apparmor prevents showing new click containers

Bug #1590453 reported by Kyle Nitzsche
This bug affects 1 person
Affects                    Status                   Importance  Assigned to           Milestone
Libertine Scope            Status tracked in Trunk
  Release                                           Medium      Christopher Townsend
  Trunk                                             Medium      Christopher Townsend
libertine-scope (Ubuntu)                            Medium      Christopher Townsend

Bug Description

The scope apparmor file provides a hard-coded path to where it can read to find installed containers:
    "read_path": [
        "@{HOME}/.local/share/libertine/",
        "@{HOME}/.cache/libertine-container/",
        "@{CLICK_DIR}/com.ubuntu.puritine/",

That last line limits where it can find containers and it therefore only allows containers to be installed by a click with exactly the name com.ubuntu.puritine.

Expectation:
* I could install another click pkg with another container and it would display in the scope.

What happens:
* the new differently named container does not display in the scope (but it is listed by libertine-container-manager list)

Possible fix:
* work with apparmor/security folks to enable something like this:
"@{CLICK_DIR}/*puritine*/", the result being that the scope could find and display any container delivered by any click that has "puritine" in its name.
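Before widening a read_path rule it is worth enumerating exactly which click directories the old and new patterns admit, since that difference is the confinement change being approved. The following Python is an added example, not code from this bug or from the libertine-scope project: it expands the @{CLICK_DIR} variable to a constructed value, translates the rule with AppArmor glob semantics (a single "*" matches any run of characters except "/", "**" also crosses "/", "?" matches one non-"/" character; brace alternation and character classes are not handled here), and lists what each rule matches over a constructed set of installed click directories. The CLICK_DIR value and the directory names are assumptions for illustration.

```python
import re

# Constructed sample values (not from the bug report): the expansion of the
# @{CLICK_DIR} variable and a set of installed click package directories.
CLICK_DIR = "/opt/click.ubuntu.com"

OLD_READ_PATH = "@{CLICK_DIR}/com.ubuntu.puritine/"
NEW_READ_PATH = "@{CLICK_DIR}/*puritine*/"

INSTALLED_CLICKS = [
    "/opt/click.ubuntu.com/com.ubuntu.puritine/",
    "/opt/click.ubuntu.com/com.example.puritine-custom/",
    "/opt/click.ubuntu.com/com.example.calculator/",
    # A "puritine" directory one level deeper: a single "*" must not reach it.
    "/opt/click.ubuntu.com/com.example.nested/puritine/",
]


def expand_variables(rule, variables):
    """Replace @{NAME} occurrences with the supplied values."""
    for name, value in variables.items():
        rule = rule.replace("@{%s}" % name, value)
    return rule


def apparmor_glob_to_regex(rule):
    """Translate an AppArmor path glob into an anchored regular expression.

    Handled: '*' (any run of non-'/' characters), '**' (any run, including '/'),
    '?' (one non-'/' character). Everything else is matched literally; brace
    alternation and [...] classes are deliberately left out of this example.
    """
    parts = []
    i = 0
    while i < len(rule):
        c = rule[i]
        if c == "*":
            if i + 1 < len(rule) and rule[i + 1] == "*":
                parts.append(".*")
                i += 2
                continue
            parts.append("[^/]*")
        elif c == "?":
            parts.append("[^/]")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def readable_dirs(read_path, installed, variables):
    """Return the installed directories a single read_path entry admits."""
    pattern = apparmor_glob_to_regex(expand_variables(read_path, variables))
    return [d for d in installed if pattern.match(d)]


def newly_readable(old_rule, new_rule, installed, variables):
    """Directories admitted by the new rule but not by the old one: the
    actual widening of confinement that a reviewer is being asked to accept."""
    old = set(readable_dirs(old_rule, installed, variables))
    new = set(readable_dirs(new_rule, installed, variables))
    return sorted(new - old)


if __name__ == "__main__":
    env = {"CLICK_DIR": CLICK_DIR}
    for label, rule in (("old", OLD_READ_PATH), ("new", NEW_READ_PATH)):
        print(label, rule, "->", readable_dirs(rule, INSTALLED_CLICKS, env))
    print("newly readable:",
          newly_readable(OLD_READ_PATH, NEW_READ_PATH, INSTALLED_CLICKS, env))
```

Run against the sample set, the old rule admits only com.ubuntu.puritine, the new rule additionally admits com.example.puritine-custom, and the nested "puritine" directory stays outside both because a single "*" does not cross a path separator. Swapping in the real click directory listing from a device gives the concrete exposure set for that device.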


Christopher Townsend (townsend) wrote:

Ok, got security's approval for this change:

(10:13:56 AM) ChrisTownsend: jdstrand: Hi! I have a follow up question to the libertine-scope read_path confinement. Currently, we have "@{CLICK_DIR}/com.ubuntu.puritine/". Would you accept "@{CLICK_DIR}/*puritine*/" instead to allow custom puritine clicks to work that have the name "puritine" in its click package name?

(11:38:40 AM) jdstrand: ChrisTownsend: hey-- custom puritine clicks? can you explain what those are exactly?

(12:21:26 PM) ChrisTownsend: jdstrand: So, there is a commercial project going on to make a custom puritine click with apps that they want in it- (name redacted) is the customer and kyleN is working on it. So, really, I'd to change the read_path to account for any number of these clicks so the Libertine Scope can surface and launch the apps.

(12:27:39 PM) jdstrand: ChrisTownsend: that seems fine, yes

(12:28:17 PM) ChrisTownsend: jdstrand: Ok, thanks.

Changed in libertine-scope (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Libertine CI Bot (libertine-ci-bot) wrote:

Fix committed into lp:libertine-scope at revision 46, scheduled for release in libertine-scope, milestone Unknown

Changed in libertine-scope:
status: In Progress → Fix Committed
Changed in libertine-scope (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Christopher Townsend (townsend)
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package libertine-scope - 1.3+16.10.20160616-0ubuntu1

---------------
libertine-scope (1.3+16.10.20160616-0ubuntu1) yakkety; urgency=medium

  [ Chris Townsend ]
  * Use wildcard matching for allowing reading any puritine click package paths
    that have the name "puritine" anywhere in the Click package name. (LP: #1590453)

  [ Kyle Nitzsche ]
  * Replace the scope settings approach to suppress display of apps with a scope
    filter based approach. This provides a blacklist file for permanent suppression
    and filters for user suppression.
  * Provide a "Hidden X Apps" department for a place to store the apps hidden in
    the main scope view, so they can be unhidden later if desired.
  * Hide 'Help' by default for all containers. (LP: #1591511)
  * Removed Settings. (LP: #1591494)

  [ Larry Price ]
  * Refactor Query class for consistent style and extract some functionality to
    helper classes.
  * Show a message when no apps are available due to filters or no apps installed.
    (LP: #1589699)

 -- Christopher Townsend <email address hidden> Thu, 16 Jun 2016 14:59:30 +0000

Changed in libertine-scope (Ubuntu):
status: In Progress → Fix Released