Ubuntu
apparmor-easyprof-ubuntu package

[UDM] Add support for the ubuntu-download-manager in the ubuntu-sdk profile

Bug #1277578 reported by Manuel de la Peña
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor-easyprof-ubuntu (Ubuntu)
Fix Released
Undecided
Jamie Strandboge

Bug Description

The ubuntu download manager exposes the following methods and interfaces that will would like to manage with apparmor:

    Service Path: com.canonical.applications.Downloader
    Interface: com.canonical.applications.DownloadManager
    Object path: /

    The following methods should be allowed to click/confined applications:

        createDownload
        createDownloadGroup
        getAllDownlads
        getAllDownloadsWithMetadata
        defaultThrottle
        isGSMDownloadAllowed

    The following methods should NOT be allowed to click/confined applications:

        allowGSMDownload
        createMmsDownload
        exit
        setDefaultThrottle

All the click/confined applications should ONLY be allowed to use the root path (/) and all the methods in the object paths that follow the pattern /{APPID}/{DOWNLOAD_PATH} where the APPID is calculated using nih_dbus_path of the application id and DOWNLOAD_PATH can be any string or subpath.

Jamie Strandboge (jdstrand)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: New → Triaged
assignee: nobody → Jamie Strandboge (jdstrand)
Jamie Strandboge (jdstrand)
Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor-easyprof-ubuntu - 1.1.4

---------------
apparmor-easyprof-ubuntu (1.1.4) trusty; urgency=medium

  * 1.*/ubuntu-sdk: adjust for ubuntu-html5-app-launcher (LP: #1274640)
    - allow reexec for /usr/bin/ubuntu-html5-app-launcher to handle HTML5 apps
      launched via upstart-app-launch
    - allow read access to /usr/share/ubuntu-html5-app-launcher/**
  * 1.*/accounts:
    - allow read on @{HOME}/.local/share/accounts/** to dereference click
      symlinks for online accounts providers (LP: #1278859)
    - add comment about usage of com.nokia.singlesignonui.cookiesForIdentity
  * 1.*/networking: finetune DownloadManager DBus access (LP: #1277578)
    - explicitly allow safe and explicitly disallow unsafe DownloadManager
      APIs
    - restrict apps to their own downloads
  * 1.*/ubuntu-webapp: allow the webapps access to SignonUi API for retrieving
    web cookies for an account (com.nokia.singlesignonui.cookiesForIdentity).
    This is being added to the ubuntu-webapp template instead of the accounts
    policy group because this API should only be available to the webapp
    container and is not needed to use online accounts in general
    (LP: #1278934)
 -- Jamie Strandboge <email address hidden> Wed, 12 Feb 2014 09:20:58 -0600

Changed in apparmor-easyprof-ubuntu (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.