ubuntu-phone team mailing list archive

Thread
Date

Re: Content Hub Questions

To: Robert Schroll <rschroll@xxxxxxxxx>
From: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
Date: Thu, 19 Feb 2015 14:49:43 -0600
Cc: ubuntu-phone@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1424376132.13591.10@smtp.gmail.com>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0

On 02/19/2015 02:02 PM, Robert Schroll wrote:
> On Wed, Feb 18, 2015 at 3:28 PM, Jamie Strandboge <jamie@xxxxxxxxxxxxx> wrote:
>> Hard links are treated as different paths in apparmor so for a file with 2
>> links, you may have rules for both or either to access the file. Once it passes
>> the LSM (AppArmor) it should behave as you expect (eg, if one app is allowed
>> 'w'rite access to one link and the other app is allowed 'w'rite access to the
>> other link, both apps may modify the file).
> 
> Thanks.  In that case my question becomes, what are the apparmor rules governing
> ~/.cache/<appid>/HubIncoming/?
> 

$ tail -6 /usr/share/apparmor/easyprof/policygroups/ubuntu/1.2/content_exchange
# LP: #1293771
# Since fd delegation doesn't exist in the form that we need it at this time,
# content-hub will create hard links in ~/.cache/@{APP_PKGNAME}/HubIncoming/
# for volatile data. As such, apps should not have write access to anything in
# this directory otherwise they would be able to change the source content.
deny @{HOME}/.cache/@{APP_PKGNAME}/HubIncoming/** w,

Note: an explict deny rule suppresses the denial in the logs

-- 
Jamie Strandboge                 http://www.ubuntu.com/

Attachment: signature.asc
Description: OpenPGP digital signature

Follow ups

Re: Content Hub Questions
From: Robert Schroll, 2015-02-19

References

Content Hub Questions
From: Robert Schroll, 2015-02-18
Re: Content Hub Questions
From: Jamie Strandboge, 2015-02-18
Re: Content Hub Questions
From: Robert Schroll, 2015-02-19