[Bug 1197047] Re: SDK applications create /tmp/*.sci files

[Jamie Strandboge]

apparmor-easyprof-ubuntu has this access now. upstart-app-launch also
sets up TMPDIR via upstart-app-launch/click-exec. What is left is for
click and upstart-app-launch to use aa-exec-click (from click-apparmor)
instead of aa-exec.

** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
       Status: New => Fix Released

** Also affects: upstart-app-launch (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: upstart-app-launch (Ubuntu)
       Status: New => Triaged

** Changed in: upstart-app-launch (Ubuntu)
   Importance: Undecided => High

** Also affects: click (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to click in Ubuntu.
https://bugs.launchpad.net/bugs/1197047

Title:
  SDK applications create /tmp/*.sci files

Status in Ubuntu UI Toolkit:
  Invalid
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “click” package in Ubuntu:
  New
Status in “upstart-app-launch” package in Ubuntu:
  Triaged

Bug description:
  Launching an Ubuntu SDK (QML) application under application confinement results in the following denial:
  apparmor="DENIED" operation="mknod" parent=8803 profile="ubuntu-calculator-app" name="/tmp/TJ8938.sci" pid=8938 comm="qmlscene" requested_mask="c" denied_mask="c" fsuid=32011 ouid=32011

  We currently have the following AppArmor rule to deal with this:
     owner /tmp/*.sci rwk,

  But this rule is too lenient and this path needs to be made
  application specific. Specifically: $XDG_RUNTIME_DIR/<app id> where
  '<app id>' will ultimately be the reverse domain name with Click
  packages (see bug #1197037 for details on '<app id>').

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-ui-toolkit/+bug/1197047/+subscriptions