[Merge] lp:~phablet-team/messaging-app/add-apparmor-profile into lp:messaging-app
Jamie Strandboge
jamie at ubuntu.com
Fri Jan 8 22:17:00 UTC 2016
Review: Needs Fixing
I know why you used 'messaging_app' as the profile name (to work around a bug in media-hub), but I think it would be better to use 'com.ubuntu.messaging-app_ui_0' (chosen based on paths in .local/share, etc) for a few reasons:
* this might avoid bugs in other software
* if the messaging-app becomes a click/snap then the APP_ID will be parsed in the same manner
* if the messaging-app becomes a click/snap then you'll be able to use the same data directories
* if the messaging-app contacts a trusted-helper that uses trust-store, the trust-store will have 'messaging-app' in its db rather than 'messaging_app', reducing the need for coordination or potential prompts
* you should be able to clean up the read_path and write_path to remove these since they will already be included in the profile:
"@{HOME}/.cache/com.ubuntu.messaging-app/MessagingApp/HubIncoming/**",
"@{HOME}/.config/com.ubuntu.messaging-app/",
"@{HOME}/.local/share/com.ubuntu.messaging-app/"
Changing this means changing APP_PKGNAME, APP_ID_DBUS and APP_PKGNAME_DBUS accordingly (note, they are currently not correct for 'messaging_app', which is messaging_5fapp):
* APP_ID_DBUS: com_2eubuntu_2emessaging_2dapp_5fui_5f0
* APP_PKGNAME_DBUS: com_2eubuntu_2emessaging_2dapp
* APP_PKGNAME: com.ubuntu.messaging-app
Other questions:
* why are you using the user-tmp abstraction? I suggest adjusting your code to use an app-specific directory
* why is @{HOME}/.local/share/applications/ needed in read_path? This gives read access to everything under @{HOME}/.local/share/applications/
* does messaging-app actually use dconf for anything? If not, I suggest changing the rules in the sed to deny rules. If so, I think you are going to have to adjust the sed for the 'deny' rules in the default policy for dconf (look for '# LP: #1378115' in the profile for where these are) as well as add some dbus policy.
Finally, please see https://code.launchpad.net/~tiagosh/apparmor-easyprof-ubuntu/messaging-app-confinement/+merge/281769/comments/715449. Rather than adjusting the history policy group and creating the urfkill and telepathy policy groups, add those rules to this profile.
--
https://code.launchpad.net/~phablet-team/messaging-app/add-apparmor-profile/+merge/282029
Your team Ubuntu Phablet Team is subscribed to branch lp:~phablet-team/messaging-app/fix_history_reloading.
More information about the Ubuntu-reviews
mailing list