Okay, we've been experimenting with this in the thumbnailer, and will look to roll it out in the next landing. The first branch adds code that calls GetConnectionCredentials() to determine the peer's AppArmor label, while the second one adds aa_query_label based security checks based on the label. We were already canonicalising the path name with boost::filesystem::canonical(), so should be safe for the symlink issue.
I managed to get the format of the query message wrong when integrating the code first time, so I've attached a version of the query_file() method using std::string to build the message, which is a bit easier to understand. ** Attachment added: "query_file2.cpp" https://bugs.launchpad.net/thumbnailer/+bug/1381713/+attachment/4416149/+files/query_file2.cpp ** Changed in: thumbnailer Status: New => In Progress ** Changed in: thumbnailer Assignee: (unassigned) => James Henstridge (jamesh) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1381713 Title: Support policy query interface for file Status in AppArmor Linux application security framework: Triaged Status in Media Hub: New Status in Media Scanner v2: New Status in Thumbnail generator for all kinds of files: In Progress Status in apparmor package in Ubuntu: Fix Released Bug description: This bug tracks the work needed to support querying if a label can access a file. This is particularly useful with trusted helpers where an application requests access to a file and the trusted helper does something with it. For example, on Ubuntu when an app wants to play a music file, it (eventually) goes through the media-hub service. The media-hub service should be able to query if the app's policy has access to the file. To manage notifications about this bug go to: https://bugs.launchpad.net/apparmor/+bug/1381713/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
