[Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: click (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1549369

Title:
  Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-developer-experience/+bug/1549369/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
** Changed in: canonical-developer-experience
   Importance: Undecided => Medium

** Changed in: canonical-developer-experience
   Status: New => Confirmed

** Changed in: canonical-developer-experience
   Assignee: (unassigned) => Alejandro J. Cura (alecu)
[Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
I'm not familiar with the click codebase, but I wanted to explicitly state that when updating the symlink, be sure that you only update the symlink for the package that is being installed and not all symlinks for other installed packages. Otherwise all the symlinks' mtimes will be updated and all policy will be recompiled when an app is installed.

** Changed in: click-apparmor (Ubuntu)
   Status: Incomplete => Won't Fix

** Changed in: click-apparmor (Ubuntu)
   Assignee: Pat McGowan (pat-mcgowan) => (unassigned)
[Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
Let's go with the click fix.

** Also affects: click (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: canonical-devices-system-image
   Importance: Undecided => Medium

** Changed in: canonical-devices-system-image
   Status: Incomplete => Confirmed

** Changed in: canonical-devices-system-image
   Milestone: None => backlog

** Changed in: canonical-devices-system-image
   Assignee: (unassigned) => Alejandro J. Cura (alecu)
[Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
Actually, in examining this more closely, adjusting click-apparmor in this manner will trigger a full policy recompile on first boot after upgrade. Pat, please let me know if this is acceptable. If not, click could be adjusted as I suggested and this would not trigger a policy recompile.

** Changed in: canonical-devices-system-image
   Status: Confirmed => Incomplete

** Changed in: canonical-devices-system-image
   Assignee: Jamie Strandboge (jdstrand) => (unassigned)

** Changed in: click-apparmor (Ubuntu)
   Status: Confirmed => Incomplete

** Changed in: click-apparmor (Ubuntu)
   Assignee: (unassigned) => Pat McGowan (pat-mcgowan)
[Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
AIUI this is not a bug in click-apparmor but click itself. While the hook is being run, click isn't updating the timestamps on the click hook symlink. Ie:

Install the old click:

  $ cd old
  $ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
  ...
  $ stat /var/lib/apparmor/clicks/*_0.7.json
  ...
  Access: (0777/lrwxrwxrwx)  Uid: (0/root)   Gid: (0/root)
  Access: 2016-03-08 16:31:16.352376489 -0600
  Modify: 2016-03-08 16:31:16.288376439 -0600
  Change: 2016-03-08 16:31:16.288376439 -0600
  ...
  $ cat /var/lib/apparmor/clicks/*_0.7.json
  {
      "template": "ubuntu-webapp",
      "policy_groups": [
          "audio",
          "location",
          "networking",
          "video"
      ],
      "policy_version": 1.0
  }

Install a click with an updated security manifest but same version:

  $ cd ../new
  $ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated
  ...
  $ stat /var/lib/apparmor/clicks/*_0.7.json
  ...
  Access: (0777/lrwxrwxrwx)  Uid: (0/root)   Gid: (0/root)
  Access: 2016-03-08 16:31:16.352376489 -0600
  Modify: 2016-03-08 16:31:16.288376439 -0600
  Change: 2016-03-08 16:31:16.288376439 -0600
  ...
  $ cat /var/lib/apparmor/clicks/*_0.7.json
  {
      "template": "ubuntu-webapp",
      "policy_groups": [
          "audio",
          "location",
          "networking",
          "video",
          "camera"
      ],
      "policy_version": 1.0
  }

Notice that while the contents of the security manifest is updated, the mtime of the symlink was not. click-apparmor currently requires that the mtime be updated. This is due to install_link() in lib/click/hooks.vala:

  if (is_symlink (link) && FileUtils.read_link (link) == target)
      return;

One way to achieve this would be to recreate the symlink on install if the symlink exists. Alternatively, click-apparmor could also consider the ctime of the target file compared to the symlink's mtime. While it seems like a fix in click is the right choice, I believe only click-apparmor cares about these sorts of things, and a change there would be localized to only click-apparmor and therefore less risky.
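The failure mode above, and the two fixes the thread weighs (bumping only the installed package's symlink on the click side, or having click-apparmor also compare the target manifest's ctime), replayed in a temp directory. This is an added illustration, not code from click or click-apparmor; the file names, the forced OLD timestamp and the compiled_at value are constructed for the demo.

```python
import json
import os
import tempfile

OLD = 1_000_000_000.0  # forced onto the symlinks with os.utime so the demo is deterministic


def manifest_changed_since(link, compiled_at, consider_target_ctime):
    """click-apparmor today: symlink mtime only (lstat). Thread's alternative:
    also compare the ctime of the manifest the link points at (stat follows it)."""
    newest = os.lstat(link).st_mtime
    if consider_target_ctime:
        newest = max(newest, os.stat(link).st_ctime)
    return newest > compiled_at


def refresh_link(link, target):
    """click-side fix: recreate only this package's hook symlink so its mtime bumps.
    Temp name plus rename keeps the link present at all times; other links untouched."""
    tmp = link + ".new"
    if os.path.lexists(tmp):
        os.unlink(tmp)
    os.symlink(target, tmp)
    os.replace(tmp, link)


def write_manifest(path, groups):
    with open(path, "w") as f:
        json.dump({"template": "ubuntu-webapp", "policy_groups": groups, "policy_version": 1.0}, f)


def reproduce():
    """Replay the bug; return what each staleness check reports (constructed scenario)."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "apparmor-manifest.json")  # the package's manifest
    link = os.path.join(base, "app_0.7.json")               # hook symlink for this package
    other = os.path.join(base, "other_1.0.json")            # an unrelated package's link
    # First install: manifest written, links created, policy compiled at compiled_at.
    write_manifest(target, ["audio", "location", "networking", "video"])
    os.symlink(target, link)
    os.symlink(target, other)
    for ln in (link, other):
        os.utime(ln, (OLD, OLD), follow_symlinks=False)
    compiled_at = OLD + 60
    # Reinstall, same version: manifest rewritten (ctime = now), but install_link()
    # leaves the existing symlink alone, so its mtime stays at OLD.
    write_manifest(target, ["audio", "location", "networking", "video", "camera"])
    res = {"mtime_only": manifest_changed_since(link, compiled_at, False),
           "with_ctime": manifest_changed_since(link, compiled_at, True)}
    refresh_link(link, target)
    res["mtime_after_refresh"] = manifest_changed_since(link, compiled_at, False)
    res["other_untouched"] = abs(os.lstat(other).st_mtime - OLD) < 1
    return res
```

With the mtime-only check the rewritten manifest goes unnoticed; the ctime-aware check catches it, and refreshing the one symlink makes the mtime-only check pass without touching the other package's link.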
[Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
** Changed in: canonical-devices-system-image
   Status: New => Confirmed

** Changed in: canonical-devices-system-image
   Assignee: (unassigned) => Jamie Strandboge (jdstrand)
[Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: click-apparmor (Ubuntu)
   Status: New => Confirmed