https://developer.ubuntu.com/en/start/platform/guides/online-accounts-
developer-guide/ and
https://developer.ubuntu.com/en/start/platform/guides/app-confinement/
probably need an update now.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
** Changed in: developer-ubuntu-com
Importance: Undecided = High
** Changed in: developer-ubuntu-com
Status: New = Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
** Also affects: developer-ubuntu-com
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made confinable by apparmor
** Changed in: click-reviewers-tools
Status: Confirmed = In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made confinable by apparmor
To
These latest issues are now being tracked in bug #1468792.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made confinable by apparmor
To manage
** Changed in: click-reviewers-tools
Status: In Progress = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made confinable by apparmor
To
* the account plugin is trying to create /home/phablet/.cache/online-
accounts-ui/ -- this should be created on the account plugin's behalf
Indeed, I'll make sure that this is created before the plugin is
executed.
This is still not fixed:
Jun 24 17:02:55 ubuntu-phablet kernel: [44001.684473]
Also, why is it trying to create /home/phablet/.cache/QML/Apps/online-
accounts-ui/? We agreed it should be using @{HOME}/.cache/online-
accounts-ui/ which is what the apparmor policy allows (ie, QML/Apps is
inserted in the path and this isn't allowed by the profile).
--
You received this bug
Also, if I allow this access in the profile, then the next denial is:
Jun 24 17:12:00 ubuntu-phablet kernel: [44546.645041] type=1400
audit(1435183920.324:495): apparmor=DENIED operation=mknod
profile=com.ubuntu.developer.rmescandon.asana_account-plugin_1.0.0
** Changed in: ubuntu-system-settings-online-accounts
Status: Confirmed = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made confinable
This bug was fixed in the package ubuntu-system-settings-online-accounts
- 0.6+15.04.20150319-0ubuntu1
---
ubuntu-system-settings-online-accounts (0.6+15.04.20150319-0ubuntu1) vivid;
urgency=medium
[ Alberto Mardegan ]
* Merge from upstream
- Add account data as search
On 02/03/2015 11:28 PM, Jamie Strandboge wrote:
I started playing with this and have a few observations:
* the account plugin is trying to access /proc/pid/attr/current - should
this be explicitly denied to silence the denial?
No, I think that this happens because the account plugin code is
Reopening for ubuntu-system-settings-online-accounts, since we have
still some work to do.
** Changed in: ubuntu-system-settings-online-accounts
Status: Fix Released = Confirmed
** Changed in: ubuntu-system-settings-online-accounts (Ubuntu)
Status: Fix Released = Confirmed
--
You
Regarding the /tmp access-- I'm guessing that TMPDIR is not being set by
the process launching the confined plugin. It can be set to one of the
writable directories in the 1.3.4 policy; I suggest /run/user/$USER
/online-accounts-ui/@{APP_PKGNAME}_@{APP_APPNAME}/ since it is in /run
and will be
** Branch linked: lp:~mardy/ubuntu-system-settings-online-
accounts/lp1219644-cont
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made confinable by apparmor
** Branch linked: lp:ubuntu/vivid-proposed/apparmor-easyprof-ubuntu
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made confinable by apparmor
To manage
This bug was fixed in the package apparmor-easyprof-ubuntu - 1.3.4
---
apparmor-easyprof-ubuntu (1.3.4) vivid; urgency=medium
[ Alberto Mardegan ]
* ubuntu/accounts: explictly deny access to the p2p socket. This will now be
available only to unconfined apps to support a
I started playing with this and have a few observations:
* the account plugin is trying to access /proc/pid/attr/current - should this
be explicitly denied to silence the denial?
* the account plugin is trying to create
/home/phablet/.cache/online-accounts-ui/ -- this should be created on the
Using this for the evernote-account-plugin.apparmor:
{
template: ubuntu-account-plugin,
policy_groups: [
accounts,
audio,
networking,
webview
],
policy_version: 1.2
}
with apparmor-easyprof-ubuntu 1.3.4 (pending upload), I can successfully create
Also, something isn't honoring and/or setting TMPDIR, since I'm seeing denials
like this:
Feb 3 21:32:09 ubuntu-phablet kernel: [ 5292.570730] type=1400
audit(1422999129.043:411): apparmor=DENIED operation=mknod
profile=com.ubuntu.reminders_evernote-account-plugin_0.5.latest
Jamie, I've been using this:
http://mardy.it/archivos/com.ubuntu.reminders_0.5.latest_armhf.click
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made
The approach to take is to create an 'ubuntu-account-plugin' template.
Mardy, do you have an example click I could use to test exactly what is
needed?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Changed in: ubuntu-system-settings-online-accounts
Status: In Progress = Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made
** Branch unlinked: lp:~online-accounts/ubuntu-system-settings-online-
accounts/master
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made confinable by
** Branch linked: lp:ubuntu/vivid-proposed/ubuntu-system-settings-
online-accounts
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made confinable by apparmor
This bug was fixed in the package ubuntu-system-settings-online-accounts
- 0.6+15.04.20150116-0ubuntu1
---
ubuntu-system-settings-online-accounts (0.6+15.04.20150116-0ubuntu1) vivid;
urgency=medium
[ Alberto Mardegan ]
* New upstream release
- Make sure app items are not
** Branch linked: lp:~mardy/ubuntu-system-settings-online-accounts
/click-plugins
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made confinable by apparmor
** Branch linked: lp:~online-accounts/ubuntu-system-settings-online-
accounts/master
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1219644
Title:
Account plugins should be made confinable by
Latest version:
owner
/{,var/}run/user/*/online-accounts-ui/ui-*-@{APP_PKGNAME}_@{APP_APPNAME} rw,
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/**
mrwkl,
dbus (send)
I can create an evernote account with these rules:
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/
rw,
owner @{HOME}/.cache/online-accounts-ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/**
mrwkl,
dbus (send)
bus=session
I'll update the bug with comments as I find new apparmor rules being required.
So, this is also required:
owner @{HOME}/.cache/online-accounts-
ui/id-*-@{APP_PKGNAME}_@{APP_APPNAME}/ rw,
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
** Also affects: apparmor-easyprof-ubuntu (Ubuntu)
Importance: Undecided
Status: New
** Changed in: ubuntu-system-settings-online-accounts
Status: Confirmed = In Progress
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to
The attached branch is a WIP with the changes on the Online Accounts
part.
I added the apparmor-easyprof-ubuntu project to the bug because I think
we'll need some changes there:
- There should be a way to specify an apparmor policy file for an
account plugin, in the manifest file. This policy
** Also affects: click-reviewers-tools
Importance: Undecided
Status: New
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
Assignee: (unassigned) = Jamie Strandboge (jdstrand)
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
Importance: Undecided = Medium
** Changed in:
34 matches
Mail list logo