AppArmor

Merge lp://staging/~sdeziel/apparmor/wireshark-refresh into lp://staging/apparmor/2.12

  1. wireshark-refresh
  2. Merge into master
Proposed by Simon Déziel
Status: Merged
Merged at revision: 3728
Proposed branch: lp://staging/~sdeziel/apparmor/wireshark-refresh
Merge into: lp://staging/apparmor/2.12
Diff against target: 76 lines (+43/-6)
1 file modified
profiles/apparmor/profiles/extras/usr.bin.wireshark (+43/-6)
To merge this branch: bzr merge lp://staging/~sdeziel/apparmor/wireshark-refresh
Reviewer Review Type Date Requested Status
Steve Beattie Approve
Review via email: mp+291820@code.staging.launchpad.net

Description of the change

This refreshed profile was tested with Wireshark 2.0.2 (from Xenial). I only tested reading from pcaps. No capture testing was done because I feel this is best done with tcpdump that is well protected by Apparmor anyways.

To post a comment you must log in.
Revision history for this message
Seth Arnold (seth-arnold) wrote :

It feels like the accessibility dbus rules may be better suited in an #include. What else will require these?

Otherwise looks good to me.

Thanks

Revision history for this message
Simon Déziel (sdeziel) wrote :

On 2016-04-13 05:50 PM, Seth Arnold wrote:
> It feels like the accessibility dbus rules may be better suited in an #include.

Or maybe abstractions/dbus-accessibility-strict is just too strict?

> What else will require these?

I copied it from Firefox. Locally I have the following profiles using
the "a11y" rules:

 usr.bin.firefox
 usr.bin.keepassx
 usr.bin.pidgin
 usr.bin.remmina
 usr.bin.vlc
 usr.bin.wireshark

Revision history for this message
Tyler Hicks (tyhicks) wrote :

On 2016-04-14 14:03:27, Simon Déziel wrote:
> On 2016-04-13 05:50 PM, Seth Arnold wrote:
> > It feels like the accessibility dbus rules may be better suited in an #include.
>
> Or maybe abstractions/dbus-accessibility-strict is just too strict?

dbus-accessibility-strict is for talking to dbus-daemon itself on the
accessibility bus.

dbus-accessibility is for doing any action on the accessibility bus.

Note that the rules you have are for talking to a service on the session
bus. I'm thinking that there should be an "accessibility-services" (or
maybe just "accessibility") abstraction which has the a11y rules and
also includes dbus-accessibility-strict?

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

@Tyler, this makes sense to me. The accessibility rules are not well defined at all and could use a lot of love.

Revision history for this message
intrigeri (intrigeri) wrote :

Seth, Jamie, Tyler: thanks for the reviews and the forward looking thinking. It's not clear to me what's a blocker or not. Are you blocking on a big refactoring of the accessibility rules before this MR gets merged? I'm not sure it would be fair to expect Simon to do this work right now :) How about we track the refactoring proposal on a new bug and not block on it here?

Revision history for this message
Steve Beattie (sbeattie) wrote :

intrigeri: I agree, we should probably not block this merge request on an accessibility abstraction cleanup. I have filed https://bugs.launchpad.net/apparmor/+bug/1727887 to capture that request.

Otherwise, LGTM. I'll merge it in.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
The diff is not available at this time. You can reload the page or download it.

Subscribers

People subscribed via source and target branches