[Touch-packages] [Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: click (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to click-apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1549369 Title: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device. Status in Client Developer Experience: Confirmed Status in Canonical System Image: Confirmed Status in click package in Ubuntu: Confirmed Status in click-apparmor package in Ubuntu: Won't Fix Bug description: On Krillin, as of rc-proposed r264, modifying the application apparmor manifest and then deploying the application to the device *without* increasing the app version will not trigger the apparmor profile update. As a consequence, the developer is left confused because the app is still complaining about apparmor denials even after he modified the apparmo manifest and deployed the new .click package. Deploying changes to an application without updating its version number is a quite common practice, especially while in development phase. That is why I believe we should fix this bug as soon as possible, to make life of developers easier. Reference of a similar bug, which was however more Snappy specific: https://bugs.launchpad.net/ubuntu/+source/click-apparmor/+bug/1422744 To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-developer-experience/+bug/1549369/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
** Changed in: canonical-developer-experience Importance: Undecided => Medium ** Changed in: canonical-developer-experience Status: New => Confirmed ** Changed in: canonical-developer-experience Assignee: (unassigned) => Alejandro J. Cura (alecu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to click-apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1549369 Title: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device. Status in Client Developer Experience: Confirmed Status in Canonical System Image: Confirmed Status in click package in Ubuntu: New Status in click-apparmor package in Ubuntu: Won't Fix Bug description: On Krillin, as of rc-proposed r264, modifying the application apparmor manifest and then deploying the application to the device *without* increasing the app version will not trigger the apparmor profile update. As a consequence, the developer is left confused because the app is still complaining about apparmor denials even after he modified the apparmo manifest and deployed the new .click package. Deploying changes to an application without updating its version number is a quite common practice, especially while in development phase. That is why I believe we should fix this bug as soon as possible, to make life of developers easier. Reference of a similar bug, which was however more Snappy specific: https://bugs.launchpad.net/ubuntu/+source/click-apparmor/+bug/1422744 To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-developer-experience/+bug/1549369/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
I'm not familiar with the click codebase, but I wanted to explicitly state that when updating the symlink, be sure that you only update the symlink for the package that is being installed and not all symlinks for other installed packages. Otherwise all the symlinks's mtimes will be updated and all policy will be recompiled when an app is installed. ** Changed in: click-apparmor (Ubuntu) Status: Incomplete => Won't Fix ** Changed in: click-apparmor (Ubuntu) Assignee: Pat McGowan (pat-mcgowan) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to click-apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1549369 Title: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device. Status in Client Developer Experience: New Status in Canonical System Image: Confirmed Status in click package in Ubuntu: New Status in click-apparmor package in Ubuntu: Won't Fix Bug description: On Krillin, as of rc-proposed r264, modifying the application apparmor manifest and then deploying the application to the device *without* increasing the app version will not trigger the apparmor profile update. As a consequence, the developer is left confused because the app is still complaining about apparmor denials even after he modified the apparmo manifest and deployed the new .click package. Deploying changes to an application without updating its version number is a quite common practice, especially while in development phase. That is why I believe we should fix this bug as soon as possible, to make life of developers easier. Reference of a similar bug, which was however more Snappy specific: https://bugs.launchpad.net/ubuntu/+source/click-apparmor/+bug/1422744 To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-developer-experience/+bug/1549369/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
Lets go with the click fix ** Also affects: click (Ubuntu) Importance: Undecided Status: New ** Changed in: canonical-devices-system-image Importance: Undecided => Medium ** Changed in: canonical-devices-system-image Status: Incomplete => Confirmed ** Changed in: canonical-devices-system-image Milestone: None => backlog ** Changed in: canonical-devices-system-image Assignee: (unassigned) => Alejandro J. Cura (alecu) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to click-apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1549369 Title: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device. Status in Client Developer Experience: New Status in Canonical System Image: Confirmed Status in click package in Ubuntu: New Status in click-apparmor package in Ubuntu: Incomplete Bug description: On Krillin, as of rc-proposed r264, modifying the application apparmor manifest and then deploying the application to the device *without* increasing the app version will not trigger the apparmor profile update. As a consequence, the developer is left confused because the app is still complaining about apparmor denials even after he modified the apparmo manifest and deployed the new .click package. Deploying changes to an application without updating its version number is a quite common practice, especially while in development phase. That is why I believe we should fix this bug as soon as possible, to make life of developers easier. Reference of a similar bug, which was however more Snappy specific: https://bugs.launchpad.net/ubuntu/+source/click-apparmor/+bug/1422744 To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-developer-experience/+bug/1549369/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
Actually, in examining this more closely, adjusting click-apparmor in this manner will trigger a full policy recompile on first boot after upgrade. Pat, please let me know if this is acceptable. If not, click could be adjusted as I suggested and this would not trigger a policy recompile. ** Changed in: canonical-devices-system-image Status: Confirmed => Incomplete ** Changed in: canonical-devices-system-image Assignee: Jamie Strandboge (jdstrand) => (unassigned) ** Changed in: click-apparmor (Ubuntu) Status: Confirmed => Incomplete ** Changed in: click-apparmor (Ubuntu) Assignee: (unassigned) => Pat McGowan (pat-mcgowan) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to click-apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1549369 Title: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device. Status in Client Developer Experience: New Status in Canonical System Image: Incomplete Status in click-apparmor package in Ubuntu: Incomplete Bug description: On Krillin, as of rc-proposed r264, modifying the application apparmor manifest and then deploying the application to the device *without* increasing the app version will not trigger the apparmor profile update. As a consequence, the developer is left confused because the app is still complaining about apparmor denials even after he modified the apparmo manifest and deployed the new .click package. Deploying changes to an application without updating its version number is a quite common practice, especially while in development phase. That is why I believe we should fix this bug as soon as possible, to make life of developers easier. Reference of a similar bug, which was however more Snappy specific: https://bugs.launchpad.net/ubuntu/+source/click-apparmor/+bug/1422744 To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-developer-experience/+bug/1549369/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
AIUI this is not a bug in click-apparmor but click itself. While the hook is being run, click isn't updating the timestamps on the click hook symlink. Ie: Install the old click: $ cd old $ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated ... $ stat /var/lib/apparmor/clicks/*_0.7.json ... Access: (0777/lrwxrwxrwx) Uid: (0/root) Gid: (0/root) Access: 2016-03-08 16:31:16.352376489 -0600 Modify: 2016-03-08 16:31:16.288376439 -0600 Change: 2016-03-08 16:31:16.288376439 -0600 ... $ cat /var/lib/apparmor/clicks/*_0.7.json { "template": "ubuntu-webapp", "policy_groups": [ "audio", "location", "networking", "video" ], "policy_version": 1.0 } Install a click with an updated security manifest but same version: $ cd ../new $ sudo click install --force-missing-framework --user=$USER ./*0.7_all.click --allow-unauthenticated ... $ stat /var/lib/apparmor/clicks/*_0.7.json ... Access: (0777/lrwxrwxrwx) Uid: (0/root) Gid: (0/root) Access: 2016-03-08 16:31:16.352376489 -0600 Modify: 2016-03-08 16:31:16.288376439 -0600 Change: 2016-03-08 16:31:16.288376439 -0600 ... $ cat /var/lib/apparmor/clicks/*_0.7.json { "template": "ubuntu-webapp", "policy_groups": [ "audio", "location", "networking", "video", "camera" ], "policy_version": 1.0 } Notice that will the contents of the security manifest is updated, the mtime of the symlink was not. click-apparmor currently requires that the mtime be updated. This is due to install_link() in lib/click/hooks.vala: if (is_symlink (link) && FileUtils.read_link (link) == target) return; One way to achieve this would be to recreate the symlink on install if the symlink exists. Alternatively, click-apparmor could also consider the ctime of the target file compared to the symlink's mtime. While it seems like a fix in click is the right choice, I believe only click- apparmor cares about these sorts of things, and a change there would be localized to only click-apparmor and therefore less risky. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to click-apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1549369 Title: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device. Status in Client Developer Experience: New Status in Canonical System Image: Confirmed Status in click-apparmor package in Ubuntu: Confirmed Bug description: On Krillin, as of rc-proposed r264, modifying the application apparmor manifest and then deploying the application to the device *without* increasing the app version will not trigger the apparmor profile update. As a consequence, the developer is left confused because the app is still complaining about apparmor denials even after he modified the apparmo manifest and deployed the new .click package. Deploying changes to an application without updating its version number is a quite common practice, especially while in development phase. That is why I believe we should fix this bug as soon as possible, to make life of developers easier. Reference of a similar bug, which was however more Snappy specific: https://bugs.launchpad.net/ubuntu/+source/click-apparmor/+bug/1422744 To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-developer-experience/+bug/1549369/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
** Changed in: canonical-devices-system-image Status: New => Confirmed ** Changed in: canonical-devices-system-image Assignee: (unassigned) => Jamie Strandboge (jdstrand) -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to click-apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1549369 Title: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device. Status in Client Developer Experience: New Status in Canonical System Image: Confirmed Status in click-apparmor package in Ubuntu: Confirmed Bug description: On Krillin, as of rc-proposed r264, modifying the application apparmor manifest and then deploying the application to the device *without* increasing the app version will not trigger the apparmor profile update. As a consequence, the developer is left confused because the app is still complaining about apparmor denials even after he modified the apparmo manifest and deployed the new .click package. Deploying changes to an application without updating its version number is a quite common practice, especially while in development phase. That is why I believe we should fix this bug as soon as possible, to make life of developers easier. Reference of a similar bug, which was however more Snappy specific: https://bugs.launchpad.net/ubuntu/+source/click-apparmor/+bug/1422744 To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-developer-experience/+bug/1549369/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1549369] Re: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device.
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: click-apparmor (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to click-apparmor in Ubuntu. https://bugs.launchpad.net/bugs/1549369 Title: Updating the apparmor manifest and deploying the new code without increasing app version does not trigger apparmor profile update on the device. Status in Client Developer Experience: New Status in Canonical System Image: New Status in click-apparmor package in Ubuntu: Confirmed Bug description: On Krillin, as of rc-proposed r264, modifying the application apparmor manifest and then deploying the application to the device *without* increasing the app version will not trigger the apparmor profile update. As a consequence, the developer is left confused because the app is still complaining about apparmor denials even after he modified the apparmo manifest and deployed the new .click package. Deploying changes to an application without updating its version number is a quite common practice, especially while in development phase. That is why I believe we should fix this bug as soon as possible, to make life of developers easier. Reference of a similar bug, which was however more Snappy specific: https://bugs.launchpad.net/ubuntu/+source/click-apparmor/+bug/1422744 To manage notifications about this bug go to: https://bugs.launchpad.net/canonical-developer-experience/+bug/1549369/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp