@{APP_ID_DBUS}/*
48+ interface="com.canonical.UbuntuAppLaunch.SocketDemangler"
49+ member="GetMirSocket"
50+ bus=session
51+ peer=(label=unconfined),
52+ # Allow access to the socket-demangler (needed for the above)
53+ /usr/lib/@{multiarch}/ubuntu-app-launch/socket-demangler rmix,
54+
55 # TODO: finetune this
56 dbus (send)
57 bus=session
58
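Review bot: `path=/com/canonical/UbuntuAppLaunch/@{APP_ID_DBUS}/*` ends in a wildcard whose meaning the comment block never states. Please document what the last path component is, and whether a narrower pattern would do, so a later reader can confirm the rule stays scoped to this app's own objects. Since the comment marks the rule as temporary under LP: #1462492, a `# TODO:` prefix like the one on the stanza below would make it easier to find when it can be dropped.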
59=== modified file 'data/templates/ubuntu/1.3/ubuntu-sdk'
60--- data/templates/ubuntu/1.3/ubuntu-sdk 2016-06-21 11:00:20 +0000
61+++ data/templates/ubuntu/1.3/ubuntu-sdk 2016-08-22 17:04:21 +0000
62@@ -183,6 +183,24 @@
63 path=/com/canonical/unity/launcher/@{APP_ID_DBUS}
64 peer=(label=unconfined),
65
66+ # Untrusted Helpers are 3rd party apps that run in a different confinement
67+ # context and are in a separate Mir session from the calling app (eg, an
68+ # app that uses a content provider from another app). These helpers use
69+ # Trusted Prompt Sessions to overlay their window over the calling app and
70+ # need to get the Mir socket that was setup by the associated trusted helper
71+ # (eg, content-hub). Typical consumers are content-hub providers,
72+ # pay-service, url-dispatcher and possibly online-accounts.
73+ # LP: #1462492 - this rule is suboptimal and should not be needed once we
74+ # move to socket activation or FD passing
75+ dbus (receive, send)
76+ path=/com/canonical/UbuntuAppLaunch/@{APP_ID_DBUS}/*
77+ interface="com.canonical.UbuntuAppLaunch.SocketDemangler"
78+ member="GetMirSocket"
79+ bus=session
80+ peer=(label=unconfined),
81+ # Allow access to the socket-demangler (needed for the above)
82+ /usr/lib/@{multiarch}/ubuntu-app-launch/socket-demangler rmix,
83+
84 # TODO: finetune this
85 dbus (send)
86 bus=session
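Review bot: On the `socket-demangler rmix,` line, `ix` makes the helper run under the calling app's own profile rather than one of its own, yet the comment says only "needed for the above". Please note why inherit-execute is the intended mode for this binary. The same 18-line stanza is now carried in the 1.0, 1.1 and 1.3 templates, so the eventual removal under LP: #1462492 has to touch all three; saying so in the comment would help.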
