~ubuntu-branches/ubuntu/wily/apparmor-easyprof-ubuntu/wily

Viewing changes to data/templates/ubuntu/1.1/ubuntu-webapp

Committer: Package Import Robot
Author(s): Jamie Strandboge
Date: 2014-09-05 15:17:07 UTC
Revision ID: package-import@ubuntu.com-20140905151707-6f13l1kr9xm3ri7d

* Updates for abstract and anonymous socket mediation (LP: #1362199):
  - ubuntu/*/ubuntu-*:
    + use dbus-strict and dbus-session-strict abstractions and remove
      duplicated policy
    + allow ubuntu-sdk and ubuntu-webapp connect, receive and send on the
      maliit abstract socket
    + allow write access to owner /{,var/}run/user/*/@{APP_PKGNAME}/{,**}
  - ubuntu/*/unconfined: allow unix
  - ubuntu/webview:
    + allow oxide to talk to sandbox via unix sockets
    + allow sandbox to talk to @{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION}
      peer
    + allow various unix perms from base abstract for the sandbox to use
      unix sockets
  - debian/control: Depends on apparmor >= 2.8.96~2541-0ubuntu4
* ubuntu/webview: use @{APP_PKGNAME}_@{APP_APPNAME}_@{APP_VERSION} for
  signal now that we have @{APP_APPNAME} available (LP: #1363112)
* ubuntu/debug: 'audit deny @{HOME}/.local/share/ r' which is used by the
  SDK to see if confined
* debian/control: Depends on apparmor >= 2.8.96~2541-0ubuntu4~

files modified:
data/policygroups/ubuntu/1.1/debug

data/policygroups/ubuntu/1.1/webview

data/templates/ubuntu/1.0/ubuntu-sdk

data/templates/ubuntu/1.0/ubuntu-webapp

data/templates/ubuntu/1.0/unconfined

data/templates/ubuntu/1.1/ubuntu-sdk

data/templates/ubuntu/1.1/ubuntu-webapp

data/templates/ubuntu/1.2/ubuntu-scope-network

debian/changelog

debian/control

Show diffs side-by-side

added added

removed removed

data/templates/ubuntu/1.1/ubuntu-webapp

#include "/usr/share/apparmor/hardware/graphics.d"

# DBus rules common for all webapps

# IPC rules common for all webapps

# Allow connecting to session bus and where to connect to services

dbus (send)

bus=session

path=/org/freedesktop/DBus

interface=org.freedesktop.DBus

member=Hello

peer=(name=org.freedesktop.DBus),

dbus (send)

bus=session

path=/org/freedesktop/{db,DB}us

interface=org.freedesktop.DBus

member={Add,Remove}Match

peer=(name=org.freedesktop.DBus),

# NameHasOwner and GetNameOwner could leak running processes and apps

# depending on how services are implemented

dbus (send)

bus=session

path=/org/freedesktop/DBus

interface=org.freedesktop.DBus

member=GetNameOwner

peer=(name=org.freedesktop.DBus),

dbus (send)

bus=session

path=/org/freedesktop/DBus

interface=org.freedesktop.DBus

member=NameHasOwner

peer=(name=org.freedesktop.DBus),

# Allow starting services on the session bus (actual communications with

# the service are mediated elsewhere)

dbus (send)

bus=session

path=/org/freedesktop/DBus

interface=org.freedesktop.DBus

member=StartServiceByName

peer=(name=org.freedesktop.DBus),

#include <abstractions/dbus-session-strict>

# Allow connecting to system bus and where to connect to services. Put these

# here so we don't need to repeat these rules in multiple places (actual

# communications with any system services is mediated elsewhere). This does

# allow apps to brute-force enumerate system services, but our system

# services aren't a secret.

/{,var/}run/dbus/system_bus_socket rw,

dbus (send)

bus=system

path=/org/freedesktop/DBus

interface=org.freedesktop.DBus

member=Hello

peer=(name=org.freedesktop.DBus),

dbus (send)

bus=system

path=/org/freedesktop/{db,DB}us

interface=org.freedesktop.DBus

member={Add,Remove}Match

peer=(name=org.freedesktop.DBus),

# NameHasOwner and GetNameOwner could leak running processes and apps

# depending on how services are implemented

dbus (send)

bus=system

path=/org/freedesktop/DBus

interface=org.freedesktop.DBus

member=GetNameOwner

100

peer=(name=org.freedesktop.DBus),

101

dbus (send)

102

bus=system

103

path=/org/freedesktop/DBus

104

interface=org.freedesktop.DBus

105

member=NameHasOwner

106

peer=(name=org.freedesktop.DBus),

107

108

# Allow starting services on the system bus (actual communications with

109

# the service are mediated elsewhere)

110

dbus (send)

111

bus=system

112

path=/org/freedesktop/DBus

113

interface=org.freedesktop.DBus

114

member=StartServiceByName

115

peer=(name=org.freedesktop.DBus),

#include <abstractions/dbus-strict>

116

117

# Unity shell

118

dbus (send)

189

120

interface="org.freedesktop.DBus.Properties"

190

121

member=Get

191

122

peer=(name=org.maliit.server),

123

unix (connect, receive, send)

124

type=stream

125

peer=(addr="@/tmp/maliit-server/dbus-*"),

192

126

193

127

# usensors

194

128

dbus (send)

254

188

audit deny /dev/input/** rw,

255

189

deny /dev/fb0 rw, # don't use 'audit' since it is too noisy with the camera

256

190

257

# FIXME: ought to go in a dbus abstraction, but dbus-session is too loose

258

/etc/machine-id r,

259

/var/lib/dbus/machine-id r,

260

261

191

# subset of GNOME stuff

262

192

/{,custom/}usr/share/icons/** r,

263

193

/{,custom/}usr/share/themes/** r,

455

385

owner @{HOME}/.config/@{APP_PKGNAME}/** mrwkl,

456

386

owner @{HOME}/.local/share/@{APP_PKGNAME}/ rw, # subdir of XDG_DATA_HOME

457

387

owner @{HOME}/.local/share/@{APP_PKGNAME}/** mrwklix,

458

owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR

388

owner /{,var/}run/user/*/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR

389

owner /{,var/}run/user/*/@{APP_PKGNAME}/** mrwkl,

390

owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/ rw, # subdir of XDG_RUNTIME_DIR (for TMPDIR)

459

391

owner /{,var/}run/user/*/confined/@{APP_PKGNAME}/** mrwkl,

460

392

461

393

###ABSTRACTIONS###

Older »