The org.freedesktop.DBus.GetConnectionAppArmorSecurityContext() method is deprecated

From what I can see, GetConnectionCredentials() does not quite return the same information as GetConnectionAppArmorSecurityContext(). With the new API, I get back a value like "profile_name (enforce)".

I can extract the profile name using aa_splitcon(), but this was only added in libapparmor 2.10. Unfortunately vivid only provides version 2.9.1.

We're going to be stuck supporting vivid for a while, so I guess there are two ways to solve this:

1. someone uploads a new libapparmor build for vivid to the stable-phone-overlay PPA.
2. I provide my own version of the label splitting code in my project.

(1) seems like the preferable option, since it would reduce code duplication over all the projects listed in this bug.

So is there any chance of getting a libapparmor backport in the overlay PPA?

Yes, there's a chance but the patch set to add aa_splitcon() cannot be trivially backported to the overlay PPA's apparmor package. It'll take some work and testing. A lot of big libapparmor changes landed in apparmor between 2.9.1 and when aa_splitcon() landed.

I've completed the backport and prepared an upload. I've spent more time on this than I should have and will not be able to see it through the landing process at this time. If someone can take this forward and land it, please go ahead and do so.

The backport includes unit tests that run at build time and those have passed. I haven't done any additional testing. Here's the AppArmor test plan:

  https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

Since this would only be going to the Vivid overlay PPA, there's no need to perform the Desktop specific tests in the test plan.

James, is this something that you could land using the same silo as your mediascanner2 changes?

This bug was fixed in the package mediascanner2 - 0.112+16.10.20160909-0ubuntu1

---------------
mediascanner2 (0.112+16.10.20160909-0ubuntu1) yakkety; urgency=medium

  [ James Henstridge ]
  * When multiple volumes are mounted in quick succession, scan them
    serially to avoid reentrancy problems in the initial scan. (LP:
    #1489656)
  * Add apparmor-easyprof hardware directories to package so AppArmor
    profile can compile when apparmor-easyprof-ubuntu isn't installed.
    (LP: #1443693)
  * Disable optimisation when compiling dbus-codec.cc to avoid gcc 6
    compilation bug. (LP: #1621002)
  * Replace deprecated use of GetConnectionAppArmorSecurityContext
    method with GetConnectionCredentials. (LP: #1489489)

  [ You-Sheng Yang ]
  * Update mediascanner-extractor apparmor profile to cover Android
    library locations on 64-bit systems.

 -- James Henstridge <email address hidden> Fri, 09 Sep 2016 13:46:43 +0000

Tyler: thanks for the package debdiff. It has now been landed in stable-phone-overlay together with the updated mediascanner2 packages.

The attached branch may be of help in fixing other dbus-cpp use cases (media-hub and content-hub?)

This bug was fixed in the package signon-apparmor-extension - 0.1+16.10.20161004-0ubuntu1

---------------
signon-apparmor-extension (0.1+16.10.20161004-0ubuntu1) yakkety; urgency=medium

  * Use GetConnectionCredentials() method instead of the deprecated
    apparmor-specific method. (LP: #1489489)

 -- Alberto Mardegan <email address hidden> Tue, 04 Oct 2016 07:19:54 +0000

This bug was fixed in the package ubuntu-system-settings-online-accounts - 0.7+16.10.20161006.2-0ubuntu1

---------------
ubuntu-system-settings-online-accounts (0.7+16.10.20161006.2-0ubuntu1) yakkety; urgency=medium

  * Use GetConnectionCredentials() method instead of the deprecated
    apparmor-specific method. (LP: #1489489)
  * Re-enable tests for powerpc, disable arm64

 -- Alberto Mardegan <email address hidden> Thu, 06 Oct 2016 09:59:28 +0000