Comment 5 for bug 1296415

Jamie Strandboge (jdstrand) wrote :

I think I was wrong about rild and was hitting another issue.

I seem to have this all working locally by creating profiles for:
  usr.bin.nuntium
  usr.bin.powerd
  usr.bin.system-settings
  usr.lib.indicator-network-service
  usr.lib.urfkilld
  usr.sbin.NetworkManager
  usr.sbin.ofonod

then adjusting these upstart jobs to load the profile prior to launch (I may end up adjusting all the upstart jobs to be sure):
  ofono.conf
  powerd.conf
  urfkill.conf

To demonstrate what this looks like, the ofonod profile has:
# Permissive profile limit dbus access
/usr/sbin/ofonod (attach_disconnected) {
...

  # We can do anything on dbus
  dbus (bind, send),

  # Some methods are ok by anyone (ie, dbus-daemon itself)
  dbus (receive)
       bus=system
       interface="org.freedesktop.DBus.Properties",

  # Limit who can connect on DBus to processes with these apparmor labels (LP: #1296415)
  dbus (receive) peer=(label=/usr/lib/*/indicator-network/indicator-network-service),
  dbus (receive) peer=(label=/usr/sbin/NetworkManager),
  dbus (receive) peer=(label=/usr/bin/nuntium),
  dbus (receive) peer=(label=/usr/bin/powerd),
  dbus (receive) peer=(label=/usr/bin/system-settings),
  dbus (receive) peer=(label=/usr/lib/*/urfkill/urfkilld),
  dbus (receive) peer=(label=/usr/lib/telepathy/telepathy-ofono),
  dbus (receive) peer=(label=ofono_scripts),
...
}

profile ofono_scripts /usr/share/ofono/scripts/* (attach_disconnected) {
  capability,
  mount,
  remount,
  umount,
  network,
  dbus,
  ptrace,
  signal,

  / rwkl,
  /** rwlkmix,
}

All of the peers have permissive profiles ala the 'ofono_scripts' policy above. Each then gets an apparmor label for it, and the ofonod apparmor policy allows connections from only those labels (not even unconfined can connect). Light testing shows that 'list-modems' and 'online-modem' from /usr/share/ofono/scripts work fine and on reboot the phone comes up and connects to 3G and generally seems to work ok. indicator-network and settings all work correctly when switching back and forth between wifi and 3g). Toggling cellular data works.

I did notice that ubuntu-download-manager gets a denial:
Jun 4 10:19:42 ubuntu-phablet dbus[756]: apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.ofono.Manager" member="GetModems" name=":1.77" mask="receive" pid=1350 profile="/usr/sbin/ofonod" peer_pid=4086 peer_profile="unconfined"
Jun 4 10:19:42 ubuntu-phablet dbus[756]: message repeated 16 times: [ apparmor="DENIED" operation="dbus_method_call" bus="system" path="/" interface="org.ofono.Manager" member="GetModems" name=":1.77" mask="receive" pid=1350 profile="/usr/sbin/ofonod" peer_pid=4086 peer_profile="unconfined"]

# ps auxww|grep 4086
root 4086 2.0 0.4 65996 7776 ? Sl 10:19 0:00 /usr/bin/ubuntu-download-manager

Should ubuntu-download-manager be added to the list?