apparmor-easyprof-ubuntu

Merge lp:~tyhicks/apparmor-easyprof-ubuntu/lp1260103 into lp:apparmor-easyprof-ubuntu

  1. lp1260103
  2. Merge into trunk
Proposed by Tyler Hicks
Status: Merged
Approved by: Jamie Strandboge
Approved revision: 50
Merged at revision: 53
Proposed branch: lp:~tyhicks/apparmor-easyprof-ubuntu/lp1260103
Merge into: lp:apparmor-easyprof-ubuntu
Diff against target: 81 lines (+29/-4) (has conflicts)
2 files modified
data/policygroups/ubuntu/1.1/webview (+18/-4)
debian/changelog (+11/-0)
Text conflict in debian/changelog
To merge this branch: bzr merge lp:~tyhicks/apparmor-easyprof-ubuntu/lp1260103
Reviewer Review Type Date Requested Status
Olivier Tilloy (community) Approve
Tyler Hicks (community) Abstain
Jamie Strandboge Pending
Review via email: mp+303592@code.launchpad.net
To post a comment you must log in.
Revision history for this message
Tyler Hicks (tyhicks) wrote :

I haven't had a chance to test this yet but it the changes are consistent with the paths constructed by https://git.launchpad.net/oxide/commit/?id=9bbf87e80b49e6abcc9419f142655a4ce2fc0638. I'll be sure to test before actually merging into lp:apparmor-easyprof-ubuntu.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Although I haven’t actually tested, that looks mostly good to me, and is consistent with the changeset in oxide.

Note that this change was introduced in the 1.17 branch of oxide, so you don’t want to make the change effective in apparmor-easyprof-ubuntu until oxide 1.17 is released (or the old rule should be kept temporarily until 1.17 is released).

Note that /dev/shm/@{APP_PKGNAME}.oxide is a directory under which oxide will write files. I’m no apparmor expert, but shouldn’t the rule end with a '/' to reflect that?

Revision history for this message
Tyler Hicks (tyhicks) wrote :

You're correct on both points. I shouldn't remove the old rules yet and I need to grant access to the directory contents. I'll adjust this merge request later today.

review: Needs Fixing
Revision history for this message
Tyler Hicks (tyhicks) :
review: Abstain
Revision history for this message
Tyler Hicks (tyhicks) wrote :

@osomon can you have another look? Thanks!

Revision history for this message
Olivier Tilloy (osomon) wrote :

That looks good to me.

I’ve tried to test the change by rebuilding the package and installing oxide 1.17 from https://launchpad.net/~oxide-builds/+archive/ubuntu/oxide-next-for-stable-phone-overlay/ on a phone, only to realize that APP_PKGNAME is not an environment variable that is being set anywhere.
According to https://developer.ubuntu.com/en/phone/platform/guides/app-confinement/, its value can be inferred like so:

  APP_PKGNAME = APP_ID.split('_')[0]

review: Approve
lp:~tyhicks/apparmor-easyprof-ubuntu/lp1260103 updated
50. By Tyler Hicks

ubuntu/webview: update to allow access to the new app-specific shared
memory files that will be used by Oxide 1.17.5, 1.18, and newer
(LP: #1260103)

Revision history for this message
Tyler Hicks (tyhicks) wrote :

A small update to mention the exact Oxide version numbers (1.17.5 and 1.18) that should contain the shm changes

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== modified file 'data/policygroups/ubuntu/1.1/webview'
--- data/policygroups/ubuntu/1.1/webview 2016-08-23 08:26:53 +0000
+++ data/policygroups/ubuntu/1.1/webview 2016-08-25 17:04:28 +0000
@@ -18,8 +18,8 @@
18 # chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship18 # chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
19 # as standalone profiles and we would just Px/px to them, but this is not19 # as standalone profiles and we would just Px/px to them, but this is not
20 # practical because oxide-renderer needs to access app-specific files20 # practical because oxide-renderer needs to access app-specific files
21 # and shm files (when 1260103 is fixed). For now, have a single helper21 # and shm files. For now, have a single helper profile for chrome-sandbox and
22 # profile for chrome-sandbox and oxide-renderer.22 # oxide-renderer.
23 /usr/lib/@{multiarch}/oxide-qt/oxide-renderer Cxmr -> oxide_helper,23 /usr/lib/@{multiarch}/oxide-qt/oxide-renderer Cxmr -> oxide_helper,
24 /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox cxmr -> oxide_helper,24 /usr/lib/@{multiarch}/oxide-qt/chrome-sandbox cxmr -> oxide_helper,
2525
@@ -74,15 +74,22 @@
74 /var/tmp/ r,74 /var/tmp/ r,
7575
76 # LP: #126010376 # LP: #1260103
77 # old oxide shm file which is not app-specific
78 #
79 # TODO: Remove rule once we're only using oxide 1.17.5, 1.18, or newer
77 owner /{dev,run}/shm/.org.chromium.Chromium.* rwk,80 owner /{dev,run}/shm/.org.chromium.Chromium.* rwk,
7881
82 # app-specific oxide shm file, as used in oxide 1.17.5, 1.18, and newer
83 owner /{dev,run}/shm/@{APP_PKGNAME}.oxide/ rw,
84 owner /{dev,run}/shm/@{APP_PKGNAME}.oxide/** rwk,
85
79 # LP: #1260090 - when this bug is fixed, oxide_renderer can become a86 # LP: #1260090 - when this bug is fixed, oxide_renderer can become a
80 # child profile of this profile, then we can use Cx here and Px in87 # child profile of this profile, then we can use Cx here and Px in
81 # chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship88 # chrome_sandbox. Ideally, chrome-sandbox and oxide-renderer would ship
82 # as standalone profiles and we would just Px/px to them, but this is not89 # as standalone profiles and we would just Px/px to them, but this is not
83 # practical because oxide-renderer needs to access app-specific files90 # practical because oxide-renderer needs to access app-specific files
84 # and shm files (when 1260103 is fixed). For now, have a single helper91 # and shm files. For now, have a single helper profile for chrome-sandbox and
85 # profile for chrome-sandbox and oxide-renderer.92 # oxide-renderer.
86 profile oxide_helper (attach_disconnected) {93 profile oxide_helper (attach_disconnected) {
87 #94 #
88 # Shared by chrome-sandbox and oxide-helper95 # Shared by chrome-sandbox and oxide-helper
@@ -156,8 +163,15 @@
156 owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwkl,163 owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwkl,
157164
158 # LP: #1260103165 # LP: #1260103
166 # old oxide shm file which is not app-specific
167 #
168 # TODO: Remove rule once we're only using oxide 1.17.5, 1.18, or newer
159 /{dev,run}/shm/.org.chromium.Chromium.* rwk,169 /{dev,run}/shm/.org.chromium.Chromium.* rwk,
160170
171 # app-specific oxide shm file, as used in oxide 1.17.5, 1.18, and newer
172 /{dev,run}/shm/@{APP_PKGNAME}.oxide/ rw,
173 /{dev,run}/shm/@{APP_PKGNAME}.oxide/** rwk,
174
161 # LP: #1260048175 # LP: #1260048
162 owner @{HOME}/.pki/nssdb/ rw,176 owner @{HOME}/.pki/nssdb/ rw,
163 owner @{HOME}/.pki/nssdb/** rwk,177 owner @{HOME}/.pki/nssdb/** rwk,
164178
=== modified file 'debian/changelog'
--- debian/changelog 2016-08-25 13:24:01 +0000
+++ debian/changelog 2016-08-25 17:04:28 +0000
@@ -1,3 +1,4 @@
1<<<<<<< TREE
1apparmor-easyprof-ubuntu (16.10.2) UNRELEASED; urgency=medium2apparmor-easyprof-ubuntu (16.10.2) UNRELEASED; urgency=medium
23
3 [ You-Sheng Yang ]4 [ You-Sheng Yang ]
@@ -5,6 +6,16 @@
56
6 -- Jamie Strandboge <jamie@ubuntu.com> Thu, 25 Aug 2016 08:23:06 -05007 -- Jamie Strandboge <jamie@ubuntu.com> Thu, 25 Aug 2016 08:23:06 -0500
78
9=======
10apparmor-easyprof-ubuntu (16.10.2) UNRELEASED; urgency=medium
11
12 * ubuntu/webview: update to allow access to the new app-specific shared
13 memory files that will be used by Oxide 1.17.5, 1.18, and newer
14 (LP: #1260103)
15
16 -- Tyler Hicks <tyhicks@canonical.com> Thu, 25 Aug 2016 12:03:15 -0500
17
18>>>>>>> MERGE-SOURCE
8apparmor-easyprof-ubuntu (16.10.1) yakkety; urgency=medium19apparmor-easyprof-ubuntu (16.10.1) yakkety; urgency=medium
920
10 * add 16.10 policy21 * add 16.10 policy

Subscribers

People subscribed via source and target branches