ubuntu/+source/apparmor-easyprof-ubuntu:ubuntu/saucy-devel

Last commit made on 2013-10-15
Get this branch:
git clone -b ubuntu/saucy-devel https://git.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu

Branch information

Name:
ubuntu/saucy-devel
Repository:
lp:ubuntu/+source/apparmor-easyprof-ubuntu

Recent commits

74710e9... by Jamie Strandboge on 2013-10-15

Import patches-unapplied version 1.0.40 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: 761d791a3e42773d87e9132fe55436b39360ac4b

New changelog entries:
  * unconfined template: updates for terminal app
    - due to AF_UNIX use attach_disconnected
    - allow mount, remount and umount

761d791... by Jamie Strandboge on 2013-10-14

Import patches-unapplied version 1.0.39 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: 8ea0c96d2a1024c85cc3aeaca1cf72b2ed0698d4

New changelog entries:
  * friends: add dbus receive to interface=com.canonical.Dee.Peer
  * ubuntu-* templates:
    - add 'r' for ~/.config/user-dirs.dirs
    - remove temporary vs-thumb /usr/share access now that it is fixed
      (LP: #1235325)
  * calendar: also allow CalendarView (LP: #1239073)

8ea0c96... by Jamie Strandboge on 2013-10-09

Import patches-unapplied version 1.0.38 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: 9fd8e64c37e9782a5e52901820b5499b5220d353

New changelog entries:
  * ubuntu-* templates: move /run/shm/hybris_shm_data access out of the
    camera policy group into the templates since a recent hybris change
    requires this in all apps (LP: #1237539)

9fd8e64... by Jamie Strandboge on 2013-10-09

Import patches-unapplied version 1.0.37 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: 73bee1ff7f056da8da1c26916db267c96746e45c

New changelog entries:
  * hardware/graphics.d/apparmor-easyprof-ubuntu_grouper: allow 'rw' to
    /dev/knvmap (LP: #1237436)

73bee1f... by Jamie Strandboge on 2013-10-08

Import patches-unapplied version 1.0.36 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: ffd87f17cb07281cf91b5080da44b498c1be9c16

New changelog entries:
  * ubuntu-* templates:
    - due to AF_UNIX use attach_disconnected and allow rw on
      /dev/socket/property_service (LP: #1208988)
    - add temporary workaround to use /tmp/mir_socket (LP: 1236912)

ffd87f1... by Jamie Strandboge on 2013-10-07

Import patches-unapplied version 1.0.35 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: be5df0993069a2567eaca3b89cad5a5fda9cccb3

New changelog entries:
  * apparmor-easyprof-ubuntu.install: install data/hardware/*, thus allowing
    porters, OEMs, etc to ship their own policy without having to modify this
    package (LP: #1197133)
  * add data/hardware/graphics.d/* and data/hardware/audio.d/*, namespaced to
    this package. We will move these out to lxc-android-config later
  * tests/test-data.py: adjust to test data/hardware/*
  * accounts: move to reserved status until LP: 1230091 is fixed
  * calendar: remove workaround rule for gio DBus path (LP: #1227295)
  * add usermetrics policy group so apps can update the infographic
  * ubuntu-* templates:
    - allow StartServiceByName on the system bus too. This is needed by the
      new usermetrics policy group and we will presumably have more going
      forward (eg location)
    - account for /org/freedesktop/dbus object path. This seems to be used by
      the python DBus bindings (eg, friends)
    - move hardware specific accesses out of the templates into
      hardware/graphics.d/ in preparation of the move to shipping these in
      lxc-android-config (note, this doesn't change apparmor policy in any
      way)
    - add 'r' to dbus system bus socket (LP: #1208988)
    - add ixr access to thumbnailer helper (LP: #1234543)
    - finetune HUD access
    - don't use ibus abstraction but instead use 'r' access for
      owner @{HOME}/.config/ibus/**
    - don't use freedesktop.org abstraction but instead add read accesses
      for /usr/share/icons and various mime files
    - updates for new gstreamer
      - move in gstreamer accesses from audio policy group due to hybris
  * ubuntu-sdk template:
    - remove workaround paths now that ubuntu-ui-toolkit is using
      QCoreApplication::applicationName based on MainView's applicationName
      (LP: #1197056, #1197051, #1224126, LP: #1231863)
  * ubuntu-webapp template:
    - allow read access to /usr/share/unity-webapps/userscripts/**
    - allow rix to gst-plugin-scanner
  * add reserved friends policy group (reserved because it needs integration
    with trust-store to be used by untrusted apps)
  * remove peer from receive DBus rules in the ubuntu-* templates and the
    contacts, history, and location policy groups (LP: #1233895)
  * audio:
    - move gstreamer stuff out to templates since hybris pulls it in for all
      apps
    - include hardware/audio.d for hardware specific accesses

be5df09... by Jamie Strandboge on 2013-09-24

Import patches-unapplied version 1.0.34 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: 7933aa7a0f88f6ebc5981e6759a4a0341d6bd04f

New changelog entries:
  * ubuntu-* templates: allow read access to themes in /custom (LP: #1229471)

7933aa7... by Jamie Strandboge on 2013-09-20

Import patches-unapplied version 1.0.33 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: ea692a20f655403b43f78bea0bd14df1ef91d9c9

New changelog entries:
  * ubuntu-webapp: allow reexec for webbrowser-app to handle webapps launched
    via upstart-app-launch (LP: #1228236)

ea692a2... by Jamie Strandboge on 2013-09-18

Import patches-unapplied version 1.0.32 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: 1c00942c74b085c67772d6adb011ff8bfb54ef07

New changelog entries:
  * accounts:
    - needs lock ('k') access to .config/libaccounts-glib/accounts.db and read
      access to .config/libaccounts-glib/accounts.db*.
    - read access to /usr/share/accounts/**
    - deny write to .config/libaccounts-glib/accounts.db* (LP: #1220552)
  * refine audio policy group:
    - remove /tmp/ accesses now that TMPDIR is set by the sandbox
    - allow access to only the native socket (ie, disallow dbus-socket (only
      needed by pacmd), access to pid and the cli debugging socket)
      (LP: #1211380)
    - remove 'w' access to /{,var/}run/user/*/pulse/ - this should already
      exist when click apps run
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - silence the denial for creating ~/.gstreamer-0.10/ if it doesn't exist
  * camera:
    - add rw for /dev/ashmem. This will go away when camera moves to HAL
    - rw /run/shm/hybris_shm_data
    - add read on /android/system/media/audio/ui/camera_click.ogg
  * connectivity:
    - add policy as used by QML's QtSystemInfo and also Qt's QHostAddress,
      QNetworkInterface
    - add commented out rules for ofono (LP: 1226844)
  * finalize content_exchange policy for the content-hub. We now have two
    different policy groups: content_exchange for requesting/importing data
    and content_exchange_source for providing/exporting data
  * microphone:
    - remove /dev/binder, no longer needed now that we use audio HAL and
      pulseaudio
    - add gstreamer and pulseaudio accesses and silence ALSA denials (we
      force pulseaudio). Eventually we should consolidate these and the ones
      in audio into a separate abstraction.
  * networking
    - explicitly deny access to NetworkManager. This technically should be
      needed at all, but depending on how apps connect, the lowlevel
      libraries get NM involved. Do the same for ofono
    - add access to the download manager (LP: #1227860)
  * video: add gstreamer accesses. Eventually we should consolidate these
    and the ones in audio into a gstreamer abstraction
  * add the following new reserved policy groups (reserved because they need
    integration with trust-store to be used by untrusted apps):
    - calendar - to access /org/gnome/evolution/dataserver/SourceManager,
      /org/gnome/evolution/dataserver/CalendarFactory and
      /org/gnome/evolution/dataserver/Calendar/**
    - contacts - to access com.canonical.pim and org.freedesktop.Telepathy.
      Note, org.freedesktop.Telepathy will go away when LP: 1227818 is fixed
    - history - to access com.canonical.HistoryService
  * remove unused policy groups. This would normally constitute a new minor
    version, but no one is using these yet. When there is an API to use for
    this sort of thing, we can reintroduce them
    - read_connectivity_details
    - bluetooth (no supported Qt5 API for these per the SDK team)
    - nfc (no supported Qt5 API for these per the SDK team)
  * ubuntu* templates:
    - remove workaround HUD rule for DBus access to hud/applications/* now
      that the HUD is fixed.
    - allow connecting to dbus-daemon system daemon (org.freedesktop.DBus)
      for Hello, GetNameOwner, NameHasOwner, AddMatch and RemoveMatch which
      are all currently used when connecting to the network depending on the
      application API used. Allow the accesses to silence the denials: they
      are harmless and allows us to add more allow rules for other policy
      groups for system bus APIs down the line (as opposed to if we
      explicitly denied the accesses to org.freedesktop.DBus).
    - add more Nexus 7 accesses
  * ubuntu-sdk template:
    - remove workaround access for /tmp/*.sci now that TMPDIR is set
      (LP: #1197047)
    - remove workaround access for /var/tmp/etilqs_* now that TMPDIR is set
      (LP: #1197049)
    - add support for HTC vision thanks to Florian Will (LP: #1214975)
  * ubuntu-webapp template: use only application specific directories rather
    than the global webbrowser-app one (LP: #1226085)
  * debian/rules: enable tests during build
  * debian/control: Build-Depends on python3-minimal (for tests)
  * apparmor-easyprof-ubuntu.postinst: run aa-clickhook -f if it is available

1c00942... by Jamie Strandboge on 2013-09-11

Import patches-unapplied version 1.0.31 to ubuntu/saucy-proposed

Imported using git-ubuntu import.

Changelog parent: a284b8b2c9715d781943f30d7e11386793aee376

New changelog entries:
  * ubuntu-* templates: allow unconditional access to the DispatchURL
    API from com.canonical.URLDispatcher
  * ubuntu-sdk template: add another temporary workaround for non-app-specific
    path for qtdeclarative5-u1db1.0 (see LP: 1224126 for details)