** Description changed:

  SDK applications need the following AppArmor policy to run:
- /dev/binder rw,
+ /dev/binder rw,

  The writes to /dev/binder allow applications to attack binder directly which weakens our application confinement policy.
+
+ Update 2013-08-08:
+ All apps currently need this access because of surface flinger. The following are the binder services that Ubuntu currently uses:
+ - surface flinger
+ - audio flinger
+ - media service
+ - camera
+ - sensors
+
+ location was in this group but is already moved away. vibrate is not
+ implemented but when it is it will only use our API (i.e., not binder). Of
+ the 5 remaining binder services listed above, surface flinger, audio
+ flinger and the media service are being moved to HAL (i.e., don't use
+ binder but use the device directly via the generalized HAL API). Camera
+ should move to HAL in 14.04, and sensors may in 14.04 or later.
+
+ Therefore, when surface flinger is no longer used, we can remove
+ /dev/binder from the ubuntu-sdk apparmor template, and move it into the
+ various policy groups. As we move to HAL in the various services, we'll
+ update those policy groups to remove /dev/binder as well.
** Changed in: apparmor-easyprof-ubuntu (Ubuntu)
       Status: New => Triaged

** Also affects: apparmor-easyprof-ubuntu (Ubuntu Saucy)
   Importance: Undecided
       Status: Triaged

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1197134

Title:
  SDK applications require access to /dev/binder

To manage notifications about this bug go to:
https://bugs.launchpad.net/touch-preview-images/+bug/1197134/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
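An added example, not part of this bug report or of the apparmor-easyprof-ubuntu project: a small Python audit that scans AppArmor profile text for file rules granting write access to /dev/binder, the access the report above says should eventually be removed from the ubuntu-sdk template and confined to specific policy groups. The sample profile, its application name and the helper names are constructed for illustration; the rule grammar handled is only the simple `path perms,` form.

```python
"""Audit AppArmor profile text for rules that give an app write access to /dev/binder."""
import re

# Simple AppArmor file rules:  /dev/binder rw,   owner @{HOME}/x/** rw,   /sys/** r,
# Paths may start with '/' or an AppArmor variable such as @{HOME}.
FILE_RULE = re.compile(
    r'^\s*(?:owner\s+)?(?P<path>[/@]\S+)\s+(?P<perms>[a-zA-Z]+)\s*,\s*$'
)

# Constructed sample standing in for a generated ubuntu-sdk profile (not the real template).
SAMPLE_PROFILE = """\
# Constructed sample, not the real ubuntu-sdk template
profile "com.example.app_app_1.0" {
  #include <abstractions/base>
  /dev/binder rw,   # grants direct binder access to the confined app
  /dev/ashmem rw,
  /sys/devices/** r,
  owner @{HOME}/.cache/** rw,
}
"""


def parse_file_rules(profile_text):
    """Return (line_number, path, perms) for every simple file rule in the text.

    Comments and '#include' directives are skipped; profile headers, braces and
    rule forms this parser does not understand are ignored rather than guessed at.
    """
    rules = []
    for lineno, raw in enumerate(profile_text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()  # drop trailing comments / #include
        if not line:
            continue
        match = FILE_RULE.match(line)
        if match:
            rules.append((lineno, match.group('path'), match.group('perms')))
    return rules


def binder_write_rules(profile_text):
    """Return the file rules that grant 'w' on /dev/binder, the access this bug tracks."""
    return [
        rule for rule in parse_file_rules(profile_text)
        if rule[1] == '/dev/binder' and 'w' in rule[2]
    ]


if __name__ == '__main__':
    for lineno, path, perms in binder_write_rules(SAMPLE_PROFILE):
        print(f"line {lineno}: {path} {perms}, -> app can write to binder directly")
```

Run against a profile generated for an app, the audit lists each line that still carries write access to /dev/binder, which makes it easy to confirm that the rule has actually moved out of the template and into the intended policy group.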