[apparmor] [PATCH/apparmor-profiles] Add profile for /usr/share/update-notifier/notify-reboot-required

Steve Beattie steve at nxnw.org
Fri Jul 1 13:54:51 UTC 2016 

Hi,

On Fri, Jul 01, 2016 at 09:46:10AM +0200, intrigeri wrote:
> Steve Beattie wrote (30 Jun 2016 19:00:59 GMT) :
> > +profile notify-reboot-required /usr/share/update-notifier/notify-reboot-required {
> 
> On Debian Jessie and newer, this file is not provided by the
> update-notifier package anymore: that binary package is now built from
> src:gnome-packagekit.

The update-notifier package there is a transitional empty package.

> Instead, we've introduced a tiny package called reboot-notifier (in
> testing/sid and in jessie-backports) that provides the same interface
> as the old update-notifier's.
> 
> I'm not sure how this works in Ubuntu, so I'd like to ask: was this
> tested on a system where
> /usr/share/update-notifier/notify-reboot-required is provided by the
> reboot-notifier package, e.g. Debian testing/sid? Or only with
> Ubuntu's update-notifier?

I was unaware of the above. The profile was tested only with Ubuntu's
update-notifier. That said, I pulled down the source package for
reboot-notifier, and it's even more stripped down than the Ubuntu
update-notifier script.

Entirely untested with reboot-notifier, but the following should work:

diff --git a/ubuntu/16.04/usr.share.update-notifier.notify-reboot-required b/ubuntu/16.04/usr.share.update-notifier.notify-reboot-required
index 5649d0d..9e97035 100644
--- a/ubuntu/16.04/usr.share.update-notifier.notify-reboot-required
+++ b/ubuntu/16.04/usr.share.update-notifier.notify-reboot-required
@@ -4,13 +4,13 @@
 
 #include <tunables/global>
 
-profile notify-reboot-required /usr/share/update-notifier/notify-reboot-required {
+profile notify-reboot-required /usr/share/{update,reboot}-notifier/notify-reboot-required {
 
   #include <abstractions/base>
 
   /usr/bin/gettext Pix,
 
-  /usr/share/update-notifier/notify-reboot-required r,
+  /usr/share/{update,reboot}-notifier/notify-reboot-required r,
 
   /{var/,}run/reboot-required rw,
   /{var/,}run/reboot-required.pkgs rw,

Unless you'd rather they be distinct profiles?

(I'd apply the same changes to the copy in the 16.10/ directory
as well.)

Thanks fr the feedback!

-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160701/c94a4252/attachment.pgp>

More information about the AppArmor mailing list