touch-packages team mailing list archive
Message #85800
[Bug 1381713] Re: Support policy query interface for file
We're in the process of trying to land these changes for thumbnailer,
and have been noticing problems with the music-app: we are getting
denials from aa_query_label for files under ~/Music. For example:

    $ ./query_file com.ubuntu.music_music_2.1.867 /home/phablet/Music/10-amarillo.mp3
    read '/home/phablet/Music/10-amarillo.mp3' denied

However, the profile seems to be able to read files in that location
anyway:

    $ aa-exec -p com.ubuntu.music_music_2.1.867 cat /home/phablet/Music/10-amarillo.mp3 >/dev/null

It seems the aa_query_label checks are working for
~/.local/share/$PACKAGE directories though, so it is working at some
level:

    $ ./query_file com.ubuntu.music_music_2.1.867 /home/phablet/.local/share/com.ubuntu.music/foo
    read '/home/phablet/.local/share/com.ubuntu.music/foo' allowed
    $ ./query_file com.ubuntu.music_music_2.1.867 /home/phablet/.local/share/com.ubuntu.gallery/foo
    read '/home/phablet/.local/share/com.ubuntu.gallery/foo' denied

Is there something special about the way ~/Music access is enabled in
the policy? I've been trying this out with devel-proposed (wily) image
233 on a Nexus 4 if that matters.

https://bugs.launchpad.net/bugs/1381713

Title:
  Support policy query interface for file

Status in AppArmor Linux application security framework:
  Triaged
Status in Media Hub:
  New
Status in Media Scanner v2:
  New
Status in Thumbnail generator for all kinds of files:
  Fix Committed
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  This bug tracks the work needed to support querying if a label can
  access a file. This is particularly useful with trusted helpers where
  an application requests access to a file and the trusted helper does
  something with it. For example, on Ubuntu when an app wants to play a
  music file, it (eventually) goes through the media-hub service. The
  media-hub service should be able to query if the app's policy has
  access to the file.
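
A cross-check for the discrepancy reported in the message, added here as an example and not part of the original post or of AppArmor: for each path it compares what `query_file` answers with whether `cat` under `aa-exec -p` can actually read the file. The function names and the `QUERY_FILE`/`AA_EXEC` variables are assumptions of this example; the `query_file` output format is the one shown in the message.

```shell
#!/bin/sh
# Added example: compare the policy-query answer with what enforcement does.
# QUERY_FILE and AA_EXEC are assumed, overridable locations of the two tools;
# the defaults match the commands used in the message.
QUERY_FILE=${QUERY_FILE:-./query_file}
AA_EXEC=${AA_EXEC:-aa-exec}

# query_verdict PROFILE PATH -> "allowed", "denied" or "unknown"
query_verdict() {
    out=$("$QUERY_FILE" "$1" "$2" 2>/dev/null) || true
    case $out in
        *" allowed") echo allowed ;;
        *" denied")  echo denied ;;
        *)           echo unknown ;;
    esac
}

# enforced_verdict PROFILE PATH -> "allowed", "denied" or "untestable".
# A failed cat only says something about the profile if the file is readable
# without confinement (it exists and ordinary file permissions allow it).
enforced_verdict() {
    if [ ! -r "$2" ]; then echo untestable
    elif "$AA_EXEC" -p "$1" cat "$2" >/dev/null 2>&1; then echo allowed
    else echo denied
    fi
}

# compare PROFILE PATH... -> one report line per path; returns 1 if the query
# and the enforced result disagree for any testable path, 0 otherwise.
compare() {
    profile=$1; shift
    mismatch=0
    for path in "$@"; do
        q=$(query_verdict "$profile" "$path")
        e=$(enforced_verdict "$profile" "$path")
        if [ "$q" = unknown ] || [ "$e" = untestable ]; then status=skip
        elif [ "$q" = "$e" ]; then status=ok
        else status=MISMATCH; mismatch=1
        fi
        printf '%s query=%s enforced=%s %s\n' "$status" "$q" "$e" "$path"
    done
    return "$mismatch"
}

# Stand-alone use: script PROFILE PATH...
if [ "$#" -ge 2 ]; then compare "$@"; fi
```

Paths that do not exist or are unreadable for ordinary permission reasons are reported as `skip`, so a missing file such as the `foo` placeholders above is not counted as a disagreement.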