Commit cc28474b authored by bertagaz's avatar bertagaz

Merge remote-tracking branch 'origin/stable' into devel

parents e6999749 9c347ed4
--- a/etc/apparmor.d/usr.bin.totem 2014-09-16 11:17:44.000000000 +0000
+++ b/etc/apparmor.d/usr.bin.totem 2014-11-28 09:40:26.960000000 +0000
@@ -9,6 +9,9 @@
diff -Naur etc/apparmor.d.orig/abstractions/totem etc/apparmor.d/abstractions/totem
--- a/etc/apparmor.d/abstractions/totem 2014-08-28 15:51:48.000000000 +0000
+++ b/etc/apparmor.d/abstractions/totem 2016-11-05 14:58:38.676759826 +0000
@@ -30,6 +30,10 @@
/usr/lib/@{multiarch}/gstreamer[0-9].[0-9]/gstreamer-[0-9].[0-9]/gst-plugin-scanner Cix -> gst_plugin_scanner,
+ owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
+ owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
owner @{HOME}/.cache/tracker/meta.db k,
owner @{HOME}/.cache/tracker/meta.db-shm k,
+ owner @{HOME}/.config/totem/** rwk,
owner @{HOME}/.local/share/grilo-plugins/*.db k,
+ owner @{HOME}/.local/share/gvfs-metadata/** r,
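Review bot: these rules are added to the shared abstraction, so every profile that includes <abstractions/totem> (the totem-video-thumbnailer profile in usr.bin.totem-previewers includes it too) gains write access to ~/.cache/gstreamer-*/registry.*.bin and to ~/.config/totem/**. The registry cache is reasonable for both, since gst-plugin-scanner is launched from this abstraction, but if only the main totem binary needs to write its configuration, `owner @{HOME}/.config/totem/** rwk,` belongs in usr.bin.totem rather than here; otherwise a short comment stating that the thumbnailer is meant to get it as well would help.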
diff -Naur etc/apparmor.d.orig/usr.bin.totem etc/apparmor.d/usr.bin.totem
--- a/etc/apparmor.d/usr.bin.totem 2015-11-14 13:39:59.000000000 +0000
+++ b/etc/apparmor.d/usr.bin.totem 2016-11-05 14:57:21.817646742 +0000
@@ -9,16 +9,20 @@
#include <abstractions/python>
#include <abstractions/totem>
......@@ -10,3 +25,33 @@
# Maybe in an abstraction?
/usr/include/**/pyconfig.h r,
/usr/bin/totem r,
/dev/sr* r,
- # Allow read and write on anything in @{HOME}. Lenient, but
+ # Allow read and write on almost anything in @{HOME}. Lenient, but
# private-files-strict is in effect.
#include <abstractions/private-files-strict>
- owner @{HOME}/** rw,
+ owner @{HOME}/[a-zA-Z0-9]* rw,
+ owner @{HOME}/[a-zA-Z0-9]*/** rw,
owner /{,var/}run/user/*/dconf/user w,
owner /{,var/}run/user/*/at-spi2-*/ rw,
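Review bot: `owner @{HOME}/[a-zA-Z0-9]* rw,` and `owner @{HOME}/[a-zA-Z0-9]*/** rw,` exclude dotfiles only at the top level of @{HOME}: the `/**` in the second rule matches any path below a visible entry, so a hidden file or directory nested under one (for example ~/Videos/.secret) is still readable and writable, and top-level names beginning with characters outside `[a-zA-Z0-9]` (`-`, `_`, non-ASCII) are now denied. The updated comment ("almost anything") should state both consequences so the next reader does not take the rules as a general hidden-file exclusion.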
diff -Naur etc/apparmor.d.orig/usr.bin.totem-previewers etc/apparmor.d/usr.bin.totem-previewers
--- a/etc/apparmor.d/usr.bin.totem-previewers 2014-10-14 23:22:57.000000000 +0000
+++ b/etc/apparmor.d/usr.bin.totem-previewers 2016-11-05 14:57:21.817646742 +0000
@@ -6,10 +6,11 @@
/usr/bin/totem-video-thumbnailer {
#include <abstractions/totem>
- # Allow read on anything in @{HOME}. Lenient, but private-files-strict is in
+ # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
# effect.
#include <abstractions/private-files-strict>
- owner @{HOME}/** r,
+ owner @{HOME}/[a-zA-Z0-9]* rw,
+ owner @{HOME}/[a-zA-Z0-9]*/** rw,
# Not needed by nautilus, but maybe other applications
owner /**.[pP][nN][gG] w,
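Review bot: the replacement rules grant `rw` where the removed line `owner @{HOME}/** r,` granted only `r`, so the thumbnailer now gets write access to nearly all of @{HOME} while the comment two lines above still says "Allow read on almost anything". Unless the thumbnailer has a demonstrated need to write under the home directory, keep the original permission: `owner @{HOME}/[a-zA-Z0-9]* r,` and `owner @{HOME}/[a-zA-Z0-9]*/** r,`; the `w` rule for `*.[pP][nN][gG]` that follows already handles its separate write case.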
......@@ -39,6 +39,12 @@ Feature: Using Totem
# Due to our AppArmor aliases, /live/overlay will be treated
# as /lib/live/mount/overlay.
And AppArmor has denied "/usr/bin/totem" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/video.mp4"
Given I close Totem
And I copy "/home/amnesia/video.mp4" to "/home/amnesia/.purple/otr.private_key" as user "amnesia"
And I restart monitoring the AppArmor log of "/usr/bin/totem"
When I try to open "/home/amnesia/.purple/otr.private_key" with Totem
Then I see "TotemUnableToOpen.png" after at most 10 seconds
And AppArmor has denied "/usr/bin/totem" from opening "/home/amnesia/.purple/otr.private_key"
@check_tor_leaks @fragile
Scenario: Watching a WebM video over HTTPS
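Review bot: the new steps check only a top-level hidden directory (/home/amnesia/.purple/otr.private_key), which is exactly what the `[a-zA-Z0-9]*` rules deny; they do not cover a hidden file under a visible directory, which the `/**` rule still permits, nor an explicit positive case that a visible file in @{HOME} still opens after the change. Adding a step for each (and, for the nested case, asserting the current behaviour rather than a denial) keeps the scenario meaningful if the globs are reworked later.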
......