touch-packages team mailing list archive
Message #09426
[Bug 1356516] [NEW] consider shipping apparmor profile for webbrowser-app
Public bug reported:
It would be nice if webbrowser-app itself could ship an apparmor
profile. Since we are already confining webapps, we can leverage
aa-easyprof to generate the apparmor profile. E.g., debian/rules could
have a target:
apparmor:
	aa-easyprof --policy-version=1.2 --policy-vendor=ubuntu \
	    -t ubuntu-webapp \
	    --policy-groups=accounts,audio,content_exchange,content_exchange_source,location,networking,push-notification-client,video,webview \
	    --template-var="@{APP_ID_DBUS}=webbrowser_2dapp" \
	    --template-var="@{APP_PKGNAME_DBUS}=webbrowser_2dapp" \
	    --template-var="@{APP_PKGNAME}=webbrowser-app" \
	    --template-var="@{CLICK_DIR}=/usr/share/webbrowser-app" \
	    --abstraction=user-tmp \
	    --read-path=/usr/share/applications/ \
	    --read-path="@{HOME}/.local/share/applications/" \
	    --profile-name=webbrowser-app \
	    --no-verify /usr/bin/webbrowser-app | \
	    grep -v CLICK_DIR | \
	    sed 's/signal peer=@{APP_PKGNAME}_\*_@{APP_VERSION},/signal peer=@{APP_PKGNAME},/g' \
	    > ./debian/usr.bin.webbrowser-app
	apparmor_parser -QTK ./debian/usr.bin.webbrowser-app
In this manner, you could use this to update the apparmor profile:
$ debian/rules apparmor
I use '--no-verify' because we need to very lightly tidy up the profile
with the 'grep -v' and the 'sed', which is why after it is cleaned I run
'apparmor_parser -QTK' on the profile to verify it. This could probably
be done as part of the build too. Once the profile is in place, you can
simply do something along the lines of
http://bazaar.launchpad.net/~jdstrand/ubuntu-system-settings/ubuntu-system-settings-lp1296415/revision/748.
I have lightly tested this on the phone for the following:
* http
* https
* sharing to messaging app
* url-dispatcher via messaging-app to open a link (with the browser open and closed)
* maps.google.com (prompted for access)
* youtube (one denial: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/com/canonical/Unity/Screen" interface="com.canonical.Unity.Screen" member="keepDisplayOn" mask="send" name="com.canonical.Unity.Screen" pid=12566 profile="webbrowser-app" peer_pid=1575 peer_profile="unconfined")
* html5.grooveshark.com
* grooveshark via music scope
I also even more lightly tested it on the desktop, and it appears to
work ok.
** Affects: webbrowser-app (Ubuntu)
Importance: Undecided
Status: New
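The grep/sed tidy-up in the proposed debian/rules target, reproduced as a small Python function together with a cheap structural pre-check to run before apparmor_parser -QTK. This is an added example, not code from the report or from the webbrowser-app package; the easyprof output it works on is a constructed, abbreviated sample, and the profile lines in it are assumptions about what the ubuntu-webapp template emits.

```python
import re

# Constructed stand-in for `aa-easyprof -t ubuntu-webapp ...` output (abbreviated,
# not real tool output); it contains exactly what the report's grep/sed fix.
SAMPLE_EASYPROF_OUTPUT = """\
# constructed sample
#include <tunables/global>
@{APP_PKGNAME}="webbrowser-app"
@{CLICK_DIR}="/usr/share/webbrowser-app"
profile webbrowser-app /usr/bin/webbrowser-app (attach_disconnected) {
  #include <abstractions/base>
  @{CLICK_DIR}/@{APP_PKGNAME}/** r,
  signal peer=@{APP_PKGNAME}_*_@{APP_VERSION},
  network inet stream,
}
"""

SIGNAL_PEER_RE = re.compile(r"signal peer=@\{APP_PKGNAME\}_\*_@\{APP_VERSION\},")
STALE_VARS = ("@{CLICK_DIR}", "@{APP_VERSION}")  # only defined for click packages

def tidy_profile(text: str) -> str:
    """The report's grep -v and sed: drop every CLICK_DIR line (this is a deb,
    not a click, so those paths are meaningless) and narrow the signal peer from
    the click glob '<pkg>_*_<version>' to the plain profile name, so signals are
    exchanged only with processes running under the webbrowser-app profile."""
    kept = []
    for line in text.splitlines():
        if "CLICK_DIR" in line:          # grep -v CLICK_DIR
            continue
        kept.append(SIGNAL_PEER_RE.sub("signal peer=@{APP_PKGNAME},", line))
    return "\n".join(kept) + "\n"

def sanity_check(text: str) -> list:
    """Cheap checks before apparmor_parser -QTK, which stays the real verifier:
    leftover click variables (undefined outside click) and rules that lost
    their trailing comma are the usual ways the text-munging step goes wrong."""
    problems, depth = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        problems += [f"line {n}: unresolved {v}" for v in STALE_VARS if v in line]
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth > 0 and not line.endswith(","):
            problems.append(f"line {n}: rule without trailing comma")
    return problems
```

`sanity_check(tidy_profile(SAMPLE_EASYPROF_OUTPUT))` comes back empty, while the untidied sample reports three unresolved click variables.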
https://bugs.launchpad.net/bugs/1356516
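The single youtube denial the report records, taken apart the way a triage script would: parse the AppArmor audit fields out of a log line, summarise who was confined and what it tried, and draft the narrowest dbus rule that would cover exactly that call so the grant can be reviewed instead of pasted from the log. This is an added example, not part of the bug report; the kernel-log prefix around the quoted fields is constructed, and the apparmor.d dbus rule form is an assumption about standard syntax.

```python
import re

# The denial quoted in the bug report, wrapped in a constructed kernel-log
# prefix (timestamp and audit header are made up; the AppArmor fields are
# the report's own).
DENIAL_LINE = (
    '[ 1234.567890] audit: type=1107 audit(1407950000.123:42): '
    'apparmor="DENIED" operation="dbus_method_call" bus="system" '
    'path="/com/canonical/Unity/Screen" interface="com.canonical.Unity.Screen" '
    'member="keepDisplayOn" mask="send" name="com.canonical.Unity.Screen" '
    'pid=12566 profile="webbrowser-app" peer_pid=1575 peer_profile="unconfined"'
)

# key=value pairs, either quoted ("...") or bare (pid=12566)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line: str) -> dict:
    """Fields of one AppArmor audit line as a dict, or {} if the line is not
    an AppArmor DENIED record (so every line of dmesg can be fed through)."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in KV_RE.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else {}

def summarize(d: dict) -> str:
    """One-line triage summary: who was confined, what it tried, against whom."""
    return (f'{d["profile"]} (pid {d["pid"]}) denied {d["operation"]} '
            f'{d.get("interface", "")}.{d.get("member", "")} '
            f'-> peer {d["peer_profile"]} (pid {d["peer_pid"]})')

def suggest_dbus_rule(d: dict) -> str:
    """Draft the narrowest apparmor.d dbus rule matching exactly this call.
    Assumed standard rule syntax; whether the browser should be able to keep
    the display on is a policy decision, not something to grant on sight."""
    if d.get("operation") != "dbus_method_call":
        raise ValueError("not a D-Bus method-call denial")
    return (f'dbus ({d["mask"]}) bus={d["bus"]} path={d["path"]} '
            f'interface={d["interface"]} member={d["member"]} '
            f'peer=(label={d["peer_profile"]}),')

if __name__ == "__main__":
    d = parse_denial(DENIAL_LINE)
    print(summarize(d))
    print(suggest_dbus_rule(d))
```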