

Viewing changes to data/templates/ubuntu/1.1/ubuntu-webapp

  • Committer: Jamie Strandboge
  • Date: 2015-02-03 22:08:27 UTC
  • Revision ID: jamie@ubuntu.com-20150203220827-rfz4540yx2c1kbzt
Tags: 1.3.1
* ubuntu/ubuntu-sdk:
  - explicitly deny reads on ~/.cache/QML/Apps/ to silence noisy denials.
    Undo this when LP: 1381620 is fixed in qtdeclarative-opensource-src
  - explicitly deny dbus bind on name="org.freedesktop.Application" since
    it is noisy. Undo this when LP: 1378823 is fixed in ubuntu-ui-toolkit
* ubuntu/1.3/ubuntu-sdk: drop html5-container policy. html5 apps should use
  webapp-container and specify the 'webview' policy group with 1.3 (15.04)
  policy (LP: #1392461)
* ubuntu/ubuntu-scope-network, pending/ubuntu-scope-local-content: allow
  scopes to read data from the apps data dir (LP: #1384286)
* adjust all dbus rules to use peer=(label=unconfined) to prevent
  coordinated communications between apps over DBus (LP: #1383824)
* ubuntu/{music,pictures,video}_files*: allow access to global SD card
  directories (LP: #1391930)
* debian/control: Depends on apparmor >= 2.8.98-0ubuntu2~ for the dbus peer
  changes (we need at least apparmor_parser 2.9.beta4 for these)

47
47
       bus=session
48
48
       path="/BottomBarVisibilityCommunicator"
49
49
       interface="org.freedesktop.DBus.{Introspectable,Properties}"
50
 
       peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator),
 
50
       peer=(name=com.canonical.Shell.BottomBarVisibilityCommunicator,label=unconfined),
51
51
  dbus (receive)
52
52
       bus=session
53
53
       path="/BottomBarVisibilityCommunicator"
54
 
       interface="com.canonical.Shell.BottomBarVisibilityCommunicator",
 
54
       interface="com.canonical.Shell.BottomBarVisibilityCommunicator"
 
55
       peer=(label=unconfined),
55
56
 
56
57
 
57
58
  # Unity HUD
59
60
       bus=session
60
61
       path="/com/canonical/hud"
61
62
       interface="org.freedesktop.DBus.Properties"
62
 
       member="GetAll",
 
63
       member="GetAll"
 
64
       peer=(label=unconfined),
63
65
  dbus (send)
64
66
       bus=session
65
67
       path="/com/canonical/hud"
66
68
       interface="com.canonical.hud"
67
 
       member="RegisterApplication",
 
69
       member="RegisterApplication"
 
70
       peer=(label=unconfined),
68
71
  dbus (receive, send)
69
72
       bus=session
70
 
       path=/com/canonical/hud/applications/@{APP_ID_DBUS}*,
71
 
  dbus (receive)
72
 
       bus=session
73
 
       path="/com/canonical/hud/publisher*"
74
 
       interface="org.gtk.Menus"
75
 
       member="Start",
76
 
  dbus (receive)
77
 
       bus=session
78
 
       path="/com/canonical/hud/publisher*"
79
 
       interface="org.gtk.Menus"
80
 
       member="End",
 
73
       path=/com/canonical/hud/applications/@{APP_ID_DBUS}*
 
74
       peer=(label=unconfined),
 
75
  dbus (receive)
 
76
       bus=session
 
77
       path="/com/canonical/hud/publisher*"
 
78
       interface="org.gtk.Menus"
 
79
       member="Start"
 
80
       peer=(label=unconfined),
 
81
  dbus (receive)
 
82
       bus=session
 
83
       path="/com/canonical/hud/publisher*"
 
84
       interface="org.gtk.Menus"
 
85
       member="End"
 
86
       peer=(label=unconfined),
81
87
  dbus (send)
82
88
       bus=session
83
89
       path="/com/canonical/hud/publisher*"
84
90
       interface="org.gtk.Menus"
85
91
       member="Changed"
86
 
       peer=(name=org.freedesktop.DBus),
 
92
       peer=(name=org.freedesktop.DBus,label=unconfined),
87
93
  dbus (receive)
88
94
       bus=session
89
95
       path="/com/canonical/unity/actions"
90
96
       interface=org.gtk.Actions
91
 
       member={DescribeAll,Activate},
 
97
       member={DescribeAll,Activate}
 
98
       peer=(label=unconfined),
92
99
  dbus (send)
93
100
       bus=session
94
101
       path="/com/canonical/unity/actions"
95
102
       interface=org.gtk.Actions
96
103
       member=Changed
97
 
       peer=(name=org.freedesktop.DBus),
 
104
       peer=(name=org.freedesktop.DBus,label=unconfined),
98
105
  dbus (receive)
99
106
       bus=session
100
107
       path="/context_*"
101
108
       interface=org.gtk.Actions
102
 
       member="DescribeAll",
 
109
       member="DescribeAll"
 
110
       peer=(label=unconfined),
103
111
  dbus (receive)
104
112
       bus=session
105
113
       path="/com/canonical/hud"
106
114
       interface="com.canonical.hud"
107
 
       member="UpdatedQuery",
 
115
       member="UpdatedQuery"
 
116
       peer=(label=unconfined),
108
117
  dbus (receive)
109
118
       bus=session
110
119
       interface="com.canonical.hud.Awareness"
111
 
       member="CheckAwareness",
 
120
       member="CheckAwareness"
 
121
       peer=(label=unconfined),
112
122
 
113
123
  # on screen keyboard (OSK)
114
124
  dbus (send)
116
126
       path="/org/maliit/server/address"
117
127
       interface="org.freedesktop.DBus.Properties"
118
128
       member=Get
119
 
       peer=(name=org.maliit.server),
 
129
       peer=(name=org.maliit.server,label=unconfined),
120
130
  unix (connect, receive, send)
121
131
       type=stream
122
132
       peer=(addr="@/tmp/maliit-server/dbus-*"),
125
135
  dbus (receive, send)
126
136
       bus=session
127
137
       path="/com/canonical/QtMir/Clipboard"
128
 
       interface="com.canonical.QtMir.Clipboard",
 
138
       interface="com.canonical.QtMir.Clipboard"
 
139
       peer=(label=unconfined),
129
140
  dbus (receive, send)
130
141
       bus=session
131
142
       path="/com/canonical/QtMir/Clipboard"
132
 
       interface="org.freedesktop.DBus.{Introspectable,Properties}",
 
143
       interface="org.freedesktop.DBus.{Introspectable,Properties}"
 
144
       peer=(label=unconfined),
133
145
 
134
146
  # usensors
135
147
  dbus (send)
136
148
       bus=session
137
149
       path=/com/canonical/usensord/haptic
138
 
       interface=com.canonical.usensord.haptic,
 
150
       interface=com.canonical.usensord.haptic
 
151
       peer=(label=unconfined),
139
152
 
140
153
  # URL dispatcher. All apps can call this since:
141
154
  # a) the dispatched application is launched out of process and not
147
160
       bus=session
148
161
       path="/com/canonical/URLDispatcher"
149
162
       interface="com.canonical.URLDispatcher"
150
 
       member="DispatchURL",
 
163
       member="DispatchURL"
 
164
       peer=(label=unconfined),
151
165
 
152
166
  # This is needed when the app is already running and needs to be passed in
153
167
  # a URL to open. This is most often used with content-hub providers and
157
171
       bus=session
158
172
       path=/@{APP_ID_DBUS}
159
173
       interface="org.freedesktop.Application"
160
 
       member="Open",
 
174
       member="Open"
 
175
       peer=(label=unconfined),
161
176
 
162
177
  # This is needed for apps to interact with the Launcher (eg, for the counter)
163
178
  dbus (receive, send)
164
179
       bus=session
165
 
       path=/com/canonical/unity/launcher/@{APP_ID_DBUS},
 
180
       path=/com/canonical/unity/launcher/@{APP_ID_DBUS}
 
181
       peer=(label=unconfined),
166
182
 
167
183
  # TODO: finetune this
168
184
  dbus (send)
169
185
       bus=session
170
 
       peer=(name=org.a11y.Bus),
 
186
       peer=(name=org.a11y.Bus,label=unconfined),
171
187
  dbus (receive)
172
188
       bus=session
173
 
       interface=org.a11y.atspi**,
 
189
       interface=org.a11y.atspi**
 
190
       peer=(label=unconfined),
174
191
  dbus (receive, send)
175
 
       bus=accessibility,
 
192
       bus=accessibility
 
193
       peer=(label=unconfined),
176
194
 
177
195
  # Deny potentially dangerous access
178
196
  deny dbus bus=session
334
352
  dbus (receive, send)
335
353
       bus=session
336
354
       interface=com.nokia.singlesignonui
337
 
       member=cookiesForIdentity,
 
355
       member=cookiesForIdentity
 
356
       peer=(label=unconfined),
338
357
 
339
358
 
340
359
  # GStreamer binary registry - hybris pulls this in for everything now, not