syncdaemon should have AppArmor profile
Bug #528274 reported by
Kees Cook
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu One Client |
Confirmed
|
High
|
Ubuntu One Client Engineering team | ||
ubuntuone-client (Ubuntu) |
Confirmed
|
Wishlist
|
Ubuntu One Client Engineering team | ||
Lucid |
Won't Fix
|
High
|
Rick McBride |
Bug Description
Binary package hint: ubuntuone-client
Since the syncdaemon should only be accessing files in a very specific location, I would like to see an AppArmor profile created for it by default to make sure it cannot be subverted or at least protect the rest of my files from it.
ProblemType: Bug
Architecture: amd64
Date: Fri Feb 26 00:21:13 2010
DistroRelease: Ubuntu 10.04
Package: ubuntuone-client 1.1.2-0ubuntu1
PackageArchitec
ProcEnviron:
LANGUAGE=
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: ubuntuone-client
Uname: Linux 2.6.32-14-generic x86_64
Related branches
lp:~rmcbride/ubuntu/lucid/ubuntuone-client/fix_528274
On hold
for merging
into
lp:ubuntu/lucid/ubuntuone-client
- Kees Cook: Approve
- Jamie Strandboge: Pending requested
- Ubuntu branches: Pending requested
-
Diff: 103 lines (+54/-0)7 files modifieddebian/apparmor-profile (+20/-0)
debian/changelog (+6/-0)
debian/control (+1/-0)
debian/rules (+4/-0)
debian/ubuntuone-client.dirs (+1/-0)
debian/ubuntuone-client.postinst (+12/-0)
debian/ubuntuone-client.postrm (+10/-0)
Changed in ubuntuone-client: | |
status: | New → Confirmed |
importance: | Undecided → High |
tags: | added: ops+ |
Changed in ubuntuone-client: | |
assignee: | nobody → Philip Fibiger (pfibiger) |
assignee: | Philip Fibiger (pfibiger) → Rick McBride (rmcbride) |
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | New → Confirmed |
importance: | Undecided → High |
assignee: | nobody → Rick McBride (rmcbride) |
Changed in ubuntuone-client: | |
status: | Confirmed → In Progress |
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | Confirmed → In Progress |
Changed in ubuntuone-client: | |
status: | In Progress → Fix Committed |
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | In Progress → Fix Committed |
Changed in ubuntuone-client: | |
status: | In Progress → Fix Committed |
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | In Progress → Fix Committed |
Changed in ubuntuone-client (Ubuntu Lucid): | |
milestone: | ubuntu-10.04-beta-1 → ubuntu-10.04-beta-2 |
Changed in ubuntuone-client: | |
status: | Fix Committed → In Progress |
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | Fix Committed → In Progress |
Changed in ubuntuone-client: | |
status: | In Progress → Confirmed |
Changed in ubuntuone-client (Ubuntu Lucid): | |
status: | In Progress → Confirmed |
Changed in ubuntuone-client (Ubuntu): | |
status: | Confirmed → In Progress |
Changed in ubuntuone-client: | |
status: | Confirmed → In Progress |
tags: | added: apparmor |
Changed in ubuntuone-client: | |
assignee: | Rick McBride (rmcbride) → Ubuntu One Desktop+ team (ubuntuone-desktop+) |
Changed in ubuntuone-client (Ubuntu): | |
assignee: | Rick McBride (rmcbride) → Ubuntu One Desktop+ team (ubuntuone-desktop+) |
Changed in ubuntuone-client (Ubuntu): | |
importance: | High → Wishlist |
To post a comment you must log in.
Here's a profile that works for me -- likely will need to be tuned for new user directory creation, but that should be trivial.
This should ship in the package in /etc/apparmor.d and gain the appropriate maintainer-script stanzas to activate the profile on install. For more details see: /help.ubuntu. com/community/ AppArmor# Creating% 20a%20new% 20profile
https:/