Ubuntu
mediascanner2 package

please provide apparmor profile for media scanner service

Bug #1319065 reported by Jamie Strandboge
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
mediascanner2 (Ubuntu)
Fix Released
High
Jamie Strandboge

Bug Description

Summary says it all. The media scanner service is processing untrusted input and should run confined.

Related branches

lp:~jdstrand/mediascanner2/apparmor-profile
Jussi Pakkanen (community): Approve
PS Jenkins bot (community): Approve (continuous-integration)
Diff: 121 lines (+77/-1)
5 files modified
debian/control (+2/-1)
debian/mediascanner2.0.dirs (+1/-0)
debian/mediascanner2.0.install (+1/-0)
debian/rules (+4/-0)
debian/usr.bin.mediascanner-service-2.0 (+69/-0)
lp:ubuntu/utopic-proposed/mediascanner2
Jamie Strandboge (jdstrand)
Changed in mediascanner2 (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → High
status: New → Triaged
Revision history for this message
Jussi Pakkanen (jpakkane) wrote :

Needs read access to:

~/Music
~/Videos
/media/username (or wherever mounted drives go)

Needs write access to:

~/.cache/mediascanner-2.0

Jamie Strandboge (jdstrand)
tags: added: application-confinement
Revision history for this message
Jussi Pakkanen (jpakkane) wrote :

We have worked on the dbus service daemon and it is approaching being ready. This is a new daemon that requires a different set of capabilities, namely:

- read access to ~/.cache/mediascanner-2.0
- must be able to own the dbus service name
- must be able to verify incoming media queries from trust store

Revision history for this message
Jussi Pakkanen (jpakkane) wrote :

The scanner service has an additional requirement. It also needs to be able to set inotify watches on the directories it has read access to.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Here is a debdiff to add an apparmor profile for /usr/bin/mediascanner-service-2.0. The profile has been tested on latest promoted image with mako and lightly tested on utopic desktop and works with no denials.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :
Changed in mediascanner2 (Ubuntu):
status: Triaged → In Progress
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

FYI, I'm happy to upload this directly to the archive if you say it is ok.

Ubuntu Foundations Team Bug Bot (crichton)
tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mediascanner2 - 0.101+14.10.20140625-0ubuntu1

---------------
mediascanner2 (0.101+14.10.20140625-0ubuntu1) utopic; urgency=low

  [ Ubuntu daily release ]
  * debian/*symbols: auto-update new symbols to released version

  [ James Henstridge ]
  * Enable the QML plugin to pick between two MediaStore backends: the
    direct disk backend and the D-Bus interface. The choice is made via
    the MEDIASCANNER_USE_DBUS environment variable, and defaults to
    direct access.

  [ Jamie Strandboge ]
  * * add AppArmor profile (LP: #1319065) - add
    debian/usr.bin.mediascanner-service-2.0 - debian/control: Build-
    Depends on dh-apparmor - debian/rules: update override_dh_installdeb
    to use dh_apparmor - debian/mediascanner2.0.dirs: add etc/apparmor.d
    - debian/mediascanner2.0.install: install profile in to place (LP:
    #1319065)

  [ CI bot ]
  * * add AppArmor profile (LP: #1319065) - add
    debian/usr.bin.mediascanner-service-2.0 - debian/control: Build-
    Depends on dh-apparmor - debian/rules: update override_dh_installdeb
    to use dh_apparmor - debian/mediascanner2.0.dirs: add etc/apparmor.d
    - debian/mediascanner2.0.install: install profile in to place (LP:
    #1319065)
 -- Ubuntu daily release <email address hidden> Wed, 25 Jun 2014 16:28:53 +0000

Changed in mediascanner2 (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.