consider shipping apparmor profile for webbrowser-app
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Canonical System Image | Fix Released | Critical | Bill Filler | |
webbrowser-app (Ubuntu) | Fix Released | Critical | Olivier Tilloy | |
Bug Description
It would be nice if webbrowser-app itself could ship an apparmor profile. Since we are already confining webapps, we can leverage aa-easyprof to generate the apparmor profile. E.g., debian/rules could have a target:
apparmor:
aa-easyprof --policy-
-t ubuntu-webapp \
grep -v CLICK_DIR | \
sed 's/signal peer=@{
> ./debian/
In this manner, you could run this to update the apparmor profile:
$ debian/rules apparmor
I use '--no-verify' because we need to very lightly tidy up the profile with the 'grep -v' and the 'sed', which is why after it is cleaned I run 'apparmor_parser -QTK' on the profile to verify it. This could probably be done as part of the build too. Once the profile is in place, you can simply do something along the lines of http://
I have lightly tested this on the phone for the following:
* http
* https
* sharing to messaging app
* url-dispatcher via messaging-app to open a link (with the browser open and closed)
* maps.google.com (prompted for access)
* youtube (one denial: apparmor="DENIED" operation=
* html5.groovesha
* grooveshark via music scope
I also even more lightly tested it on the desktop, and it appears to work ok.
Note: there is one denial on startup, but this is expected:
Aug 13 13:21:33 localhost dbus[10795]: apparmor="DENIED" operation=
I may be out of date on my phone (it only has promoted), but this should go away when the webbrowser-app portion of bug #1342129 is fixed.
Note2: the youtube denial will go away when oxide has media-hub integration. If we really want this profile for rtm and oxide doesn't have media-hub integration, I would need to either update aa-easyprof to allow adding dbus rules, or we can add an additional sed to add a rule for this.
Note3: instead of specifying all the command line args to aa-easyprof, we can also supply a json file for it to use.
Note4: it might be simpler to supply an easyprof json manifest file, which does the same as the above command line version. Here is an updated command to create the file, which also adds a rule for controlling the display:
apparmor:
aa-easyprof -m ./debian/
--no-verify | \
egrep -v '(# Click packages|
sed 's/signal peer=@{
sed 's:^}: dbus (receive,send) bus=system path=/com/
> ./debian/
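When testing a generated profile as described above, it helps to separate the denials already known to be expected from new ones. The following is an added example, not part of the original bug report; the log lines are constructed, and the profile name, paths and D-Bus names in it are placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the usual AppArmor audit format; the profile
# name, paths and D-Bus names are placeholders, not values from the report.
SAMPLE_LOG = """\
Aug 13 13:21:33 localhost dbus[10795]: apparmor="DENIED" operation="dbus_method_call"  bus="system" path="/example/Expected" interface="org.example.Iface" member="Get" mask="send" name="org.example.Svc" pid=2001 label="example-browser-profile" peer_pid=900 peer_label="unconfined"
Aug 13 13:22:10 localhost kernel: [  101.5] audit: type=1400 audit(1407936130.123:45): apparmor="DENIED" operation="open" profile="example-browser-profile" name="/home/user/.cache/example/file" pid=2001 comm="browser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 13 13:22:11 localhost kernel: [  102.0] audit: type=1400 audit(1407936131.001:46): apparmor="ALLOWED" operation="open" profile="other-profile" name="/etc/hosts" pid=3000 comm="x" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Matches key="quoted value" or key=bare_value
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denials(text):
    """Return one dict per apparmor="DENIED" line."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # skips ALLOWED (complain mode) and unrelated lines
        f = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(line)}
        op = f.get("operation", "")
        denials.append({
            # D-Bus denials carry the confined label; file denials the profile
            "profile": f.get("profile") or f.get("label", ""),
            "operation": op,
            # For D-Bus the object path is the resource; "name" is the bus name
            "resource": f.get("path") if op.startswith("dbus") else f.get("name"),
            "mask": f.get("denied_mask") or f.get("mask", ""),
        })
    return denials


def triage(text, profile, expected):
    """Split denials for `profile` into expected and unexpected counters."""
    known, unexpected = Counter(), Counter()
    for d in parse_denials(text):
        if d["profile"] != profile:
            continue
        key = (d["operation"], d["resource"])
        (known if key in expected else unexpected)[key] += 1
    return known, unexpected


if __name__ == "__main__":
    expected = {("dbus_method_call", "/example/Expected")}
    known, unexpected = triage(SAMPLE_LOG, "example-browser-profile", expected)
    print("expected:", dict(known))
    print("unexpected:", dict(unexpected))
```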
Related branches
- PS Jenkins bot: Needs Fixing (continuous-integration)
- Jamie Strandboge: Approve
- Ubuntu Phablet Team: Pending requested
Diff: 111 lines (+56/-2), 6 files modified
.bzrignore (+1/-0)
debian/control (+5/-1)
debian/rules (+12/-1)
debian/webbrowser-app-apparmor.manifest (+36/-0)
debian/webbrowser-app.dirs (+1/-0)
debian/webbrowser-app.install (+1/-0)
description: updated
description: updated
description: updated
Changed in webbrowser-app (Ubuntu):
importance: Undecided → Wishlist
Changed in webbrowser-app (Ubuntu):
assignee: nobody → Olivier Tilloy (osomon)
status: New → Confirmed
Changed in webbrowser-app (Ubuntu):
importance: Wishlist → Critical
Changed in webbrowser-app:
status: Triaged → Invalid
assignee: Olivier Tilloy (osomon) → nobody
no longer affects: webbrowser-app
Changed in webbrowser-app (Ubuntu RTM):
status: New → Confirmed
importance: Undecided → Critical
assignee: nobody → Olivier Tilloy (osomon)
Changed in canonical-devices-system-image:
assignee: nobody → Bill Filler (bfiller)
importance: Undecided → Critical
milestone: none → ww46-2015
status: New → Confirmed
Changed in webbrowser-app (Ubuntu):
status: Confirmed → In Progress
no longer affects: webbrowser-app (Ubuntu RTM)
Changed in canonical-devices-system-image:
milestone: ww46-2015 → ww40-2015
Changed in canonical-devices-system-image:
status: Confirmed → Fix Committed
Changed in canonical-devices-system-image:
status: Fix Committed → Fix Released
Thanks for looking into this Jamie!
I’d really like to have webbrowser-app run confined for RTM, if possible (not a hard requirement, but a very nice to have). Unity/Screen denial indeed, as otherwise video playback won’t be allowed to prevent screen blanking.
If we go for this profile, we’ll need to fix the /com/canonical/
I’m not sure I understand why this profile needs to be generated at build time, can you enlighten me? Wouldn’t it be fine to ship a static profile? (pardon my apparmor ignorance if this is a dumb question)