We're in the process of trying to land these changes for thumbnailer, and have been noticing problems with the music-app: we are getting denials from aa_query_label for files under ~/Music. For example:
    $ ./query_file com.ubuntu.music_music_2.1.867 /home/phablet/Music/10-amarillo.mp3
    read '/home/phablet/Music/10-amarillo.mp3' denied

However, the profile seems to be able to read files in that location anyway:

    $ aa-exec -p com.ubuntu.music_music_2.1.867 cat /home/phablet/Music/10-amarillo.mp3 >/dev/null

It seems the aa_query_label checks are working for ~/.local/share/$PACKAGE directories though, so it is working at some level:

    $ ./query_file com.ubuntu.music_music_2.1.867 /home/phablet/.local/share/com.ubuntu.music/foo
    read '/home/phablet/.local/share/com.ubuntu.music/foo' allowed
    $ ./query_file com.ubuntu.music_music_2.1.867 /home/phablet/.local/share/com.ubuntu.gallery/foo
    read '/home/phablet/.local/share/com.ubuntu.gallery/foo' denied

Is there something special about the way ~/Music access is enabled in the policy?

I've been trying this out with devel-proposed (wily) image 233 on a Nexus 4 if that matters.

--
https://bugs.launchpad.net/bugs/1381713

Title:
  Support policy query interface for file

Status in AppArmor Linux application security framework:
  Triaged
Status in Media Hub:
  New
Status in Media Scanner v2:
  New
Status in Thumbnail generator for all kinds of files:
  Fix Committed
Status in apparmor package in Ubuntu:
  Fix Released

Bug description:
  This bug tracks the work needed to support querying if a label can access a file. This is particularly useful with trusted helpers where an application requests access to a file and the trusted helper does something with it. For example, on Ubuntu when an app wants to play a music file, it (eventually) goes through the media-hub service. The media-hub service should be able to query if the app's policy has access to the file.