apparmor-easyprof-ubuntu

Merge lp:~tyhicks/apparmor-easyprof-ubuntu/lp1260103 into lp:apparmor-easyprof-ubuntu

  1. lp1260103
  2. Merge into trunk
Proposed by Tyler Hicks
Status: Merged
Approved by: Jamie Strandboge
Approved revision: 50
Merged at revision: 53
Proposed branch: lp:~tyhicks/apparmor-easyprof-ubuntu/lp1260103
Merge into: lp:apparmor-easyprof-ubuntu
Diff against target: 81 lines (+29/-4) (has conflicts)
2 files modified
data/policygroups/ubuntu/1.1/webview (+18/-4)
debian/changelog (+11/-0)
Text conflict in debian/changelog
To merge this branch: bzr merge lp:~tyhicks/apparmor-easyprof-ubuntu/lp1260103
Reviewer Review Type Date Requested Status
Olivier Tilloy (community) Approve
Tyler Hicks (community) Abstain
Jamie Strandboge Pending
Review via email: mp+303592@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Tyler Hicks (tyhicks) wrote :

I haven't had a chance to test this yet but it the changes are consistent with the paths constructed by https://git.launchpad.net/oxide/commit/?id=9bbf87e80b49e6abcc9419f142655a4ce2fc0638. I'll be sure to test before actually merging into lp:apparmor-easyprof-ubuntu.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Although I haven’t actually tested, that looks mostly good to me, and is consistent with the changeset in oxide.

Note that this change was introduced in the 1.17 branch of oxide, so you don’t want to make the change effective in apparmor-easyprof-ubuntu until oxide 1.17 is released (or the old rule should be kept temporarily until 1.17 is released).

Note that /dev/shm/@{APP_PKGNAME}.oxide is a directory under which oxide will write files. I’m no apparmor expert, but shouldn’t the rule end with a '/' to reflect that?

Revision history for this message
Tyler Hicks (tyhicks) wrote :

You're correct on both points. I shouldn't remove the old rules yet and I need to grant access to the directory contents. I'll adjust this merge request later today.

review: Needs Fixing
Revision history for this message
Tyler Hicks (tyhicks) :
review: Abstain
Revision history for this message
Tyler Hicks (tyhicks) wrote :

@osomon can you have another look? Thanks!

Revision history for this message
Olivier Tilloy (osomon) wrote :

That looks good to me.

I’ve tried to test the change by rebuilding the package and installing oxide 1.17 from https://launchpad.net/~oxide-builds/+archive/ubuntu/oxide-next-for-stable-phone-overlay/ on a phone, only to realize that APP_PKGNAME is not an environment variable that is being set anywhere.
According to https://developer.ubuntu.com/en/phone/platform/guides/app-confinement/, its value can be inferred like so:

  APP_PKGNAME = APP_ID.split('_')[0]

review: Approve
lp:~tyhicks/apparmor-easyprof-ubuntu/lp1260103 updated
50. By Tyler Hicks

ubuntu/webview: update to allow access to the new app-specific shared
memory files that will be used by Oxide 1.17.5, 1.18, and newer
(LP: #1260103)

Revision history for this message
Tyler Hicks (tyhicks) wrote :

A small update to mention the exact Oxide version numbers (1.17.5 and 1.18) that should contain the shm changes

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'data/policygroups/ubuntu/1.1/webview'
2--- data/policygroups/ubuntu/1.1/webview 2016-08-23 08:26:53 +0000
3+++ data/policygroups/ubuntu/1.1/webview 2016-08-25 17:04:28 +0000
4@@ -18,8 +18,8 @@
5 # chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
6 # as standalone profiles and we would just Px/px to them, but this is not
7 # practical because oxide-renderer needs to access app-specific files
8- # and shm files (when 1260103 is fixed). For now, have a single helper
9- # profile for chrome-sandbox and oxide-renderer.
10+ # and shm files. For now, have a single helper profile for chrome-sandbox and
11+ # oxide-renderer.
12 /usr/lib/@{multiarch}/oxide-qt/oxide-renderer Cxmr -> oxide_helper,
13 /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox cxmr -> oxide_helper,
14
15@@ -74,15 +74,22 @@
16 /var/tmp/ r,
17
18 # LP: #1260103
19+ # old oxide shm file which is not app-specific
20+ #
21+ # TODO: Remove rule once we're only using oxide 1.17.5, 1.18, or newer
22 owner /{dev,run}/shm/.org.chromium.Chromium.* rwk,
23
24+ # app-specific oxide shm file, as used in oxide 1.17.5, 1.18, and newer
25+ owner /{dev,run}/shm/@{APP_PKGNAME}.oxide/ rw,
26+ owner /{dev,run}/shm/@{APP_PKGNAME}.oxide/** rwk,
27+
28 # LP: #1260090 - when this bug is fixed, oxide_renderer can become a
29 # child profile of this profile, then we can use Cx here and Px in
30 # chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
31 # as standalone profiles and we would just Px/px to them, but this is not
32 # practical because oxide-renderer needs to access app-specific files
33- # and shm files (when 1260103 is fixed). For now, have a single helper
34- # profile for chrome-sandbox and oxide-renderer.
35+ # and shm files. For now, have a single helper profile for chrome-sandbox and
36+ # oxide-renderer.
37 profile oxide_helper (attach_disconnected) {
38 #
39 # Shared by chrome-sandbox and oxide-helper
40@@ -156,8 +163,15 @@
41 owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwkl,
42
43 # LP: #1260103
44+ # old oxide shm file which is not app-specific
45+ #
46+ # TODO: Remove rule once we're only using oxide 1.17.5, 1.18, or newer
47 /{dev,run}/shm/.org.chromium.Chromium.* rwk,
48
49+ # app-specific oxide shm file, as used in oxide 1.17.5, 1.18, and newer
50+ /{dev,run}/shm/@{APP_PKGNAME}.oxide/ rw,
51+ /{dev,run}/shm/@{APP_PKGNAME}.oxide/** rwk,
52+
53 # LP: #1260048
54 owner @{HOME}/.pki/nssdb/ rw,
55 owner @{HOME}/.pki/nssdb/** rwk,
56
57=== modified file 'debian/changelog'
58--- debian/changelog 2016-08-25 13:24:01 +0000
59+++ debian/changelog 2016-08-25 17:04:28 +0000
60@@ -1,3 +1,4 @@
61+<<<<<<< TREE
62 apparmor-easyprof-ubuntu (16.10.2) UNRELEASED; urgency=medium
63
64 [ You-Sheng Yang ]
65@@ -5,6 +6,16 @@
66
67 -- Jamie Strandboge <jamie@ubuntu.com> Thu, 25 Aug 2016 08:23:06 -0500
68
69+=======
70+apparmor-easyprof-ubuntu (16.10.2) UNRELEASED; urgency=medium
71+
72+ * ubuntu/webview: update to allow access to the new app-specific shared
73+ memory files that will be used by Oxide 1.17.5, 1.18, and newer
74+ (LP: #1260103)
75+
76+ -- Tyler Hicks <tyhicks@canonical.com> Thu, 25 Aug 2016 12:03:15 -0500
77+
78+>>>>>>> MERGE-SOURCE
79 apparmor-easyprof-ubuntu (16.10.1) yakkety; urgency=medium
80
81 * add 16.10 policy

Subscribers

People subscribed via source and target branches