~ken-vandine/apparmor-easyprof-ubuntu/content_exchange

~ken-vandine/apparmor-easyprof-ubuntu/content_exchange_mir

Viewing changes to data/policygroups/ubuntu/1.0/networking

Committer: Jamie Strandboge
Date: 2015-02-03 22:08:27 UTC
Revision ID: jamie@ubuntu.com-20150203220827-rfz4540yx2c1kbzt

Tags: 1.3.1

* ubuntu/ubuntu-sdk:
  - explicitly deny reads on ~/.cache/QML/Apps/ to silence noisy denials.
    Undo this when LP: 1381620 is fixed in qtdeclarative-opensource-src
  - explicitly deny dbus bind on name="org.freedesktop.Application" since
    it is noisy. Undo this when LP: 1378823 is fixed in ubuntu-ui-toolkit
* ubuntu/1.3/ubuntu-sdk: drop html5-container policy. html5 apps should use
  webapp-container and specify the 'webview' policy group with 1.3 (15.04)
  policy (LP: #1392461)
* ubuntu/ubuntu-scope-network, pending/ubuntu-scope-local-content: allow
  scopes to read data from the apps data dir (LP: #1384286)
* adjust all dbus rules to use peer=(label=unconfined) to prevent
  coordinated communications between apps over DBus (LP: #1383824)
* ubuntu/{music,pictures,video}_files*: allow access to global SD card
  directories (LP: #1391930)
* debian/control: Depends on apparmor >= 2.8.98-0ubuntu2~ for the dbus peer
  changes (we need at least apparmor_parser 2.9.beta4 for these)

files modified:
data/policygroups/ubuntu/1.0/accounts

data/policygroups/ubuntu/1.0/audio

data/policygroups/ubuntu/1.0/calendar

data/policygroups/ubuntu/1.0/camera

data/policygroups/ubuntu/1.0/contacts

data/policygroups/ubuntu/1.0/content_exchange

data/policygroups/ubuntu/1.0/content_exchange_source

data/policygroups/ubuntu/1.0/friends

data/policygroups/ubuntu/1.0/history

data/policygroups/ubuntu/1.0/location

data/policygroups/ubuntu/1.0/music_files

data/policygroups/ubuntu/1.0/music_files_read

data/policygroups/ubuntu/1.0/networking

data/policygroups/ubuntu/1.0/picture_files

data/policygroups/ubuntu/1.0/picture_files_read

data/policygroups/ubuntu/1.0/usermetrics

data/policygroups/ubuntu/1.0/video

data/policygroups/ubuntu/1.0/video_files

data/policygroups/ubuntu/1.0/video_files_read

data/policygroups/ubuntu/1.1/contacts

data/policygroups/ubuntu/1.1/content_exchange

data/policygroups/ubuntu/1.1/music_files

data/policygroups/ubuntu/1.1/music_files_read

data/policygroups/ubuntu/1.1/video_files

data/policygroups/ubuntu/1.1/video_files_read

data/policygroups/ubuntu/1.1/webview

data/policygroups/ubuntu/1.2/accounts

data/policygroups/ubuntu/1.2/connectivity

data/policygroups/ubuntu/1.2/push-notification-client

data/policygroups/ubuntu/1.2/sensors

data/templates/ubuntu/1.0/ubuntu-sdk

data/templates/ubuntu/1.0/ubuntu-webapp

data/templates/ubuntu/1.1/ubuntu-sdk

data/templates/ubuntu/1.1/ubuntu-webapp

data/templates/ubuntu/1.2/ubuntu-scope-network

data/templates/ubuntu/1.3/ubuntu-sdk

debian/changelog

debian/control

pending/templates/ubuntu-scope-local-content

Show diffs side-by-side

added added

removed removed

data/policygroups/ubuntu/1.0/networking

bus=session

interface="org.freedesktop.DBus.Introspectable"

path=/

member=Introspect,

member=Introspect

peer=(label=unconfined),

dbus (send)

bus=session

interface="org.freedesktop.DBus.Introspectable"

path=/com/canonical/applications/download/**

member=Introspect,

member=Introspect

peer=(label=unconfined),

# Allow DownloadManager to send us signals, etc

dbus (receive)

bus=session

interface=com.canonical.applications.Download{,er}Manager,

interface=com.canonical.applications.Download{,er}Manager

peer=(label=unconfined),

# Restrict apps to just their own downloads

owner @{HOME}/.local/share/ubuntu-download-manager/@{APP_PKGNAME}/ rw,

owner @{HOME}/.local/share/ubuntu-download-manager/@{APP_PKGNAME}/** rwk,

dbus (receive, send)

bus=session

path=/com/canonical/applications/download/@{APP_ID_DBUS}/**

interface=com.canonical.applications.Download,

interface=com.canonical.applications.Download

peer=(label=unconfined),

dbus (receive, send)

bus=session

path=/com/canonical/applications/download/@{APP_ID_DBUS}/**

interface=com.canonical.applications.GroupDownload,

interface=com.canonical.applications.GroupDownload

peer=(label=unconfined),

# Be explicit about the allowed members we can send to

dbus (send)

bus=session

path=/

interface=com.canonical.applications.DownloadManager

member=createDownload,

dbus (send)

bus=session

path=/

interface=com.canonical.applications.DownloadManager

member=createDownloadGroup,

dbus (send)

bus=session

path=/

interface=com.canonical.applications.DownloadManager

member=getAllDownloads,

dbus (send)

bus=session

path=/

interface=com.canonical.applications.DownloadManager

member=getAllDownloadsWithMetadata,

dbus (send)

bus=session

path=/

interface=com.canonical.applications.DownloadManager

member=defaultThrottle,

dbus (send)

bus=session

path=/

interface=com.canonical.applications.DownloadManager

member=isGSMDownloadAllowed,

member=createDownload

peer=(label=unconfined),

dbus (send)

bus=session

path=/

interface=com.canonical.applications.DownloadManager

member=createDownloadGroup

peer=(label=unconfined),

dbus (send)

bus=session

path=/

interface=com.canonical.applications.DownloadManager

member=getAllDownloads

peer=(label=unconfined),

dbus (send)

bus=session

path=/

interface=com.canonical.applications.DownloadManager

member=getAllDownloadsWithMetadata

peer=(label=unconfined),

dbus (send)

bus=session

path=/

interface=com.canonical.applications.DownloadManager

member=defaultThrottle

peer=(label=unconfined),

dbus (send)

bus=session

path=/

interface=com.canonical.applications.DownloadManager

member=isGSMDownloadAllowed

peer=(label=unconfined),

# Explicitly deny DownloadManager APIs apps shouldn't have access to in order

# to make sure they aren't accidentally added in the future (see LP: #1277578

# for details)

Older »