touch-packages team mailing list archive

Thread
Date

[Bug 1381713] Re: Support policy query interface for file

To: touch-packages@xxxxxxxxxxxxxxxxxxx
From: James Henstridge <james.henstridge@xxxxxxxxxxxxx>
Date: Tue, 23 Jun 2015 07:35:15 -0000
Reply-to: Bug 1381713 <1381713@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

We're in the process of trying to land these changes for thumbnailer,
and have been noticing problems with the music-app: we are getting
denials from aa_query_label for files under ~/Music.  For example:

    $ ./query_file com.ubuntu.music_music_2.1.867 /home/phablet/Music/10-amarillo.mp3 
    read '/home/phablet/Music/10-amarillo.mp3' denied

However, the profile seems to be able to read files in that location
anyway:

    $ aa-exec -p com.ubuntu.music_music_2.1.867 cat
/home/phablet/Music/10-amarillo.mp3 >/dev/null

It seems the aa_query_label checks are working for
~/.local/share/$PACKAGE directories though, so it is working at some
level:

    $ ./query_file com.ubuntu.music_music_2.1.867 /home/phablet/.local/share/com.ubuntu.music/foo
    read '/home/phablet/.local/share/com.ubuntu.music/foo' allowed
    $ ./query_file com.ubuntu.music_music_2.1.867 /home/phablet/.local/share/com.ubuntu.gallery/foo
    read '/home/phablet/.local/share/com.ubuntu.gallery/foo' denied

Is there something special about the way ~/Music access is enabled in
the policy?  I've been trying this out with devel-proposed (wily) image
233 on a Nexus 4 if that matters.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1381713

Title:
  Support policy query interface for file

Status in AppArmor Linux application security framework:
  Triaged
Status in Media Hub:
  New
Status in Media Scanner v2:
  New
Status in Thumbnail generator for all kinds of files:
  Fix Committed
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  This bug tracks the work needed to support querying if a label can
  access a file. This is particularly useful with trusted helpers where
  an application requests access to a file and the trusted helper does
  something with it. For example, on Ubuntu when an app wants to play a
  music file, it (eventually) goes through the media-hub service. The
  media-hub service should be able to query if the app's policy has
  access to the file.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1381713/+subscriptions