Merge lp:~vicamo/apparmor-easyprof-ubuntu/add-lib64-for-64bit-android into lp:apparmor-easyprof-ubuntu

Proposed by You-Sheng Yang
Status: Merged
Merged at revision: 50
Proposed branch: lp:~vicamo/apparmor-easyprof-ubuntu/add-lib64-for-64bit-android
Merge into: lp:apparmor-easyprof-ubuntu
Diff against target: 331 lines (+111/-111)
10 files modified
data/policygroups/ubuntu/1.1/webview (+3/-3)
data/templates/ubuntu/1.0/ubuntu-sdk (+12/-12)
data/templates/ubuntu/1.0/ubuntu-webapp (+12/-12)
data/templates/ubuntu/1.1/ubuntu-sdk (+12/-12)
data/templates/ubuntu/1.1/ubuntu-webapp (+12/-12)
data/templates/ubuntu/1.2/ubuntu-account-plugin (+12/-12)
data/templates/ubuntu/1.2/ubuntu-scope-network (+12/-12)
data/templates/ubuntu/1.3/ubuntu-sdk (+12/-12)
data/templates/ubuntu/15.10/ubuntu-account-plugin (+12/-12)
pending/templates/ubuntu-scope-local-content (+12/-12)
To merge this branch: bzr merge lp:~vicamo/apparmor-easyprof-ubuntu/add-lib64-for-64bit-android
Reviewer Review Type Date Requested Status
Jamie Strandboge (community) Approve
Review via email: mp+303659@code.launchpad.net

Description of the change

Currently we have only /system/lib etched in apparmor permission rules. On arm64, /system/lib64 is required. Example apparmor error:

kernel: [ 189.457372].(0)[7350:media-hub-serve]type=1400 audit(1471933369.640:152): apparmor="DENIED" operation="open" profile="/usr/bin/media-hub-server" name="/android/system/lib64/libmedia_compat_layer.so" pid=7350 comm="media-hub-serve" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0
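
The denial above can be checked against a rule before and after the change. The following is an added example, not code from this branch or from AppArmor: it parses the audit record and tests the denied path against the webview policy group rule from the diff below, old and new. The helper names and the glob-to-regex translation (covering only `{a,b}`, `*` and `**`) are assumptions made for illustration.

```python
import re

# Constructed from the denial quoted in the description (kernel prefix dropped).
DENIAL = ('type=1400 audit(1471933369.640:152): apparmor="DENIED" operation="open" '
          'profile="/usr/bin/media-hub-server" '
          'name="/android/system/lib64/libmedia_compat_layer.so" pid=7350 '
          'comm="media-hub-serve" requested_mask="r" denied_mask="r" fsuid=32011 ouid=0')

# Rule text as it appears in the webview hunk, before and after the change.
OLD_RULE = "/{,android/}system/lib/*.so mr,"
NEW_RULE = "/{,android/}system/lib{,64}/*.so mr,"


def parse_denial(line):
    """Return the key="value" fields of an AppArmor audit record as a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def glob_to_regex(glob):
    """Translate the subset of AppArmor globbing used here: {a,b}, * and **."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")        # ** may cross directory separators
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")     # * stays within one path component
        elif c == "{":
            out.append("(?:")
        elif c == "}":
            out.append(")")
        elif c == ",":
            out.append("|")         # assumes commas appear only inside {}
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")


def rule_allows(rule, path, mask):
    """True if a file rule '<glob> <perms>,' grants every permission in mask."""
    glob, perms = rule.rstrip(",").split()
    return bool(glob_to_regex(glob).match(path)) and set(mask) <= set(perms)
```

Feeding `parse_denial(DENIAL)["name"]` and `["denied_mask"]` to `rule_allows` shows the old rule rejecting the lib64 path and the new one accepting it.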

Jamie Strandboge (jdstrand) wrote :

This looks fine and it passes the testsuite (./tests/test-data.py, pass '-d' to prove it is going through all of them).

Note that this is for trunk. If you want this for xenial overlay you should use:
lp:~ubuntu-security/apparmor-easyprof-ubuntu/16.04-stable-phone-overlay

and for vivid overlay:
lp:~ubuntu-security/apparmor-easyprof-ubuntu/1.3-stable-phone-overlay

It should also be noted that changing this will trigger a policy reload for all applications, which needs approval from Pat McGowan for changes to the overlay. Typically policy changes requiring large reloads like this one should be grouped together.

review: Approve
Jamie Strandboge (jdstrand) wrote :

In the interest of time with the ota-13 deadline, I've been asked to apply this to the overlay branches.

Preview Diff

1=== modified file 'data/policygroups/ubuntu/1.1/webview'
2--- data/policygroups/ubuntu/1.1/webview 2016-02-08 18:30:53 +0000
3+++ data/policygroups/ubuntu/1.1/webview 2016-08-23 08:29:41 +0000
4@@ -90,9 +90,9 @@
5 #include <abstractions/base>
6
7 # So long as we don't give /dev/binder, this should be 'ok'
8- /{,android/}vendor/lib/*.so mr,
9- /{,android/}system/lib/*.so mr,
10- /{,android/}system/vendor/lib/*.so mr,
11+ /{,android/}vendor/lib{,64}/*.so mr,
12+ /{,android/}system/lib{,64}/*.so mr,
13+ /{,android/}system/vendor/lib{,64}/*.so mr,
14 /{,android/}system/build.prop r,
15 /dev/socket/property_service rw, # attach_disconnected path
16
17
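Review bot: The three updated rules keep the single-level `*.so` glob, so the webview policy group only gains libraries that sit directly inside `lib64/`, while the template hunks in this same diff use `lib{,64}/**` and `**.so`. If a 64-bit image places a needed library in a subdirectory of `lib64`, webview will still be denied there; either confirm the flat layout is enough, or note in the comment above the rules why this group is intentionally narrower than the templates.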
18=== modified file 'data/templates/ubuntu/1.0/ubuntu-sdk'
19--- data/templates/ubuntu/1.0/ubuntu-sdk 2015-07-08 14:08:47 +0000
20+++ data/templates/ubuntu/1.0/ubuntu-sdk 2016-08-23 08:29:41 +0000
21@@ -301,18 +301,18 @@
22 /usr/lib/@{multiarch}/libhybris/*.so mr,
23 /{,android/}system/build.prop r,
24 # These libraries can be in any of:
25- # /vendor/lib
26- # /system/lib
27- # /system/vendor/lib
28- # /android/vendor/lib
29- # /android/system/lib
30- # /android/system/vendor/lib
31- /{,android/}vendor/lib/** r,
32- /{,android/}vendor/lib/**.so m,
33- /{,android/}system/lib/** r,
34- /{,android/}system/lib/**.so m,
35- /{,android/}system/vendor/lib/** r,
36- /{,android/}system/vendor/lib/**.so m,
37+ # /vendor/lib{,64}
38+ # /system/lib{,64}
39+ # /system/vendor/lib{,64}
40+ # /android/vendor/lib{,64}
41+ # /android/system/lib{,64}
42+ # /android/system/vendor/lib{,64}
43+ /{,android/}vendor/lib{,64}/** r,
44+ /{,android/}vendor/lib{,64}/**.so m,
45+ /{,android/}system/lib{,64}/** r,
46+ /{,android/}system/lib{,64}/**.so m,
47+ /{,android/}system/vendor/lib{,64}/** r,
48+ /{,android/}system/vendor/lib{,64}/**.so m,
49
50 # attach_disconnected path
51 /dev/socket/property_service rw,
52
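Review bot: The twelve changed lines here (six comment lines plus the six `lib{,64}` rules) are repeated verbatim in the eight other template hunks of this diff, which is why a one-token change accounts for +108/-108 of the +111/-111 total. Consider moving the block into one shared file pulled in with `#include`, as the webview policy group already does for `abstractions/base`, so the next path addition is made once and the policy versions cannot drift apart.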
53=== modified file 'data/templates/ubuntu/1.0/ubuntu-webapp'
54--- data/templates/ubuntu/1.0/ubuntu-webapp 2015-07-23 21:24:20 +0000
55+++ data/templates/ubuntu/1.0/ubuntu-webapp 2016-08-23 08:29:41 +0000
56@@ -264,18 +264,18 @@
57 /usr/lib/@{multiarch}/libhybris/*.so mr,
58 /{,android/}system/build.prop r,
59 # These libraries can be in any of:
60- # /vendor/lib
61- # /system/lib
62- # /system/vendor/lib
63- # /android/vendor/lib
64- # /android/system/lib
65- # /android/system/vendor/lib
66- /{,android/}vendor/lib/** r,
67- /{,android/}vendor/lib/**.so m,
68- /{,android/}system/lib/** r,
69- /{,android/}system/lib/**.so m,
70- /{,android/}system/vendor/lib/** r,
71- /{,android/}system/vendor/lib/**.so m,
72+ # /vendor/lib{,64}
73+ # /system/lib{,64}
74+ # /system/vendor/lib{,64}
75+ # /android/vendor/lib{,64}
76+ # /android/system/lib{,64}
77+ # /android/system/vendor/lib{,64}
78+ /{,android/}vendor/lib{,64}/** r,
79+ /{,android/}vendor/lib{,64}/**.so m,
80+ /{,android/}system/lib{,64}/** r,
81+ /{,android/}system/lib{,64}/**.so m,
82+ /{,android/}system/vendor/lib{,64}/** r,
83+ /{,android/}system/vendor/lib{,64}/**.so m,
84
85 # attach_disconnected path
86 /dev/socket/property_service rw,
87
88=== modified file 'data/templates/ubuntu/1.1/ubuntu-sdk'
89--- data/templates/ubuntu/1.1/ubuntu-sdk 2015-07-08 14:08:47 +0000
90+++ data/templates/ubuntu/1.1/ubuntu-sdk 2016-08-23 08:29:41 +0000
91@@ -300,18 +300,18 @@
92 /usr/lib/@{multiarch}/libhybris/*.so mr,
93 /{,android/}system/build.prop r,
94 # These libraries can be in any of:
95- # /vendor/lib
96- # /system/lib
97- # /system/vendor/lib
98- # /android/vendor/lib
99- # /android/system/lib
100- # /android/system/vendor/lib
101- /{,android/}vendor/lib/** r,
102- /{,android/}vendor/lib/**.so m,
103- /{,android/}system/lib/** r,
104- /{,android/}system/lib/**.so m,
105- /{,android/}system/vendor/lib/** r,
106- /{,android/}system/vendor/lib/**.so m,
107+ # /vendor/lib{,64}
108+ # /system/lib{,64}
109+ # /system/vendor/lib{,64}
110+ # /android/vendor/lib{,64}
111+ # /android/system/lib{,64}
112+ # /android/system/vendor/lib{,64}
113+ /{,android/}vendor/lib{,64}/** r,
114+ /{,android/}vendor/lib{,64}/**.so m,
115+ /{,android/}system/lib{,64}/** r,
116+ /{,android/}system/lib{,64}/**.so m,
117+ /{,android/}system/vendor/lib{,64}/** r,
118+ /{,android/}system/vendor/lib{,64}/**.so m,
119
120 # attach_disconnected path
121 /dev/socket/property_service rw,
122
123=== modified file 'data/templates/ubuntu/1.1/ubuntu-webapp'
124--- data/templates/ubuntu/1.1/ubuntu-webapp 2015-07-23 21:24:20 +0000
125+++ data/templates/ubuntu/1.1/ubuntu-webapp 2016-08-23 08:29:41 +0000
126@@ -271,18 +271,18 @@
127 /usr/lib/@{multiarch}/libhybris/*.so mr,
128 /{,android/}system/build.prop r,
129 # These libraries can be in any of:
130- # /vendor/lib
131- # /system/lib
132- # /system/vendor/lib
133- # /android/vendor/lib
134- # /android/system/lib
135- # /android/system/vendor/lib
136- /{,android/}vendor/lib/** r,
137- /{,android/}vendor/lib/**.so m,
138- /{,android/}system/lib/** r,
139- /{,android/}system/lib/**.so m,
140- /{,android/}system/vendor/lib/** r,
141- /{,android/}system/vendor/lib/**.so m,
142+ # /vendor/lib{,64}
143+ # /system/lib{,64}
144+ # /system/vendor/lib{,64}
145+ # /android/vendor/lib{,64}
146+ # /android/system/lib{,64}
147+ # /android/system/vendor/lib{,64}
148+ /{,android/}vendor/lib{,64}/** r,
149+ /{,android/}vendor/lib{,64}/**.so m,
150+ /{,android/}system/lib{,64}/** r,
151+ /{,android/}system/lib{,64}/**.so m,
152+ /{,android/}system/vendor/lib{,64}/** r,
153+ /{,android/}system/vendor/lib{,64}/**.so m,
154
155 # attach_disconnected path
156 /dev/socket/property_service rw,
157
158=== modified file 'data/templates/ubuntu/1.2/ubuntu-account-plugin'
159--- data/templates/ubuntu/1.2/ubuntu-account-plugin 2015-07-08 14:08:47 +0000
160+++ data/templates/ubuntu/1.2/ubuntu-account-plugin 2016-08-23 08:29:41 +0000
161@@ -165,18 +165,18 @@
162 /usr/lib/@{multiarch}/libhybris/*.so mr,
163 /{,android/}system/build.prop r,
164 # These libraries can be in any of:
165- # /vendor/lib
166- # /system/lib
167- # /system/vendor/lib
168- # /android/vendor/lib
169- # /android/system/lib
170- # /android/system/vendor/lib
171- /{,android/}vendor/lib/** r,
172- /{,android/}vendor/lib/**.so m,
173- /{,android/}system/lib/** r,
174- /{,android/}system/lib/**.so m,
175- /{,android/}system/vendor/lib/** r,
176- /{,android/}system/vendor/lib/**.so m,
177+ # /vendor/lib{,64}
178+ # /system/lib{,64}
179+ # /system/vendor/lib{,64}
180+ # /android/vendor/lib{,64}
181+ # /android/system/lib{,64}
182+ # /android/system/vendor/lib{,64}
183+ /{,android/}vendor/lib{,64}/** r,
184+ /{,android/}vendor/lib{,64}/**.so m,
185+ /{,android/}system/lib{,64}/** r,
186+ /{,android/}system/lib{,64}/**.so m,
187+ /{,android/}system/vendor/lib{,64}/** r,
188+ /{,android/}system/vendor/lib{,64}/**.so m,
189
190 # attach_disconnected path
191 /dev/socket/property_service rw,
192
193=== modified file 'data/templates/ubuntu/1.2/ubuntu-scope-network'
194--- data/templates/ubuntu/1.2/ubuntu-scope-network 2015-04-10 22:02:20 +0000
195+++ data/templates/ubuntu/1.2/ubuntu-scope-network 2016-08-23 08:29:41 +0000
196@@ -16,18 +16,18 @@
197 /usr/lib/@{multiarch}/libhybris/*.so mr,
198 /{,android/}system/build.prop r,
199 # These libraries can be in any of:
200- # /vendor/lib
201- # /system/lib
202- # /system/vendor/lib
203- # /android/vendor/lib
204- # /android/system/lib
205- # /android/system/vendor/lib
206- /{,android/}vendor/lib/** r,
207- /{,android/}vendor/lib/**.so m,
208- /{,android/}system/lib/** r,
209- /{,android/}system/lib/**.so m,
210- /{,android/}system/vendor/lib/** r,
211- /{,android/}system/vendor/lib/**.so m,
212+ # /vendor/lib{,64}
213+ # /system/lib{,64}
214+ # /system/vendor/lib{,64}
215+ # /android/vendor/lib{,64}
216+ # /android/system/lib{,64}
217+ # /android/system/vendor/lib{,64}
218+ /{,android/}vendor/lib{,64}/** r,
219+ /{,android/}vendor/lib{,64}/**.so m,
220+ /{,android/}system/lib{,64}/** r,
221+ /{,android/}system/lib{,64}/**.so m,
222+ /{,android/}system/vendor/lib{,64}/** r,
223+ /{,android/}system/vendor/lib{,64}/**.so m,
224
225 # attach_disconnected path
226 /dev/socket/property_service rw,
227
228=== modified file 'data/templates/ubuntu/1.3/ubuntu-sdk'
229--- data/templates/ubuntu/1.3/ubuntu-sdk 2015-11-19 21:20:24 +0000
230+++ data/templates/ubuntu/1.3/ubuntu-sdk 2016-08-23 08:29:41 +0000
231@@ -300,18 +300,18 @@
232 /usr/lib/@{multiarch}/libhybris/*.so mr,
233 /{,android/}system/build.prop r,
234 # These libraries can be in any of:
235- # /vendor/lib
236- # /system/lib
237- # /system/vendor/lib
238- # /android/vendor/lib
239- # /android/system/lib
240- # /android/system/vendor/lib
241- /{,android/}vendor/lib/** r,
242- /{,android/}vendor/lib/**.so m,
243- /{,android/}system/lib/** r,
244- /{,android/}system/lib/**.so m,
245- /{,android/}system/vendor/lib/** r,
246- /{,android/}system/vendor/lib/**.so m,
247+ # /vendor/lib{,64}
248+ # /system/lib{,64}
249+ # /system/vendor/lib{,64}
250+ # /android/vendor/lib{,64}
251+ # /android/system/lib{,64}
252+ # /android/system/vendor/lib{,64}
253+ /{,android/}vendor/lib{,64}/** r,
254+ /{,android/}vendor/lib{,64}/**.so m,
255+ /{,android/}system/lib{,64}/** r,
256+ /{,android/}system/lib{,64}/**.so m,
257+ /{,android/}system/vendor/lib{,64}/** r,
258+ /{,android/}system/vendor/lib{,64}/**.so m,
259
260 # attach_disconnected path
261 /dev/socket/property_service rw,
262
263=== modified file 'data/templates/ubuntu/15.10/ubuntu-account-plugin'
264--- data/templates/ubuntu/15.10/ubuntu-account-plugin 2015-07-29 20:16:27 +0000
265+++ data/templates/ubuntu/15.10/ubuntu-account-plugin 2016-08-23 08:29:41 +0000
266@@ -165,18 +165,18 @@
267 /usr/lib/@{multiarch}/libhybris/*.so mr,
268 /{,android/}system/build.prop r,
269 # These libraries can be in any of:
270- # /vendor/lib
271- # /system/lib
272- # /system/vendor/lib
273- # /android/vendor/lib
274- # /android/system/lib
275- # /android/system/vendor/lib
276- /{,android/}vendor/lib/** r,
277- /{,android/}vendor/lib/**.so m,
278- /{,android/}system/lib/** r,
279- /{,android/}system/lib/**.so m,
280- /{,android/}system/vendor/lib/** r,
281- /{,android/}system/vendor/lib/**.so m,
282+ # /vendor/lib{,64}
283+ # /system/lib{,64}
284+ # /system/vendor/lib{,64}
285+ # /android/vendor/lib{,64}
286+ # /android/system/lib{,64}
287+ # /android/system/vendor/lib{,64}
288+ /{,android/}vendor/lib{,64}/** r,
289+ /{,android/}vendor/lib{,64}/**.so m,
290+ /{,android/}system/lib{,64}/** r,
291+ /{,android/}system/lib{,64}/**.so m,
292+ /{,android/}system/vendor/lib{,64}/** r,
293+ /{,android/}system/vendor/lib{,64}/**.so m,
294
295 # attach_disconnected path
296 /dev/socket/property_service rw,
297
298=== modified file 'pending/templates/ubuntu-scope-local-content'
299--- pending/templates/ubuntu-scope-local-content 2015-02-03 22:08:27 +0000
300+++ pending/templates/ubuntu-scope-local-content 2016-08-23 08:29:41 +0000
301@@ -18,18 +18,18 @@
302 /usr/lib/@{multiarch}/libhybris/*.so mr,
303 /{,android/}system/build.prop r,
304 # These libraries can be in any of:
305- # /vendor/lib
306- # /system/lib
307- # /system/vendor/lib
308- # /android/vendor/lib
309- # /android/system/lib
310- # /android/system/vendor/lib
311- /{,android/}vendor/lib/** r,
312- /{,android/}vendor/lib/**.so m,
313- /{,android/}system/lib/** r,
314- /{,android/}system/lib/**.so m,
315- /{,android/}system/vendor/lib/** r,
316- /{,android/}system/vendor/lib/**.so m,
317+ # /vendor/lib{,64}
318+ # /system/lib{,64}
319+ # /system/vendor/lib{,64}
320+ # /android/vendor/lib{,64}
321+ # /android/system/lib{,64}
322+ # /android/system/vendor/lib{,64}
323+ /{,android/}vendor/lib{,64}/** r,
324+ /{,android/}vendor/lib{,64}/**.so m,
325+ /{,android/}system/lib{,64}/** r,
326+ /{,android/}system/lib{,64}/**.so m,
327+ /{,android/}system/vendor/lib{,64}/** r,
328+ /{,android/}system/vendor/lib{,64}/**.so m,
329
330 # attach_disconnected path
331 /dev/socket/property_service rw,
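Review bot: The denial quoted in the description was logged against profile="/usr/bin/media-hub-server", yet none of the ten files in this diff, this pending template included, is named for that profile. The `system/lib{,64}` rules added here cover the same class of denial for apps built from these templates and the webview group, so the description should say so, or point to where the media-hub-server profile itself gets the lib64 paths.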