debug policy group

Bug #1323233 reported by Seth Arnold on 2014-05-26
This bug affects 2 people
Affects: apparmor-easyprof-ubuntu (Ubuntu)
Assigned to: Jamie Strandboge

Bug Description

We should provide a "debug" policy group that could allow developers to use gdbserver and similar debugging tools; the SDK team has a wrapper script that runs gdbserver. We'd like to debug application startup while retaining the "usual confinement" rules.

Of course, the addition of a new policy group will add new privileges, but hopefully it would still be an improvement over running unconfined in order to use debuggers.

We'd like both gdbserver and qmljs available.

description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in click-apparmor (Ubuntu):
status: New → Confirmed

This is a pressing issue, since we currently have to use very ugly hacks to debug on the system.

Note that it will probably be required to debug scopes as well. Also, the store has to reject that policy if it's used in the manifest file.

Jamie Strandboge (jdstrand) wrote :

The attached script takes a json file. Can you provide typical examples of json files?

Changed in click-apparmor (Ubuntu):
status: Confirmed → Incomplete
assignee: nobody → Jamie Strandboge (jdstrand)

The typical json file would look like this:

{
  "qmlDebug": "port:1234,block",
  "env": {
    "key1": "value1",
    "key2": "value2"
  },
  "gdbPort": "1234"
}

It defines which debug modes are needed and
the ports to be used for that. Also it is possible
to set environment variables.
This file is created by the SDK launcher:

affects: click-apparmor (Ubuntu) → apparmor-easyprof-ubuntu (Ubuntu)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Incomplete → In Progress
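
A validator for the JSON file described above, as an added example that is not part of the original thread or the SDK wrapper script. The accepted keys and the `port:N` / `block` options are only those shown in the sample; the 1024-65535 port range and the environment-name rule are assumptions.

```python
import json
import re

# Sample from the thread, with the braces the page extraction dropped restored.
SAMPLE = '''{"qmlDebug": "port:1234,block",
 "env": {"key1": "value1", "key2": "value2"},
 "gdbPort": "1234"}'''
ENV_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # assumed naming rule

def check_port(value):
    """Return the port as an int; 1024-65535 is an assumed policy range."""
    if not (isinstance(value, str) and value.isascii() and value.isdigit()):
        raise ValueError(f"port must be a decimal string: {value!r}")
    port = int(value)
    if not 1024 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port

def parse_debug_config(text):
    """Parse and validate; raises ValueError (JSONDecodeError is a subclass)."""
    cfg = json.loads(text)
    if not isinstance(cfg, dict):
        raise ValueError("top level must be an object")
    unknown = set(cfg) - {"qmlDebug", "gdbPort", "env"}
    if unknown:
        raise ValueError(f"unknown keys: {sorted(unknown)}")
    out = {"qml_port": None, "qml_block": False, "gdb_port": None, "env": {}}
    if "qmlDebug" in cfg:
        if not isinstance(cfg["qmlDebug"], str):
            raise ValueError("qmlDebug must be a string")
        for opt in cfg["qmlDebug"].split(","):  # only options seen in the sample
            if opt == "block":
                out["qml_block"] = True
            elif opt.startswith("port:"):
                out["qml_port"] = check_port(opt[len("port:"):])
            else:
                raise ValueError(f"unsupported qmlDebug option: {opt!r}")
        if out["qml_port"] is None:
            raise ValueError("qmlDebug needs a port")
    if "gdbPort" in cfg:
        out["gdb_port"] = check_port(cfg["gdbPort"])
    env = cfg.get("env", {})
    if not isinstance(env, dict):
        raise ValueError("env must be an object")
    for name, value in env.items():
        if not ENV_NAME.fullmatch(name) or not isinstance(value, str):
            raise ValueError(f"bad env entry: {name!r}")
        out["env"][name] = value
    return out
```
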
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.2.4

apparmor-easyprof-ubuntu (1.2.4) utopic; urgency=medium

  * ubuntu/1.2: refinements to scopes policy
    - use private-files-strict abstraction
    - finetune client endpoint policy
    - explicitly deny access to the zmq directory for the ubuntu-sdk and
      ubuntu-webapp templates
    - explicitly deny direct interaction with URL dispatcher to prevent data
    - move ubuntu-scope-local-content template to 'pending' since there are
      unresolved issues surrounding its interaction with URL dispatcher.
      Adjust autopkgtests accordingly
  * ubuntu/calendar: update for upcoming calendar management landing
  * ubuntu/*/audio,video: add mediascanner2 DBus access (LP: #1303962)
  * ubuntu/1.[12]/music_files_read: remove temporary access to
    @{HOME}/.cache/mediascanner/ now that we have policy for mediascanner2
    DBus access. Note: normally this would require the change in only the
    latest policy, but this policy group has only been used by the music-app
    and it is still unconfined
  * ubuntu/1.1: also ship debug policy group for 1.1 policy and update
    autopkgtests for this (LP: #1323233)
 -- Jamie Strandboge <email address hidden> Fri, 06 Jun 2014 07:37:54 -0500

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Released