Merge lp://qastaging/~sdeziel/apparmor-profiles/refresh-pulseaudio into lp://qastaging/apparmor-profiles

Proposed by Simon Déziel
Status: Merged
Approved by: Seth Arnold
Approved revision: 160
Merged at revision: 155
Proposed branch: lp://qastaging/~sdeziel/apparmor-profiles/refresh-pulseaudio
Merge into: lp://qastaging/apparmor-profiles
Diff against target: 113 lines (+36/-24)
1 file modified
ubuntu/16.04/usr.bin.pulseaudio (+36/-24)
To merge this branch: bzr merge lp://qastaging/~sdeziel/apparmor-profiles/refresh-pulseaudio
Reviewer: Seth Arnold
Review status: Approve
Review via email: mp+281910@code.qastaging.launchpad.net
Seth Arnold (seth-arnold) wrote :

On Thu, Jan 07, 2016 at 06:21:23PM -0000, Simon Déziel wrote:
> - /run/pulse/ rw,
> - /run/pulse/.pulse-cookie rwk,
> - /run/pulse/dbus-socket rwk,
> - /run/pulse/native rwk,
> - /run/pulse/pid rwk,
> + owner /run/pulse/ rw,
> + owner /run/pulse/.pulse-cookie rwk,
> + owner /run/pulse/dbus-socket rwk,
> + owner /run/pulse/native rwk,
> + owner /run/pulse/pid rwk,
> + owner /run/user/[0-9]*/pulse/ rw,
> + owner /run/user/[0-9]*/pulse/* rwk,
> /run/udev/data/+sound:card* r,
> + /run/udev/data/c116:[0-9]* r,
>
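Review bot: in `owner /run/user/[0-9]*/pulse/ rw,` and the `/*` rule after it, `[0-9]*` is one digit followed by any run of non-slash characters, not a run of digits, so a directory name that merely starts with a digit also matches. The `owner` prefix limits what that buys, but a comment saying the looseness is accepted would help the next reader. `/run/udev/data/c116:[0-9]* r,` should also get a comment naming the device class that `c116` refers to, and the `/run/pulse/` rules a comment saying in which setup that directory exists and who owns it there.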

How does 'owner /run/pulse/' work? Are these paths bind-mounted from
per-user paths? Or are these paths when pulse is used as root in some
environments?

>
> owner /var/lib/lightdm/.Xauthority r,
> owner /var/lib/lightdm/.esd_auth rwk,
> - owner /var/lib/lightdm/.pulse-cookie rwk,
> - owner /var/lib/lightdm/.pulse/ rw,
> - owner /var/lib/lightdm/.pulse/* w,
> - owner /var/lib/lightdm/.pulse/* r,
> + owner /var/lib/lightdm/.config/pulse/cookie rwk,
> + owner /var/lib/lightdm/.config/pulse/ rw,
> + owner /var/lib/lightdm/.config/pulse/* rw,
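Review bot: `owner /var/lib/lightdm/.config/pulse/cookie rwk,` is already covered for `rw` by `owner /var/lib/lightdm/.config/pulse/* rw,` two lines below it, so the cookie rule only contributes `k`; a short comment that the cookie is the one file needing a lock would make that intent clear, and putting the directory rule first would match the order used for `/run/pulse/`. The four `.pulse` rules are dropped with no transition period, so the profile or the commit message should record which releases no longer use `~lightdm/.pulse`.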

Removing accesses like this may cause problems if the AppArmor profile is
replaced before any executing binaries that use the old pathnames. Are
these old path names unused for long enough that no executing binaries
currently use them?

Thanks

Simon Déziel (sdeziel) wrote :

On 2016-01-07 02:30 PM, Seth Arnold wrote:
> On Thu, Jan 07, 2016 at 06:21:23PM -0000, Simon Déziel wrote:
>> - /run/pulse/ rw,
>> - /run/pulse/.pulse-cookie rwk,
>> - /run/pulse/dbus-socket rwk,
>> - /run/pulse/native rwk,
>> - /run/pulse/pid rwk,
>> + owner /run/pulse/ rw,
>> + owner /run/pulse/.pulse-cookie rwk,
>> + owner /run/pulse/dbus-socket rwk,
>> + owner /run/pulse/native rwk,
>> + owner /run/pulse/pid rwk,
>> + owner /run/user/[0-9]*/pulse/ rw,
>> + owner /run/user/[0-9]*/pulse/* rwk,
>> /run/udev/data/+sound:card* r,
>> + /run/udev/data/c116:[0-9]* r,
>>
>
> How does 'owner /run/pulse/' work? Are these paths bind-mounted from
> per-user paths? Or are these paths when pulse is used as root in some
> environments?

It's in case pulse is used as root, I believe. I know this path doesn't
exist on my Xenial desktop.

>>
>> owner /var/lib/lightdm/.Xauthority r,
>> owner /var/lib/lightdm/.esd_auth rwk,
>> - owner /var/lib/lightdm/.pulse-cookie rwk,
>> - owner /var/lib/lightdm/.pulse/ rw,
>> - owner /var/lib/lightdm/.pulse/* w,
>> - owner /var/lib/lightdm/.pulse/* r,
>> + owner /var/lib/lightdm/.config/pulse/cookie rwk,
>> + owner /var/lib/lightdm/.config/pulse/ rw,
>> + owner /var/lib/lightdm/.config/pulse/* rw,
>
> Removing accesses like this may cause problems if the AppArmor profile is
> replaced before any executing binaries that use the old pathnames. Are
> these old path names unused for long enough that no executing binaries
> currently use them?

On Trusty, ~lightdm/.config/pulse is used so we should be good there.

Regards,
Simon
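
One way to check the concern discussed above before loading a refreshed profile, as an added example that is not part of the merge proposal or the apparmor-profiles project: it compares the removed and added lightdm rules from the quoted hunk and reports which permissions a given path would lose. The glob translation covers only `*`, `**`, `?` and `[...]`, the `owner` qualifier is ignored, and the sample paths are constructed.

```python
import re

# Rules copied from the lightdm hunk quoted in this thread.
OLD = """owner /var/lib/lightdm/.pulse-cookie rwk,
owner /var/lib/lightdm/.pulse/ rw,
owner /var/lib/lightdm/.pulse/* w,
owner /var/lib/lightdm/.pulse/* r,"""
NEW = """owner /var/lib/lightdm/.config/pulse/cookie rwk,
owner /var/lib/lightdm/.config/pulse/ rw,
owner /var/lib/lightdm/.config/pulse/* rw,"""

_TOKENS = re.compile(r"\*\*|\*|\?|\[[^\]]+\]|.")
_FIXED = {"**": ".*", "*": "[^/]*", "?": "[^/]"}

def glob_to_regex(glob):
    """AppArmor glob subset: '*' and '?' never cross '/', '**' does."""
    def translate(match):
        tok = match.group(0)
        if tok in _FIXED:
            return _FIXED[tok]
        # A complete [...] class is copied as-is; anything else is a literal.
        return tok if len(tok) > 1 else re.escape(tok)
    return re.compile(_TOKENS.sub(translate, glob) + r"\Z")

def parse_rules(text):
    """Return (regex, perms) per 'path perms,' rule; 'owner' is ignored."""
    rules = []
    for line in text.splitlines():
        words = line.strip().rstrip(",").split()
        if words[:1] == ["owner"]:
            words = words[1:]
        if len(words) == 2:
            rules.append((glob_to_regex(words[0]), set(words[1])))
    return rules

def allowed(rules, path):
    """Union of the permissions every matching rule grants to path."""
    return set().union(*(perms for rx, perms in rules if rx.match(path)))

def lost_access(path, old=OLD, new=NEW):
    """Permissions the old rules granted on path that the new ones do not."""
    return allowed(parse_rules(old), path) - allowed(parse_rules(new), path)

# Constructed sample paths, not taken from a real system.
for p in ("/var/lib/lightdm/.pulse-cookie", "/var/lib/lightdm/.pulse/client.conf"):
    print(p, "loses", "".join(sorted(lost_access(p))) or "nothing")
```

Feeding it the paths a still-running process holds open (for example from `/proc/<pid>/fd`) shows whether a profile reload would start denying that process.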

Seth Arnold (seth-arnold) wrote :

Thanks, LGTM

review: Approve
Simon Déziel (sdeziel) wrote :

Thanks Seth!
