touch-packages team mailing list archive

[Bug 1415492] Re: Create a trusted socket for privileged processes

 

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.3.4

---------------
apparmor-easyprof-ubuntu (1.3.4) vivid; urgency=medium

  [ Alberto Mardegan ]
  * ubuntu/accounts: explicitly deny access to the p2p socket. This will now be
    available only to unconfined apps to support a trusted socket for
    privileged processes (LP: #1415492)

  [ Jamie Strandboge ]
  * add ubuntu/1.2/ubuntu-account-plugin template and add to 1.3 policy
    (LP: #1219644)
  * adjust expected_templates_12 in autopkgtests to have ubuntu-account-plugin
  * ubuntu/webview: allow /sys/devices/system/cpu/*/cpufreq/cpuinfo_max_freq
    readonly access
 -- Jamie Strandboge <jamie@xxxxxxxxxx>   Tue, 03 Feb 2015 16:24:15 -0600

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor-easyprof-ubuntu
in Ubuntu.
https://bugs.launchpad.net/bugs/1415492

Title:
  Create a trusted socket for privileged processes

Status in apparmor-easyprof-ubuntu package in Ubuntu:
  Fix Released
Status in signon package in Ubuntu:
  Fix Released
Status in signon-apparmor-extension package in Ubuntu:
  Fix Released

Bug description:
  We want to let privileged processes (such as those using the
  "unconfined" profile template) access any online account without
  having to be added to the account's ACL.

  signond and libsignon-qt already support connecting via a p2p D-Bus
  backed by a unix socket ("$XDG_RUNTIME_DIR/signond/socket"), but it's
  currently switched off at build time. We should enable it.

  signon-apparmor-extension has to be changed so that a peer connected
  via the p2p D-Bus connection will always be treated as "unconfined".

  While apparmor policy already disallows access to this socket,
  apparmor-easyprof-ubuntu needs to be modified so that the "accounts"
  policy will contain an explicit deny rule for
  "$XDG_RUNTIME_DIR/signond/socket" to suppress logging the denial.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor-easyprof-ubuntu/+bug/1415492/+subscriptions
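
The last paragraph of the bug description relies on an AppArmor behaviour: access that no rule allows is denied and logged, an explicit "deny" rule denies it silently, and "audit deny" denies it and keeps the log entry. The check below is an added example, not code from the bug report or from apparmor-easyprof-ubuntu; it reports which of those cases a policy text falls into for the signond socket. The rule text, the /run/user/<uid> expansion of $XDG_RUNTIME_DIR, the sample policy fragments and the simplified glob matching are assumptions.

```python
import re

# Assumption: $XDG_RUNTIME_DIR is /run/user/<uid>; the uid below is constructed.
SOCKET = "/run/user/32011/signond/socket"
# [audit] [deny] [owner] <path> <perms>,
RULE = re.compile(r"^\s*(audit\s+)?(deny\s+)?(?:owner\s+)?(/\S+)\s+\w+,")

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used here: ** * ? [..] {a,b}."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # ** crosses directory separators
            out.append(".*"); i += 1
        elif c == "*":                    # * stops at '/'
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                    # character class is copied verbatim
            end = glob.index("]", i)
            out.append(glob[i:end + 1]); i = end
        elif c == "{":
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:          # comma is alternation only inside {}
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def socket_handling(policy, path=SOCKET):
    """Report how a policy text treats `path` and whether denials are logged."""
    verdict = "implicit deny (logged)"    # no matching rule: denied and audited
    for line in policy.splitlines():
        m = RULE.match(line)
        if not m or not re.fullmatch(glob_to_regex(m.group(3)), path):
            continue
        if m.group(2):                    # explicit deny overrides any allow rule
            return "audit deny (logged)" if m.group(1) else "explicit deny (silent)"
        verdict = "allowed"
    return verdict

# Constructed policy fragments; the rule text is assumed, not copied from the package.
BEFORE = "# accounts policy group (constructed)\n/usr/share/accounts/** r,\n"
AFTER = BEFORE + "deny /run/user/[0-9]*/signond/socket rw,\n"
AUDITED = BEFORE + "audit deny /run/user/[0-9]*/signond/socket rw,\n"

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER), ("audited", AUDITED)):
        print(name, "->", socket_handling(text))
```

An "allowed" result for a confined template means some broader rule grants the socket path and no deny rule covers it.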

