After discussion with Jamie, I think we merely want to restrict ofono usage to a particular set of system processes.
AppArmor is not capable of restricting individual properties, and unfortunately "Online" is a property of the top-level org.ofono.Modem interface which we really can't restrict to just urfkill. Our current plan of record is that we will provide basic unrestrictive AppArmor profiles to the following system/session processes: - NetworkManager - telepathy-ofono ( or related telepathy process/component ) - urfkill - indicator-network - nuntium ( MMS daemon ) - powerd -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to network-manager in Ubuntu. https://bugs.launchpad.net/bugs/1296415 Title: [security] please use apparmor to restrict access to ofono to approved services Status in “indicator-network” package in Ubuntu: New Status in “network-manager” package in Ubuntu: New Status in “nuntium” package in Ubuntu: New Status in “ofono” package in Ubuntu: Confirmed Status in “powerd” package in Ubuntu: New Status in “urfkill” package in Ubuntu: New Bug description: We should try to find ways to restrict certain properties and interfaces to well known callers, for example Modem 'Online' should be settable by urfkill only. We don't want to allow other processes to set these properties. This would also help to identify if some unintended process is trying to set such properties by accident. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/indicator-network/+bug/1296415/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
