Merge lp://qastaging/~jdstrand/firefox/firefox-3.5-apparmor into lp://qastaging/firefox/3.5
- firefox-3.5-apparmor
- Merge into firefox-3.5.head
Proposed by
Jamie Strandboge
Status: | Merged |
---|---|
Merge reported by: | Jamie Strandboge |
Merged at revision: | not available |
Proposed branch: | lp://qastaging/~jdstrand/firefox/firefox-3.5-apparmor |
Merge into: | lp://qastaging/firefox/3.5 |
Diff against target: | None lines |
To merge this branch: | bzr merge lp://qastaging/~jdstrand/firefox/firefox-3.5-apparmor |
Related bugs: |
This proposal supersedes a proposal from 2009-08-13.
Commit message
Description of the change
Alexander Sack (asac) wrote : Posted in a previous version of this proposal | # |
review:
Needs Resubmitting
Jamie Strandboge (jdstrand) wrote : Posted in a previous version of this proposal | # |
Files added and changelog updated.
- 460. By Jamie Strandboge
-
fix typo in changelog
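--- a/debian/README.Debian.in
+++ b/debian/README.Debian.in
@@ -0,0 +1,11 @@
+Apparmor Profile
+----------------
+If your system uses AppArmor, please note that the shipped profile is disabled
+by default. The profile can be enabled by performing:
+
+$ sudo aa-enforce /etc/apparmor.d/usr.bin.@APPNAME@
+
+This profile should work without modification for most plugins available in
+Ubuntu, but may require adjusting for your environment. Please see
+https://wiki.ubuntu.com/DebuggingApparmor before filing a bug against this
+software.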
17 | === modified file 'debian/apport/firefox-3.5.py' |
18 | --- debian/apport/firefox-3.5.py 2009-08-08 14:58:53 +0000 |
19 | +++ debian/apport/firefox-3.5.py 2009-09-02 14:55:19 +0000 |
20 | @@ -84,6 +84,37 @@ |
21 | summary += '''\n''' |
22 | return summary |
23 | |
24 | +def recent_kernlog(pattern): |
25 | + '''Extract recent messages from kern.log or message which match a regex. |
26 | + pattern should be a "re" object. ''' |
27 | + lines = '' |
28 | + if os.path.exists('/var/log/kern.log'): |
29 | + file = '/var/log/kern.log' |
30 | + elif os.path.exists('/var/log/messages'): |
31 | + file = '/var/log/messages' |
32 | + else: |
33 | + return lines |
34 | + |
35 | + for line in open(file): |
36 | + if pattern.search(line): |
37 | + lines += line |
38 | + return lines |
39 | + |
40 | +def recent_auditlog(pattern): |
41 | + '''Extract recent messages from kern.log or message which match a regex. |
42 | + pattern should be a "re" object. ''' |
43 | + lines = '' |
44 | + if os.path.exists('/var/log/audit/audit.log'): |
45 | + file = '/var/log/audit/audit.log' |
46 | + else: |
47 | + return lines |
48 | + |
49 | + for line in open(file): |
50 | + if pattern.search(line): |
51 | + lines += line |
52 | + return lines |
53 | + |
54 | + |
55 | def add_info(report): |
56 | '''adds hooked infor into the apport report.''' |
57 | config_dir = os.path.join(os.environ['HOME'], '.mozilla', 'firefox') |
58 | @@ -136,6 +167,30 @@ |
59 | print >> wbuffer, extension_summary |
60 | wbuffer.seek(0) |
61 | report['ExtensionSummary'] = wbuffer.read() |
62 | + |
63 | + # Get apparmor stuff if the profile isn't disabled. copied from |
64 | + # source_apparmor.py until apport runs hooks via attach_related_packages |
65 | + apparmor_disable_dir = "/etc/apparmor.d/disable" |
66 | + add_apparmor = True |
67 | + if os.path.isdir(apparmor_disable_dir): |
68 | + for f in os.listdir(apparmor_disable_dir): |
69 | + if f.startswith("usr.bin.firefox"): |
70 | + add_apparmor = False |
71 | + break |
72 | + if add_apparmor: |
73 | + attach_related_packages(report, ['apparmor', 'libapparmor1', |
74 | + 'libapparmor-perl', 'apparmor-utils', 'auditd', 'libaudit0']) |
75 | + |
76 | + attach_file(report, '/proc/version_signature', 'ProcVersionSignature') |
77 | + attach_file(report, '/proc/cmdline', 'ProcCmdline') |
78 | + |
79 | + sec_re = re.compile('audit\(|apparmor|selinux|security', re.IGNORECASE) |
80 | + report['KernLog'] = recent_kernlog(sec_re) |
81 | + |
82 | + if os.path.exists("/var/log/audit"): |
83 | + # this needs to be run as root |
84 | + report['AuditLog'] = recent_auditlog(sec_re) |
85 | + |
86 | # debug (comment on production) |
87 | # return report |
88 | |
89 | |
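Review bot: `recent_kernlog` and `recent_auditlog` (hunk lines 24–52) never close the file they open, shadow the `file` builtin, and `recent_auditlog` lets an IOError escape when `/var/log/audit/audit.log` exists but is not readable, which the `# this needs to be run as root` comment at hunk line 83 anticipates but nothing guards; whether that aborts the rest of `add_info` depends on how apport treats hook exceptions. `recent_auditlog`'s docstring is a copy of the kern.log one and names the wrong file, and neither function bounds what it returns, so "recent" is a misnomer and every matching line of the whole log ends up in the report. The two bodies differ only in the candidate paths, so a shared helper that opens the file in a try/finally, collects matches, and returns '' on IOError removes the duplication. `add_info` begins and ends outside the second hunk.
```python
def _grep_log(path, pattern):
    '''Return every line of the file at path that matches pattern (a compiled
    "re" object). A missing or unreadable file yields ''.'''
    matches = []
    try:
        log = open(path)
    except IOError:
        return ''
    try:
        for line in log:
            if pattern.search(line):
                matches.append(line)
    finally:
        log.close()
    return ''.join(matches)

def recent_kernlog(pattern):
    '''Extract messages from kern.log (or messages) which match a regex.
    pattern should be a "re" object.'''
    for path in ('/var/log/kern.log', '/var/log/messages'):
        if os.path.exists(path):
            return _grep_log(path, pattern)
    return ''

def recent_auditlog(pattern):
    '''Extract messages from audit.log which match a regex.
    pattern should be a "re" object.'''
    return _grep_log('/var/log/audit/audit.log', pattern)

# … unchanged: add_info …
```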
90 | === modified file 'debian/changelog' |
91 | --- debian/changelog 2009-08-10 15:06:32 +0000 |
92 | +++ debian/changelog 2009-09-02 14:55:19 +0000 |
93 | @@ -1,3 +1,21 @@ |
94 | +firefox-3.5 (3.5.2+nobinonly-0ubuntu3) UNRELEASED; urgency=low |
95 | + |
96 | + [ Jamie Strandboge <jamie@ubuntu.com ] |
97 | + * add AppArmor profile (disabled by default) (LP: #382917) |
98 | + - debian/firefox-3.5.dirs: add etc/apparmor.d/disable |
99 | + - add debian/firefox-3.5.preinst.in: disable the profile on new installs |
100 | + and upgrades to this version |
101 | + - debian/firefox-3.5.postinst.in: reload profile |
102 | + - add debian/firefox-3.5.postrm.in: cleanup force-complain and disable |
103 | + directories |
104 | + - add debian/usr.bin.firefox.apparmor.in |
105 | + - debian/rules: install profile |
106 | + - add debian/README.Debian.in with note about AppArmor |
107 | + - debian/apport/firefox-3.5.py: add AppArmor information if the profile is |
108 | + not disabled |
109 | + |
110 | + -- Jamie Strandboge <jamie@ubuntu.com> Thu, 13 Aug 2009 09:09:36 -0500 |
111 | + |
112 | firefox-3.5 (3.5.2+nobinonly-0ubuntu2) karmic; urgency=low |
113 | |
114 | Firefox 3.5 by default upload |
115 | |
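--- a/debian/firefox-3.5.dirs
+++ b/debian/firefox-3.5.dirs
@@ -1,3 +1,4 @@
+etc/apparmor.d/disable
 usr/lib/firefox-addons/extensions
 usr/lib/firefox-addons/plugins
 usr/lib/firefox-addons/searchplugins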
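--- a/debian/firefox-3.5.postinst.in
+++ b/debian/firefox-3.5.postinst.in
@@ -10,6 +10,12 @@
 update-alternatives --install /usr/bin/x-www-browser \
 x-www-browser /usr/bin/$APPNAME 40
 touch $LIBDIR/.autoreg
+
+# Reload AppArmor profile
+APP_PROFILE="/etc/apparmor.d/usr.bin.$APPNAME"
+if [ -f "$APP_PROFILE" ] && aa-status --enabled 2>/dev/null; then
+apparmor_parser -r "$APP_PROFILE" || true
+fi
 fi
 
 echo "Please restart all running instances of $APPNAME, or you will experience problems."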
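Review bot: The reload guard at hunk line 135 checks only that the profile file exists and AppArmor is enabled, not whether preinst has just placed the profile in `/etc/apparmor.d/disable`; as far as I can tell `apparmor_parser -r` loads whatever file it is given, so on a fresh install the profile that README.Debian describes as disabled by default is enforced until the next boot, when the init script honours the disable symlink. Suggested guard: `if [ -f "$APP_PROFILE" ] && [ ! -e "/etc/apparmor.d/disable/usr.bin.$APPNAME" ] && aa-status --enabled 2>/dev/null; then`. The `if` that the `fi` at hunk line 138 closes begins outside the hunk.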
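--- a/debian/firefox-3.5.postrm.in
+++ b/debian/firefox-3.5.postrm.in
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "purge" ]; then
+APP_PROFILE="usr.bin.@APPNAME@"
+rm -f /etc/apparmor.d/force-complain/$APP_PROFILE >/dev/null 2>&1 || true
+rm -f /etc/apparmor.d/disable/$APP_PROFILE >/dev/null 2>&1 || true
+fi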
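Review bot: The `>/dev/null 2>&1 || true` on both `rm -f` lines (hunk lines 152–153) is redundant, since `rm -f` already succeeds silently on a missing path, and it also hides a genuine failure such as a permission error; a single `rm -f "/etc/apparmor.d/force-complain/$APP_PROFILE" "/etc/apparmor.d/disable/$APP_PROFILE"` under the existing `set -e` is clearer. A short comment above the block explaining that the symlinks are state created by preinst and `aa-complain`/`aa-disable`, not conffiles, would tell the next maintainer why postrm has to clean them up.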
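--- a/debian/firefox-3.5.preinst.in
+++ b/debian/firefox-3.5.preinst.in
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -e
+
+APP_PROFILE="usr.bin.@APPNAME@"
+APP_CONFFILE="/etc/apparmor.d/$APP_PROFILE"
+APP_DISABLE="/etc/apparmor.d/disable/$APP_PROFILE"
+if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
+# Disable AppArmor profile on install or upgrade from earlier than when we
+# first shipped the profile if the user does not already have a profile
+# defined
+if dpkg --compare-versions "$2" lt 3.5.2+nobinonly-0ubuntu3 ; then
+if [ ! -e "$APP_CONFFILE" ]; then
+ln -sf $APP_CONFFILE $APP_DISABLE
+fi
+fi
+fi
+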
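Review bot: The `ln -sf` at hunk line 173 assumes `/etc/apparmor.d/disable/` already exists, but preinst runs before this package's own files, including the `etc/apparmor.d/disable` entry added to `debian/firefox-3.5.dirs`, are unpacked, and nothing in this diff declares a dependency on the apparmor package that might create it; with `set -e` a missing directory makes the whole install fail. Creating it first, `mkdir -p "$(dirname "$APP_DISABLE")"` followed by `ln -sf "$APP_CONFFILE" "$APP_DISABLE"`, closes that gap and also quotes the two variables. On a fresh install `$2` is empty, which `dpkg --compare-versions` treats as earlier than any version, so the version check itself behaves as intended.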
179 | === modified file 'debian/rules' |
180 | --- debian/rules 2009-08-10 15:05:32 +0000 |
181 | +++ debian/rules 2009-09-02 14:55:19 +0000 |
182 | @@ -147,6 +147,10 @@ |
183 | subst_files = \ |
184 | debian/$(DEBIAN_NAME)-gnome-support.postinst \ |
185 | debian/$(DEBIAN_NAME).postinst \ |
186 | + debian/$(DEBIAN_NAME).postrm \ |
187 | + debian/$(DEBIAN_NAME).preinst \ |
188 | + debian/usr.bin.firefox.apparmor \ |
189 | + debian/README.Debian \ |
190 | debian/firefox.sh \ |
191 | $(NULL) |
192 | |
193 | @@ -220,6 +224,7 @@ |
194 | dh_link usr/share/myspell/dicts $(DEBIAN_FF3_DIR)/dictionaries |
195 | rm -f debian/$(DEBIAN_NAME)/$(DEBIAN_FF3_DIR)/chrome/browser-branding* |
196 | dh_install debian/distribution.ini $(DEBIAN_FF3_DIR)/distribution/ |
197 | + cp debian/usr.bin.firefox.apparmor debian/$(DEBIAN_NAME)/etc/apparmor.d/usr.bin.$(DEBIAN_NAME) |
198 | |
199 | binary-install/$(DEBIAN_NAME_OTHER)-branding:: |
200 | dh_install -p$(DEBIAN_NAME_OTHER)-branding \ |
201 | |
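Review bot: The `cp` at hunk line 197 stages the profile with whatever mode the file has in the source tree, so the installed `/etc/apparmor.d/usr.bin.$(DEBIAN_NAME)` could end up executable or group-writable depending on how the branch was checked out; `install -m 644 debian/usr.bin.firefox.apparmor debian/$(DEBIAN_NAME)/etc/apparmor.d/usr.bin.$(DEBIAN_NAME)` pins the expected 0644 like the other conffiles. The recipe this line belongs to starts outside the hunk, and the same applies to the `subst_files` list in the first hunk, whose head is cut off as well.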
202 | === added file 'debian/usr.bin.firefox.apparmor.in' |
203 | --- debian/usr.bin.firefox.apparmor.in 1970-01-01 00:00:00 +0000 |
204 | +++ debian/usr.bin.firefox.apparmor.in 2009-09-02 14:55:19 +0000 |
205 | @@ -0,0 +1,162 @@ |
206 | +# vim:syntax=apparmor |
207 | +# Last Modified: Tue Jun 9 07:32:13 2009 |
208 | +# Author: Jamie Strandboge <jamie@canonical.com> |
209 | + |
210 | +#include <tunables/global> |
211 | + |
212 | +/usr/lib/@APPNAME@.*/firefox { |
213 | + #include <abstractions/audio> |
214 | + #include <abstractions/base> |
215 | + #include <abstractions/cups-client> |
216 | + #include <abstractions/dbus> |
217 | + #include <abstractions/fonts> |
218 | + #include <abstractions/freedesktop.org> |
219 | + #include <abstractions/gnome> |
220 | + #include <abstractions/nameservice> |
221 | + #include <abstractions/user-tmp> |
222 | + #include <abstractions/X> |
223 | + |
224 | + # for networking |
225 | + network inet stream, |
226 | + network inet6 stream, |
227 | + @{PROC}/[0-9]*/net/if_inet6 r, |
228 | + @{PROC}/[0-9]*/net/ipv6_route r, |
229 | + |
230 | + # sounds |
231 | + /etc/sound/ r, |
232 | + /etc/sound/** r, |
233 | + /etc/wildmidi/wildmidi.cfg r, |
234 | + |
235 | + # should maybe be in abstractions |
236 | + /etc/ r, |
237 | + /etc/gnome/defaults.list r, |
238 | + /etc/mime.types r, |
239 | + /etc/mailcap r, |
240 | + /usr/bin/dbus-launch ixr, |
241 | + |
242 | + # firefox specific |
243 | + /etc/firefox-3.*/ r, |
244 | + /etc/firefox-3.*/** r, |
245 | + /etc/xulrunner-1.9*/ r, |
246 | + /etc/xulrunner-1.9*/** r, |
247 | + /etc/gre.d/ r, |
248 | + /etc/gre.d/* r, |
249 | + |
250 | + # noisy |
251 | + deny /usr/lib/firefox-3.*/** w, |
252 | + deny /usr/lib/firefox-addons/** w, |
253 | + deny /usr/lib/xulrunner-addons/** w, |
254 | + |
255 | + # These are needed when a new user starts firefox and firefox.sh is used |
256 | + /usr/lib/firefox-3.*/** ixr, |
257 | + /usr/bin/basename ixr, |
258 | + /sbin/killall5 ixr, |
259 | + /bin/which ixr, |
260 | + @{PROC}/ r, |
261 | + @{PROC}/[0-9]*/cmdline r, |
262 | + @{PROC}/[0-9]*/stat r, |
263 | + @{PROC}/[0-9]*/status r, |
264 | + @{PROC}/filesystems r, |
265 | + capability sys_ptrace, |
266 | + |
267 | + /etc/mtab r, |
268 | + @{PROC}/[0-9]*/mounts r, |
269 | + @{PROC}/[0-9]*/maps r, |
270 | + |
271 | + # allow access to documentation and other files the user may want to look |
272 | + # at in /usr |
273 | + /usr/ r, |
274 | + /usr/** r, |
275 | + |
276 | + # so browsing directories works |
277 | + / r, |
278 | + /**/ r, |
279 | + |
280 | + # allow read and write to all user's files, except explicitly denied ones |
281 | + @{HOME}/ r, |
282 | + @{HOME}/** rw, |
283 | + @{HOME}/Desktop/** rw, |
284 | + @{HOME}/Firefox_wallpaper* rw, |
285 | + |
286 | + #include <abstractions/private-files> |
287 | + audit deny @{HOME}/.ssh/** mrwkl, |
288 | + audit deny @{HOME}/.gnome2_private/** mrwkl, |
289 | + |
290 | + # comment this out if using gpg plugin/addons |
291 | + audit deny @{HOME}/.gnupg/** mrwkl, |
292 | + |
293 | + # per-user firefox configuration |
294 | + @{HOME}/.mozilla/ rw, |
295 | + @{HOME}/.mozilla/** rw, |
296 | + @{HOME}/.mozilla/**/*.sqlite k, |
297 | + @{HOME}/.mozilla/**/.parentlock k, |
298 | + |
299 | + # per-user common plugin configuration |
300 | + @{HOME}/.icedteaplugin/ rw, |
301 | + @{HOME}/.icedteaplugin/** rw, |
302 | + @{HOME}/.adobe/ rw, |
303 | + @{HOME}/.adobe/** rw, |
304 | + @{HOME}/.macromedia/ rw, |
305 | + @{HOME}/.macromedia/** rw, |
306 | + @{HOME}/.java/ rw, |
307 | + @{HOME}/.java/** rwk, |
308 | + |
309 | + # |
310 | + # Plugins/helpers |
311 | + # |
312 | + @{PROC}/[0-9]*/fd/ r, |
313 | + /usr/lib/** rm, |
314 | + /bin/bash ixr, |
315 | + /bin/dash ixr, |
316 | + /bin/grep ixr, |
317 | + /bin/ps Uxr, |
318 | + /bin/uname Uxr, |
319 | + /usr/bin/m4 ixr, |
320 | + /usr/lib/nspluginwrapper/i386/linux/npviewer Uxr, |
321 | + /var/lib/ r, |
322 | + /var/lib/** mr, |
323 | + # noisy |
324 | + deny /usr/share/mozilla/extensions/**/ w, |
325 | + deny /usr/lib/mozilla/extensions/**/ w, |
326 | + deny /usr/lib/firefox-3.*/update.test w, |
327 | + |
328 | + # for maximum plugin/helper compatibility |
329 | + #/usr/bin/* Uxr, |
330 | + #/usr/lib/*/** ixr, |
331 | + |
332 | + # |
333 | + # For stricter access, comment out the 'maximum plugin/helper compatibility' |
334 | + # lines above and uncomment these |
335 | + # |
336 | + |
337 | + # evince has its own profile, so change to it |
338 | + /usr/bin/evince PUxr, |
339 | + |
340 | + # miscellaneous |
341 | + #/usr/bin/eog Uxr, |
342 | + /usr/bin/gedit Uxr, |
343 | + /usr/bin/gimp* Uxr, |
344 | + /usr/bin/file-roller Uxr, |
345 | + /usr/bin/ooffice Uxr, |
346 | + /usr/bin/oocalc Uxr, |
347 | + /usr/bin/oodraw Uxr, |
348 | + /usr/bin/ooimpress Uxr, |
349 | + /usr/bin/oowriter Uxr, |
350 | + |
351 | + # totem |
352 | + /usr/lib/totem/** ixr, |
353 | + /usr/bin/totem-gstreamer Uxr, |
354 | + /usr/bin/totem-xine Uxr, |
355 | + /usr/bin/totem Uxr, |
356 | + |
357 | + # mozplugger |
358 | + /etc/mozpluggerrc r, |
359 | + /usr/bin/mozplugger-helper Uxr, |
360 | + /usr/bin/mplayer Uxr, |
361 | + |
362 | + # java |
363 | + /usr/lib/jvm/java-6-openjdk/jre/bin/java Uxr, |
364 | + /etc/java-*-sun/** r, |
365 | + /usr/lib/jvm/java-*-sun-1.*/jre/bin/java Uxr, |
366 | + |
367 | +} |
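Review bot: Most helpers in the plugin section (hunk lines 317–365: `ps`, `uname`, `npviewer`, `gedit`, `gimp*`, `file-roller`, the `oo*` suite, totem, mplayer and both `java` binaries) use `Uxr`, so each runs fully unconfined and the browser's confinement ends as soon as one is launched; evince at line 338 already uses `PUxr`, and the same mode for the others would pick up any profile shipped later for that helper while still falling back to unconfined today. `capability sys_ptrace` at line 265 applies to everything executed under `ix` in this profile, not only to the `killall5` check the comment at line 255 describes, so a one-line comment stating that it exists for `firefox.sh`'s killall5 call would help whoever later tries to remove it. The openjdk path at line 363 hardcodes `java-6-openjdk` while the Sun rule at line 365 uses a glob, so the profile will silently stop matching on the next OpenJDK major version.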
It seems you forgot to add the profile itself? While at it, consider using the same changelog format as we usually do.