[apparmor] [Merge] lp:~intrigeri/apparmor-profiles/gstreamer-abstraction into lp:apparmor-profiles

Mon Jul 28 03:48:27 UTC 2014

On Sat, Jul 26, 2014 at 03:09:23PM -0000, intrigeri wrote:
> OK, apparently it's easier for you folks to review stuff proposed on lp than submitted to the mailing-list, so... here we go :)

> https://code.launchpad.net/~intrigeri/apparmor-profiles/gstreamer-abstraction/+merge/228398

Sorry. Maybe it's just harder to lose track of...

This looks like a good cleanup to me. It does seem a bit strange that
/usr/bin/totem brings in a totem abstraction which then brings in the
gstreamer abstraction. And I don't understand why pkcs11 support is
included in any of these (but that's not new, I've never understood why
it's included.)

So while I don't want to block this on figuring out the totem abstraction
I do wonder if we want/need it, and wonder why we've got the p11-kit
abstraction included here.

Thanks

> === added file 'ubuntu/14.10/abstractions/gstreamer'
> --- ubuntu/14.10/abstractions/gstreamer	1970-01-01 00:00:00 +0000
> +++ ubuntu/14.10/abstractions/gstreamer	2014-07-26 15:08:59 +0000
> @@ -0,0 +1,15 @@
> +# vim:syntax=apparmor
> +
> +  #include <abstractions/p11-kit>
> +
> +  /etc/udev/udev.conf r,
> +
> +  # /dev/shm is a symlink to /run/shm on ubuntu
> +  owner /{dev,run}/shm/shmfd-* rw,
> +
> +  /run/udev/data/+pci:* r,
> +
> +  /sys/devices/pci[0-9]*/**/{busnum,devnum,descriptors,speed,uevent} r,
> +
> +  owner /tmp/orcexec.* mrw,
> +  owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
> 
> === modified file 'ubuntu/14.10/abstractions/totem'
> --- ubuntu/14.10/abstractions/totem	2014-07-22 15:26:03 +0000
> +++ ubuntu/14.10/abstractions/totem	2014-07-26 15:08:59 +0000
> @@ -16,9 +16,9 @@
>  # a maintenance problem and doesn't work for files without extensions.
>  
>    #include <abstractions/gnome>
> +  #include <abstractions/gstreamer>
>    #include <abstractions/nameservice>
>    #include <abstractions/dbus-session>
> -  #include <abstractions/p11-kit>
>  
>    # Allow read on all directories
>    /**/ r,
> @@ -28,14 +28,7 @@
>    /usr/share/** r,
>    /{media,mnt,opt,srv}/** r,
>  
> -  owner /tmp/orcexec.* m,
> -
> -  /etc/wildmidi/wildmidi.cfg r,
> -
> -  /usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
> -  /usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
> -  /usr/lib/frei0r-[0-9]/*.so m,
> -  /usr/lib/@{multiarch}/gstreamer[0-9].[0-9]/gstreamer-[0-9].[0-9]/gst-plugin-scanner Pix,
> +  /usr/lib/@{multiarch}/gstreamer[0-9].[0-9]/gstreamer-[0-9].[0-9]/gst-plugin-scanner Cix -> gst_plugin_scanner,
>  
>    owner @{HOME}/.cache/tracker/meta.db k,
>    owner @{HOME}/.cache/tracker/meta.db-shm k,
> 
> === added file 'ubuntu/14.10/gst_plugin_scanner'
> --- ubuntu/14.10/gst_plugin_scanner	1970-01-01 00:00:00 +0000
> +++ ubuntu/14.10/gst_plugin_scanner	2014-07-26 15:08:59 +0000
> @@ -0,0 +1,21 @@
> +# vim:syntax=apparmor
> +
> +profile gst_plugin_scanner {
> +  #include <abstractions/base>
> +  #include <abstractions/gstreamer>
> +  #include <abstractions/X>
> +
> +  /dev/ r,
> +  /dev/bus/usb/ r,
> +
> +  /sys/bus/ r,
> +  /sys/bus/usb/devices/ r,
> +  /sys/class/ r,
> +
> +  /etc/wildmidi/wildmidi.cfg r,
> +
> +  /usr/lib/frei0r-[0-9]/*.so m,
> +  # /usr/lib/@{multiarch}/dri/** mr,
> +  /usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
> +  /usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
> +}
> 
> === modified file 'ubuntu/14.10/usr.bin.totem'
> --- ubuntu/14.10/usr.bin.totem	2014-07-22 15:26:33 +0000
> +++ ubuntu/14.10/usr.bin.totem	2014-07-26 15:08:59 +0000
> @@ -9,13 +9,6 @@
>    #include <abstractions/python>
>    #include <abstractions/totem>
>  
> -  /etc/udev/udev.conf r,
> -  /sys/devices/pci[0-9]*/**/{busnum,devnum,descriptors,speed,uevent} r,
> -  /run/udev/data/+pci:* r,
> -
> -  # /dev/shm is a symlink to /run/shm on ubuntu
> -  owner /{dev,run}/shm/shmfd-* rw,
> -
>    # Maybe in an abstraction?
>    /usr/include/**/pyconfig.h r,
>  
> 

> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

-- 
https://code.launchpad.net/~intrigeri/apparmor-profiles/gstreamer-abstraction/+merge/228398
Your team AppArmor Developers is requested to review the proposed merge of lp:~intrigeri/apparmor-profiles/gstreamer-abstraction into lp:apparmor-profiles.