Bluez Utilities

Merge lp:~ssweeny/bluez/snappy-interface into lp:~bluetooth/bluez/snap-core-rolling

snappy-interface
Merge into snap-core-rolling

Proposed by Scott Sweeny on 2016-04-19

Status:	Merged
Approved by:	Simon Fels on 2016-04-28
Approved revision:	48
Merged at revision:	41
Proposed branch:	lp:~ssweeny/bluez/snappy-interface
Merge into:	lp:~bluetooth/bluez/snap-core-rolling
Prerequisite:	lp:~morphis/bluez/fix-snapcraft-source
Diff against target:	1457 lines (+13/-1384) 6 files modified bluez.apparmor (+0/-222) bluez.seccomp (+0/-457) obex.apparmor (+0/-225) obex.seccomp (+0/-457) parts/plugins/x-autotools.py (+3/-3) snapcraft.yaml (+10/-20)
To merge this branch:	bzr merge lp:~ssweeny/bluez/snappy-interface
Related bugs:	Link a bug report

Reviewer	Date Requested	Status
Simon Fels	2016-04-20	Approve on 2016-04-28
Tony Espy	2016-04-20	Pending
Bluetooth	2016-04-19	Pending
Review via email: mp+292304@code.launchpad.net

Commit message

Use the new bluez interface in ubuntu-core

Description of the change

This branch contains the updated snapcraft config to use the new bluez interface in ubuntu-core.

Tested against a fixes branch[1] that will hopefully soon be merged into ubuntu-core.

[1] https://github.com/ubuntu-core/snappy/pull/1037

lp:~ssweeny/bluez/snappy-interface updated on 2016-04-19

47. By Scott Sweeny on 2016-04-19: Actually remove unused policy files

Revision history for this message

Simon Fels (morphis) wrote on 2016-04-20:

Left one naming related comment inline but otherwise LGTM

review: Needs Fixing

lp:~ssweeny/bluez/snappy-interface updated on 2016-04-20

48. By Scott Sweeny on 2016-04-20: Rename slot/plug to service/client respectively

Revision history for this message

Scott Sweeny (ssweeny) wrote on 2016-04-20:

> Left one naming related comment inline but otherwise LGTM

Well-spotted. Done.

Should this naming scheme be part of our guidelines doc?

Revision history for this message

Simon Fels (morphis) wrote on 2016-04-20:

@Scott: That would be awesome if you can add a chapter for a interface naming convention.

Revision history for this message

Simon Fels (morphis) on 2016-04-28:

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Bluetooth

Scott Sweeny

 === removed file 'bluez.apparmor'
 --- bluez.apparmor	2016-02-01 18:56:49 +0000
 +++ bluez.apparmor	1970-01-01 00:00:00 +0000
@@ -1,222 +0,0 @@
--#
--# AppArmor confinement for bluez's bluetoothd
--#
--
--#include <tunables/global>
--
--# Specified profile variables
--###VAR###
--
--###PROFILEATTACH### (attach_disconnected) {
--  #include <abstractions/base>
--  #include <abstractions/openssl>
--
--  # Explicitly deny ptrace for now since it can be abused to break out of the
--  # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823
--  audit deny ptrace (trace),
--
--  # Explicitly deny mount, remount and umount
--  audit deny mount,
--  audit deny remount,
--  audit deny umount,
--
--  # Read-only for the install directory
--  @{CLICK_DIR}/@{APP_PKGNAME}/                   r,
--  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/    r,
--  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/**  mrklix,
--
--  # Read-only home area for other versions
--  owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/                  r,
--  owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/   r,
--  owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** mrkix,
--
--  # Writable home area for this version.
--  owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/   w,
--  owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
--
--  # Read-only system area for other versions
--  /var/lib/snaps/@{APP_PKGNAME}/   r,
--  /var/lib/snaps/@{APP_PKGNAME}/** mrkix,
--
--  # Writable system area only for this version
--  /var/lib/snaps/@{APP_PKGNAME}/@{APP_VERSION}/   w,
--  /var/lib/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
--
--  # The ubuntu-core-launcher creates an app-specific private restricted /tmp
--  # and will fail to launch the app if something goes wrong. As such, we can
--  # simply allow full access to /tmp.
--  /tmp/   r,
--  /tmp/** mrwlkix,
--
--  # Miscellaneous accesses
--  /etc/mime.types r,
--  @{PROC}/ r,
--  /etc/{,writable/}hostname r,
--  /etc/{,writable/}localtime r,
--  /etc/{,writable/}timezone r,
--  @{PROC}/sys/kernel/hostname r,
--  @{PROC}/sys/kernel/osrelease r,
--  @{PROC}/sys/fs/file-max r,
--  @{PROC}/sys/kernel/pid_max r,
--  # this leaks interface names and stats, but not in a way that is traceable
--  # to the user/device
--  @{PROC}/net/dev r,
--
--  #
--  # Various accesses that may or may not be required for your framework.
--  # Adjust as necessary for your services.
--  #
--
--  # Shell (do not usually need abstractions/bash)
--  #include <abstractions/consoles>
--  /bin/bash ixr,
--  /bin/dash ixr,
--  /etc/bash.bashrc r,
--  /usr/share/terminfo/** r,
--  /etc/inputrc r,
--  deny @{HOME}/.inputrc r,
--  # Common utilities for shell scripts
--  /{,usr/}bin/{,g,m}awk ixr,
--  /{,usr/}bin/basename ixr,
--  /{,usr/}bin/bunzip2 ixr,
--  /{,usr/}bin/bzcat ixr,
--  /{,usr/}bin/bzdiff ixr,
--  /{,usr/}bin/bzgrep ixr,
--  /{,usr/}bin/bzip2 ixr,
--  /{,usr/}bin/cat ixr,
--  /{,usr/}bin/chmod ixr,
--  /{,usr/}bin/cmp ixr,
--  /{,usr/}bin/cp ixr,
--  /{,usr/}bin/cpio ixr,
--  /{,usr/}bin/cut ixr,
--  /{,usr/}bin/date ixr,
--  /{,usr/}bin/dd ixr,
--  /{,usr/}bin/diff{,3} ixr,
--  /{,usr/}bin/dir ixr,
--  /{,usr/}bin/dirname ixr,
--  /{,usr/}bin/echo ixr,
--  /{,usr/}bin/{,e,f,r}grep ixr,
--  /{,usr/}bin/env ixr,
--  /{,usr/}bin/expr ixr,
--  /{,usr/}bin/false ixr,
--  /{,usr/}bin/find ixr,
--  /{,usr/}bin/fmt ixr,
--  /{,usr/}bin/getopt ixr,
--  /{,usr/}bin/head ixr,
--  /{,usr/}bin/hostname ixr,
--  /{,usr/}bin/id ixr,
--  /{,usr/}bin/igawk ixr,
--  /{,usr/}bin/kill ixr,
--  /{,usr/}bin/ldd ixr,
--  /{,usr/}bin/ln ixr,
--  /{,usr/}bin/line ixr,
--  /{,usr/}bin/link ixr,
--  /{,usr/}bin/logger ixr,
--  /{,usr/}bin/ls ixr,
--  /{,usr/}bin/md5sum ixr,
--  /{,usr/}bin/mkdir ixr,
--  /{,usr/}bin/mktemp ixr,
--  /{,usr/}bin/mv ixr,
--  /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial
--  /{,usr/}bin/pgrep ixr,
--  /{,usr/}bin/printenv ixr,
--  /{,usr/}bin/printf ixr,
--  /{,usr/}bin/ps ixr,
--  /{,usr/}bin/pwd ixr,
--  /{,usr/}bin/readlink ixr,
--  /{,usr/}bin/realpath ixr,
--  /{,usr/}bin/rev ixr,
--  /{,usr/}bin/rm ixr,
--  /{,usr/}bin/rmdir ixr,
--  /{,usr/}bin/sed ixr,
--  /{,usr/}bin/seq ixr,
--  /{,usr/}bin/sleep ixr,
--  /{,usr/}bin/sort ixr,
--  /{,usr/}bin/stat ixr,
--  /{,usr/}bin/tac ixr,
--  /{,usr/}bin/tail ixr,
--  /{,usr/}bin/tar ixr,
--  /{,usr/}bin/tee ixr,
--  /{,usr/}bin/test ixr,
--  /{,usr/}bin/tempfile ixr,
--  /{,usr/}bin/touch ixr,
--  /{,usr/}bin/tr ixr,
--  /{,usr/}bin/true ixr,
--  /{,usr/}bin/uname ixr,
--  /{,usr/}bin/uniq ixr,
--  /{,usr/}bin/unlink ixr,
--  /{,usr/}bin/unxz ixr,
--  /{,usr/}bin/unzip ixr,
--  /{,usr/}bin/vdir ixr,
--  /{,usr/}bin/wc ixr,
--  /{,usr/}bin/which ixr,
--  /{,usr/}bin/xargs ixr,
--  /{,usr/}bin/xz ixr,
--  /{,usr/}bin/yes ixr,
--  /{,usr/}bin/zcat ixr,
--  /{,usr/}bin/z{,e,f}grep ixr,
--  /{,usr/}bin/zip ixr,
--  /{,usr/}bin/zipgrep ixr,
--  /{,usr/}bin/uptime ixr,
--  @{PROC}/uptime r,
--  @{PROC}/loadavg r,
--
--  #
--  # Framework service/binary specific rules below here
--  #
--  network bluetooth,
--
--  capability net_admin,
--  capability net_bind_service,
--
--  # File accesses
--  /sys/bus/usb/drivers/btusb/     r,
--  /sys/bus/usb/drivers/btusb/**   r,
--  /sys/class/bluetooth/           r,
--  /sys/devices/**/bluetooth/      rw,
--  /sys/devices/**/bluetooth/**    rw,
--  /sys/devices/**/id/chassis_type r,
--
--  # TODO: use snappy hardware assignment for this once LP: #1498917 is fixed
--  /dev/rfkill rw,
--
--  # DBus accesses
--  #include <abstractions/dbus-strict>
--  dbus (send)
--     bus=system
--     path=/org/freedesktop/DBus
--     interface=org.freedesktop.DBus
--     member={Request,Release}Name
--     peer=(name=org.freedesktop.DBus),
--
--  dbus (send)
--    bus=system
--    path=/org/freedesktop/*
--    interface=org.freedesktop.DBus.Properties
--    peer=(label=unconfined),
--
--  # Allow binding the service to the requested connection name
--  dbus (bind)
--      bus=system
--      name="org.bluez",
--
--  # Allow traffic to/from our path and interface with any method
--  dbus (receive, send)
--      bus=system
--      path=/org/bluez{,/**}
--      interface=org.bluez.*,
--
--  # Allow traffic to/from org.freedesktop.DBus for bluez service
--  dbus (receive, send)
--      bus=system
--      path=/
--      interface=org.freedesktop.DBus.**,
--  dbus (receive, send)
--      bus=system
--      path=/org/bluez{,/**}
--      interface=org.freedesktop.DBus.**,
--
--  # Allow replacing our dbus policy configuration file until
--  # snappy has a better way to do this.
--  /etc/dbus-1/system.d/bluez_* rw,
--}
 === removed file 'bluez.seccomp'
 --- bluez.seccomp	2016-01-26 00:25:18 +0000
 +++ bluez.seccomp	1970-01-01 00:00:00 +0000
@@ -1,457 +0,0 @@
--#
--# Seccomp policy for bluez
--#
--
--# Dangerous syscalls that we don't ever want to allow
--
--# kexec
--# EXPLICITLY DENY kexec_load
--
--# kernel modules
--# EXPLICITLY DENY create_module
--# EXPLICITLY DENY init_module
--# EXPLICITLY DENY finit_module
--# EXPLICITLY DENY delete_module
--
--# these have a history of vulnerabilities, are not widely used, and
--# open_by_handle_at has been used to break out of docker containers by brute
--# forcing the handle value: http://stealth.openwall.net/xSports/shocker.c
--# EXPLICITLY DENY name_to_handle_at
--# EXPLICITLY DENY open_by_handle_at
--
--# Explicitly deny ptrace since it can be abused to break out of the seccomp
--# sandbox
--# EXPLICITLY DENY ptrace
--
--# Explicitly deny capability mknod so apps can't create devices
--# EXPLICITLY DENY mknod
--# EXPLICITLY DENY mknodat
--
--# Explicitly deny (u)mount so apps can't change mounts in their namespace
--# EXPLICITLY DENY mount
--# EXPLICITLY DENY umount
--# EXPLICITLY DENY umount2
--
--# Explicitly deny kernel keyring access
--# EXPLICITLY DENY add_key
--# EXPLICITLY DENY keyctl
--# EXPLICITLY DENY request_key
--
--# end dangerous syscalls
--
--access
--faccessat
--
--alarm
--brk
--
--# ARM private syscalls
--breakpoint
--cacheflush
--set_tls
--usr26
--usr32
--
--capget
--
--chdir
--fchdir
--
--# We can't effectively block file perms due to open() with O_CREAT, so allow
--# chmod until we have syscall arg filtering (LP: #1446748)
--chmod
--fchmod
--fchmodat
--
--# snappy doesn't currently support per-app UID/GIDs so don't allow chown. To
--# properly support chown, we need to have syscall arg filtering (LP: #1446748)
--# and per-app UID/GIDs.
--#chown
--#chown32
--#fchown
--#fchown32
--#fchownat
--#lchown
--#lchown32
--
--clock_getres
--clock_gettime
--clock_nanosleep
--clone
--close
--creat
--dup
--dup2
--dup3
--epoll_create
--epoll_create1
--epoll_ctl
--epoll_ctl_old
--epoll_pwait
--epoll_wait
--epoll_wait_old
--eventfd
--eventfd2
--execve
--execveat
--_exit
--exit
--exit_group
--fallocate
--
--# requires CAP_SYS_ADMIN
--#fanotify_init
--#fanotify_mark
--
--fcntl
--fcntl64
--flock
--fork
--ftime
--futex
--get_mempolicy
--get_robust_list
--get_thread_area
--getcpu
--getcwd
--getdents
--getdents64
--getegid
--getegid32
--geteuid
--geteuid32
--getgid
--getgid32
--getgroups
--getgroups32
--getitimer
--getpgid
--getpgrp
--getpid
--getppid
--getpriority
--getrandom
--getresgid
--getresgid32
--getresuid
--getresuid32
--
--getrlimit
--ugetrlimit
--
--getrusage
--getsid
--gettid
--gettimeofday
--getuid
--getuid32
--
--getxattr
--fgetxattr
--lgetxattr
--
--inotify_add_watch
--inotify_init
--inotify_init1
--inotify_rm_watch
--
--# Needed by shell
--ioctl
--
--io_cancel
--io_destroy
--io_getevents
--io_setup
--io_submit
--ioprio_get
--# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
--# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
--#ioprio_set
--
--ipc
--kill
--link
--linkat
--
--listxattr
--llistxattr
--flistxattr
--
--lseek
--llseek
--_llseek
--lstat
--lstat64
--
--madvise
--fadvise64
--fadvise64_64
--arm_fadvise64_64
--
--mbind
--mincore
--mkdir
--mkdirat
--mlock
--mlockall
--mmap
--mmap2
--mprotect
--
--# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
--#mq_getsetattr
--#mq_notify
--#mq_open
--#mq_timedreceive
--#mq_timedsend
--#mq_unlink
--
--mremap
--msgctl
--msgget
--msgrcv
--msgsnd
--msync
--munlock
--munlockall
--munmap
--
--nanosleep
--
--# LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set
--# RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value
--# and allow this call
--#nice
--
--# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
--open
--
--openat
--pause
--pipe
--pipe2
--poll
--ppoll
--
--# LP: #1446748 - support syscall arg filtering
--prctl
--arch_prctl
--
--read
--pread
--pread64
--preadv
--readv
--
--readahead
--readdir
--readlink
--readlinkat
--remap_file_pages
--
--removexattr
--fremovexattr
--lremovexattr
--
--rename
--renameat
--renameat2
--
--# The man page says this shouldn't be needed, but we've seen denials for it
--# in the wild
--restart_syscall
--
--rmdir
--rt_sigaction
--rt_sigpending
--rt_sigprocmask
--rt_sigqueueinfo
--rt_sigreturn
--rt_sigsuspend
--rt_sigtimedwait
--rt_tgsigqueueinfo
--sched_getaffinity
--sched_getattr
--sched_getparam
--sched_get_priority_max
--sched_get_priority_min
--sched_getscheduler
--sched_rr_get_interval
--# LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the
--# app may only change its own scheduler
--sched_setscheduler
--
--sched_yield
--
--select
--_newselect
--pselect
--pselect6
--
--semctl
--semget
--semop
--semtimedop
--sendfile
--sendfile64
--
--# snappy doesn't currently support per-app UID/GIDs so don't allow this family
--# of syscalls. To properly support these, we need to have syscall arg filtering
--# (LP: #1446748) and per-app UID/GIDs.
--#setgid
--#setgid32
--#setgroups
--#setgroups32
--#setregid
--#setregid32
--#setresgid
--#setresgid32
--#setresuid
--#setresuid32
--#setreuid
--#setreuid32
--#setuid
--#setuid32
--
--# These break isolation but are common and can't be mediated at the seccomp
--# level with arg filtering
--setpgid
--setpgrp
--
--set_thread_area
--setitimer
--
--# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
--# limits
--setrlimit
--prlimit64
--
--set_mempolicy
--set_robust_list
--setsid
--set_tid_address
--
--setxattr
--fsetxattr
--lsetxattr
--
--shmat
--shmctl
--shmdt
--shmget
--signal
--sigaction
--signalfd
--signalfd4
--sigaltstack
--sigpending
--sigprocmask
--sigreturn
--sigsuspend
--sigtimedwait
--sigwaitinfo
--
--# Per man page, on Linux this is limited to only AF_UNIX so it is ok to have
--# in the default template
--socketpair
--
--splice
--
--stat
--stat64
--fstat
--fstat64
--fstatat64
--lstat
--newfstatat
--oldfstat
--oldlstat
--oldstat
--
--statfs
--statfs64
--fstatfs
--fstatfs64
--statvfs
--fstatvfs
--ustat
--
--symlink
--symlinkat
--
--sync
--sync_file_range
--sync_file_range2
--arm_sync_file_range
--fdatasync
--fsync
--syncfs
--sysinfo
--syslog
--tee
--tgkill
--time
--timer_create
--timer_delete
--timer_getoverrun
--timer_gettime
--timer_settime
--timerfd_create
--timerfd_gettime
--timerfd_settime
--times
--tkill
--
--truncate
--truncate64
--ftruncate
--ftruncate64
--
--umask
--
--uname
--olduname
--oldolduname
--
--unlink
--unlinkat
--
--utime
--utimensat
--utimes
--futimesat
--
--vfork
--vmsplice
--wait4
--oldwait4
--waitpid
--waitid
--
--write
--writev
--pwrite
--pwrite64
--pwritev
--
--# Can communicate with DBus system service
--accept
--accept4
--bind
--connect
--getpeername
--getsockname
--getsockopt
--listen
--recv
--recvfrom
--recvmmsg
--recvmsg
--send
--sendmmsg
--sendmsg
--sendto
--setsockopt
--shutdown
--socketpair
--socket
 === removed file 'obex.apparmor'
 --- obex.apparmor	2016-02-01 18:56:32 +0000
 +++ obex.apparmor	1970-01-01 00:00:00 +0000
@@ -1,225 +0,0 @@
--#
--# AppArmor confinement for bluez obexd
--#
--
--#include <tunables/global>
--
--# Specified profile variables
--###VAR###
--
--###PROFILEATTACH### (attach_disconnected) {
--  #include <abstractions/base>
--  #include <abstractions/nameservice>
--  #include <abstractions/openssl>
--
--  # Explicitly deny ptrace for now since it can be abused to break out of the
--  # seccomp sandbox. https://lkml.org/lkml/2015/3/18/823
--  audit deny ptrace (trace),
--
--  # Explicitly deny mount, remount and umount
--  audit deny mount,
--  audit deny remount,
--  audit deny umount,
--
--  # Read-only for the install directory
--  @{CLICK_DIR}/@{APP_PKGNAME}/                   r,
--  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/    r,
--  @{CLICK_DIR}/@{APP_PKGNAME}/@{APP_VERSION}/**  mrklix,
--
--  # Read-only home area for other versions
--  owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/                  r,
--  owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/   r,
--  owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** mrkix,
--
--  # Writable home area for this version.
--  owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/   w,
--  owner @{HOMEDIRS}/*/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
--
--  # Read-only system area for other versions
--  /var/lib/snaps/@{APP_PKGNAME}/   r,
--  /var/lib/snaps/@{APP_PKGNAME}/** mrkix,
--
--  # Writable system area only for this version
--  /var/lib/snaps/@{APP_PKGNAME}/@{APP_VERSION}/   w,
--  /var/lib/snaps/@{APP_PKGNAME}/@{APP_VERSION}/** wl,
--
--  # The ubuntu-core-launcher creates an app-specific private restricted /tmp
--  # and will fail to launch the app if something goes wrong. As such, we can
--  # simply allow full access to /tmp.
--  /tmp/   r,
--  /tmp/** mrwlkix,
--
--  # Miscellaneous accesses
--  /etc/mime.types r,
--  @{PROC}/ r,
--  /etc/{,writable/}hostname r,
--  /etc/{,writable/}localtime r,
--  /etc/{,writable/}timezone r,
--  @{PROC}/sys/kernel/hostname r,
--  @{PROC}/sys/kernel/osrelease r,
--  @{PROC}/sys/fs/file-max r,
--  @{PROC}/sys/kernel/pid_max r,
--  # this leaks interface names and stats, but not in a way that is traceable
--  # to the user/device
--  @{PROC}/net/dev r,
--
--  #
--  # Various accesses that may or may not be required for your framework.
--  # Adjust as necessary for your services.
--  #
--
--  # Shell (do not usually need abstractions/bash)
--  #include <abstractions/consoles>
--  /bin/bash ixr,
--  /bin/dash ixr,
--  /etc/bash.bashrc r,
--  /usr/share/terminfo/** r,
--  /etc/inputrc r,
--  deny @{HOME}/.inputrc r,
--  # Common utilities for shell scripts
--  /{,usr/}bin/{,g,m}awk ixr,
--  /{,usr/}bin/basename ixr,
--  /{,usr/}bin/bunzip2 ixr,
--  /{,usr/}bin/bzcat ixr,
--  /{,usr/}bin/bzdiff ixr,
--  /{,usr/}bin/bzgrep ixr,
--  /{,usr/}bin/bzip2 ixr,
--  /{,usr/}bin/cat ixr,
--  /{,usr/}bin/chmod ixr,
--  /{,usr/}bin/cmp ixr,
--  /{,usr/}bin/cp ixr,
--  /{,usr/}bin/cpio ixr,
--  /{,usr/}bin/cut ixr,
--  /{,usr/}bin/date ixr,
--  /{,usr/}bin/dd ixr,
--  /{,usr/}bin/diff{,3} ixr,
--  /{,usr/}bin/dir ixr,
--  /{,usr/}bin/dirname ixr,
--  /{,usr/}bin/echo ixr,
--  /{,usr/}bin/{,e,f,r}grep ixr,
--  /{,usr/}bin/env ixr,
--  /{,usr/}bin/expr ixr,
--  /{,usr/}bin/false ixr,
--  /{,usr/}bin/find ixr,
--  /{,usr/}bin/fmt ixr,
--  /{,usr/}bin/getopt ixr,
--  /{,usr/}bin/head ixr,
--  /{,usr/}bin/hostname ixr,
--  /{,usr/}bin/id ixr,
--  /{,usr/}bin/igawk ixr,
--  /{,usr/}bin/kill ixr,
--  /{,usr/}bin/ldd ixr,
--  /{,usr/}bin/ln ixr,
--  /{,usr/}bin/line ixr,
--  /{,usr/}bin/link ixr,
--  /{,usr/}bin/logger ixr,
--  /{,usr/}bin/ls ixr,
--  /{,usr/}bin/md5sum ixr,
--  /{,usr/}bin/mkdir ixr,
--  /{,usr/}bin/mktemp ixr,
--  /{,usr/}bin/mv ixr,
--  /{,usr/}bin/openssl ixr, # may cause harmless capability block_suspend denial
--  /{,usr/}bin/pgrep ixr,
--  /{,usr/}bin/printenv ixr,
--  /{,usr/}bin/printf ixr,
--  /{,usr/}bin/ps ixr,
--  /{,usr/}bin/pwd ixr,
--  /{,usr/}bin/readlink ixr,
--  /{,usr/}bin/realpath ixr,
--  /{,usr/}bin/rev ixr,
--  /{,usr/}bin/rm ixr,
--  /{,usr/}bin/rmdir ixr,
--  /{,usr/}bin/sed ixr,
--  /{,usr/}bin/seq ixr,
--  /{,usr/}bin/sleep ixr,
--  /{,usr/}bin/sort ixr,
--  /{,usr/}bin/stat ixr,
--  /{,usr/}bin/tac ixr,
--  /{,usr/}bin/tail ixr,
--  /{,usr/}bin/tar ixr,
--  /{,usr/}bin/tee ixr,
--  /{,usr/}bin/test ixr,
--  /{,usr/}bin/tempfile ixr,
--  /{,usr/}bin/touch ixr,
--  /{,usr/}bin/tr ixr,
--  /{,usr/}bin/true ixr,
--  /{,usr/}bin/uname ixr,
--  /{,usr/}bin/uniq ixr,
--  /{,usr/}bin/unlink ixr,
--  /{,usr/}bin/unxz ixr,
--  /{,usr/}bin/unzip ixr,
--  /{,usr/}bin/vdir ixr,
--  /{,usr/}bin/wc ixr,
--  /{,usr/}bin/which ixr,
--  /{,usr/}bin/xargs ixr,
--  /{,usr/}bin/xz ixr,
--  /{,usr/}bin/yes ixr,
--  /{,usr/}bin/zcat ixr,
--  /{,usr/}bin/z{,e,f}grep ixr,
--  /{,usr/}bin/zip ixr,
--  /{,usr/}bin/zipgrep ixr,
--  /{,usr/}bin/uptime ixr,
--  @{PROC}/uptime r,
--  @{PROC}/loadavg r,
--
--  #
--  # Framework service/binary specific rules below here
--  #
--  network bluetooth,
--
--  capability net_admin,
--  capability net_bind_service,
--
--  # File accesses
--  /sys/bus/usb/drivers/btusb/     r,
--  /sys/bus/usb/drivers/btusb/**   r,
--  /sys/class/bluetooth/           r,
--  /sys/devices/**/bluetooth/      rw,
--  /sys/devices/**/bluetooth/**    rw,
--  /sys/devices/**/id/chassis_type r,
--
--  # TODO: use snappy hardware assignment for this once LP: #1498917 is fixed
--  /dev/rfkill rw,
--
--  # DBus accesses
--  #include <abstractions/dbus-strict>
--  dbus (send)
--     bus=system
--     path=/org/freedesktop/DBus
--     interface=org.freedesktop.DBus
--     member={Request,Release}Name
--     peer=(name=org.freedesktop.DBus),
--
--  dbus (send)
--    bus=system
--    path=/org/freedesktop/*
--    interface=org.freedesktop.DBus.Properties
--    peer=(label=unconfined),
--
--  dbus (send)
--    bus=system
--    path=/org/freedesktop/*
--    interface=org.freedesktop.DBus.ObjectManager
--    peer=(label=unconfined),
--
--  # Allow binding the service to the requested connection name
--  dbus (bind)
--      bus=system
--      name="org.bluez.obex",
--
--  # Allow traffic to/from our path and interface with any method
--  dbus (receive, send)
--      bus=system
--      path=/org/bluez{,/**}
--      interface=org.bluez.*,
--
--  # Allow traffic to/from org.freedesktop.DBus for bluez service
--  dbus (receive, send)
--      bus=system
--      path=/
--      interface=org.freedesktop.DBus.**,
--  dbus (receive, send)
--      bus=system
--      path=/org/bluez{,/**}
--      interface=org.freedesktop.DBus.**,
--}
 === removed file 'obex.seccomp'
 --- obex.seccomp	2016-01-28 01:28:49 +0000
 +++ obex.seccomp	1970-01-01 00:00:00 +0000
@@ -1,457 +0,0 @@
--#
--# Seccomp policy for bluez
--#
--
--# Dangerous syscalls that we don't ever want to allow
--
--# kexec
--# EXPLICITLY DENY kexec_load
--
--# kernel modules
--# EXPLICITLY DENY create_module
--# EXPLICITLY DENY init_module
--# EXPLICITLY DENY finit_module
--# EXPLICITLY DENY delete_module
--
--# these have a history of vulnerabilities, are not widely used, and
--# open_by_handle_at has been used to break out of docker containers by brute
--# forcing the handle value: http://stealth.openwall.net/xSports/shocker.c
--# EXPLICITLY DENY name_to_handle_at
--# EXPLICITLY DENY open_by_handle_at
--
--# Explicitly deny ptrace since it can be abused to break out of the seccomp
--# sandbox
--# EXPLICITLY DENY ptrace
--
--# Explicitly deny capability mknod so apps can't create devices
--# EXPLICITLY DENY mknod
--# EXPLICITLY DENY mknodat
--
--# Explicitly deny (u)mount so apps can't change mounts in their namespace
--# EXPLICITLY DENY mount
--# EXPLICITLY DENY umount
--# EXPLICITLY DENY umount2
--
--# Explicitly deny kernel keyring access
--# EXPLICITLY DENY add_key
--# EXPLICITLY DENY keyctl
--# EXPLICITLY DENY request_key
--
--# end dangerous syscalls
--
--access
--faccessat
--
--alarm
--brk
--
--# ARM private syscalls
--breakpoint
--cacheflush
--set_tls
--usr26
--usr32
--
--capget
--
--chdir
--fchdir
--
--# We can't effectively block file perms due to open() with O_CREAT, so allow
--# chmod until we have syscall arg filtering (LP: #1446748)
--chmod
--fchmod
--fchmodat
--
--# snappy doesn't currently support per-app UID/GIDs so don't allow chown. To
--# properly support chown, we need to have syscall arg filtering (LP: #1446748)
--# and per-app UID/GIDs.
--#chown
--#chown32
--#fchown
--#fchown32
--#fchownat
--#lchown
--#lchown32
--
--clock_getres
--clock_gettime
--clock_nanosleep
--clone
--close
--creat
--dup
--dup2
--dup3
--epoll_create
--epoll_create1
--epoll_ctl
--epoll_ctl_old
--epoll_pwait
--epoll_wait
--epoll_wait_old
--eventfd
--eventfd2
--execve
--execveat
--_exit
--exit
--exit_group
--fallocate
--
--# requires CAP_SYS_ADMIN
--#fanotify_init
--#fanotify_mark
--
--fcntl
--fcntl64
--flock
--fork
--ftime
--futex
--get_mempolicy
--get_robust_list
--get_thread_area
--getcpu
--getcwd
--getdents
--getdents64
--getegid
--getegid32
--geteuid
--geteuid32
--getgid
--getgid32
--getgroups
--getgroups32
--getitimer
--getpgid
--getpgrp
--getpid
--getppid
--getpriority
--getrandom
--getresgid
--getresgid32
--getresuid
--getresuid32
--
--getrlimit
--ugetrlimit
--
--getrusage
--getsid
--gettid
--gettimeofday
--getuid
--getuid32
--
--getxattr
--fgetxattr
--lgetxattr
--
--inotify_add_watch
--inotify_init
--inotify_init1
--inotify_rm_watch
--
--# Needed by shell
--ioctl
--
--io_cancel
--io_destroy
--io_getevents
--io_setup
--io_submit
--ioprio_get
--# affects other processes, requires CAP_SYS_ADMIN. Potentially allow with
--# syscall filtering of (at least) IOPRIO_WHO_USER (LP: #1446748)
--#ioprio_set
--
--ipc
--kill
--link
--linkat
--
--listxattr
--llistxattr
--flistxattr
--
--lseek
--llseek
--_llseek
--lstat
--lstat64
--
--madvise
--fadvise64
--fadvise64_64
--arm_fadvise64_64
--
--mbind
--mincore
--mkdir
--mkdirat
--mlock
--mlockall
--mmap
--mmap2
--mprotect
--
--# LP: #1448184 - these aren't currently mediated by AppArmor. Deny for now
--#mq_getsetattr
--#mq_notify
--#mq_open
--#mq_timedreceive
--#mq_timedsend
--#mq_unlink
--
--mremap
--msgctl
--msgget
--msgrcv
--msgsnd
--msync
--munlock
--munlockall
--munmap
--
--nanosleep
--
--# LP: #1446748 - deny until we have syscall arg filtering. Alternatively, set
--# RLIMIT_NICE hard limit for apps, launch them under an appropriate nice value
--# and allow this call
--#nice
--
--# LP: #1446748 - support syscall arg filtering for mode_t with O_CREAT
--open
--
--openat
--pause
--pipe
--pipe2
--poll
--ppoll
--
--# LP: #1446748 - support syscall arg filtering
--prctl
--arch_prctl
--
--read
--pread
--pread64
--preadv
--readv
--
--readahead
--readdir
--readlink
--readlinkat
--remap_file_pages
--
--removexattr
--fremovexattr
--lremovexattr
--
--rename
--renameat
--renameat2
--
--# The man page says this shouldn't be needed, but we've seen denials for it
--# in the wild
--restart_syscall
--
--rmdir
--rt_sigaction
--rt_sigpending
--rt_sigprocmask
--rt_sigqueueinfo
--rt_sigreturn
--rt_sigsuspend
--rt_sigtimedwait
--rt_tgsigqueueinfo
--sched_getaffinity
--sched_getattr
--sched_getparam
--sched_get_priority_max
--sched_get_priority_min
--sched_getscheduler
--sched_rr_get_interval
--# LP: #1446748 - when support syscall arg filtering, enforce pid_t is 0 so the
--# app may only change its own scheduler
--sched_setscheduler
--
--sched_yield
--
--select
--_newselect
--pselect
--pselect6
--
--semctl
--semget
--semop
--semtimedop
--sendfile
--sendfile64
--
--# snappy doesn't currently support per-app UID/GIDs so don't allow this family
--# of syscalls. To properly support these, we need to have syscall arg filtering
--# (LP: #1446748) and per-app UID/GIDs.
--#setgid
--#setgid32
--#setgroups
--#setgroups32
--#setregid
--#setregid32
--#setresgid
--#setresgid32
--#setresuid
--#setresuid32
--#setreuid
--#setreuid32
--#setuid
--#setuid32
--
--# These break isolation but are common and can't be mediated at the seccomp
--# level with arg filtering
--setpgid
--setpgrp
--
--set_thread_area
--setitimer
--
--# apps don't have CAP_SYS_RESOURCE so these can't be abused to raise the hard
--# limits
--setrlimit
--prlimit64
--
--set_mempolicy
--set_robust_list
--setsid
--set_tid_address
--
--setxattr
--fsetxattr
--lsetxattr
--
--shmat
--shmctl
--shmdt
--shmget
--signal
--sigaction
--signalfd
--signalfd4
--sigaltstack
--sigpending
--sigprocmask
--sigreturn
--sigsuspend
--sigtimedwait
--sigwaitinfo
--
--# Per man page, on Linux this is limited to only AF_UNIX so it is ok to have
--# in the default template
--socketpair
--
--splice
--
--stat
--stat64
--fstat
--fstat64
--fstatat64
--lstat
--newfstatat
--oldfstat
--oldlstat
--oldstat
--
--statfs
--statfs64
--fstatfs
--fstatfs64
--statvfs
--fstatvfs
--ustat
--
--symlink
--symlinkat
--
--sync
--sync_file_range
--sync_file_range2
--arm_sync_file_range
--fdatasync
--fsync
--syncfs
--sysinfo
--syslog
--tee
--tgkill
--time
--timer_create
--timer_delete
--timer_getoverrun
--timer_gettime
--timer_settime
--timerfd_create
--timerfd_gettime
--timerfd_settime
--times
--tkill
--
--truncate
--truncate64
--ftruncate
--ftruncate64
--
--umask
--
--uname
--olduname
--oldolduname
--
--unlink
--unlinkat
--
--utime
--utimensat
--utimes
--futimesat
--
--vfork
--vmsplice
--wait4
--oldwait4
--waitpid
--waitid
--
--write
--writev
--pwrite
--pwrite64
--pwritev
--
--# Can communicate with DBus system service
--accept
--accept4
--bind
--connect
--getpeername
--getsockname
--getsockopt
--listen
--recv
--recvfrom
--recvmmsg
--recvmsg
--send
--sendmmsg
--sendmsg
--sendto
--setsockopt
--shutdown
--socketpair
--socket
 === modified file 'parts/plugins/x-autotools.py'
 --- parts/plugins/x-autotools.py	2016-04-20 17:42:41 +0000
 +++ parts/plugins/x-autotools.py	2016-04-20 17:42:41 +0000
@@ -72,8 +72,8 @@
          return schema
--    def __init__(self, name, options):
--        super().__init__(name, options)
++    def __init__(self, name, options, project):
++        super().__init__(name, options, project)
          self.build_packages.extend([
              'autoconf',
              'automake',
@@ -126,5 +126,5 @@
          self.run(configure_command + self.options.configflags)
          self.run(['make', '-j{}'.format(
--            snapcraft.common.get_parallel_build_count())])
++            self.project.parallel_build_count)])
          self.run(make_install_command)
 === modified file 'snapcraft.yaml'
 --- snapcraft.yaml	2016-04-20 17:42:41 +0000
 +++ snapcraft.yaml	2016-04-20 17:42:41 +0000
@@ -9,32 +9,24 @@
  apps:
    bluetoothctl:
      command: usr/bin/bluetoothctl
--    uses: [bluez-client]
++    plugs: [client]
    obexctl:
      command: usr/bin/obexctl
--    uses: [bluez-client]
++    plugs: [client]
    bluez:
      command: "usr/lib/bluetooth/bluetoothd -E"
      daemon: simple
--    uses: [bluez-service]
++    slots: [service]
    obex:
      command: "usr/lib/bluetooth/obexd"
      daemon: simple
--    uses: [obex-service]
--uses:
--  bluez-client:
--    type: migration-skill
--    caps: [bluez_client]
--  bluez-service:
--    type: migration-skill
--    security-policy:
--      apparmor: bluez.apparmor
--      seccomp: bluez.seccomp
--  obex-service:
--    type: migration-skill
--    security-policy:
--      apparmor: obex.apparmor
--      seccomp: obex.seccomp
++    slots: [service]
++plugs:
++  client:
++      interface: bluez
++slots:
++  service:
++      interface: bluez
  parts:
    bluez:
@@ -74,7 +66,5 @@
    dbus-configuration:
      plugin: copy
      files:
--      conf/bluez-dbus.conf: conf/bluez-dbus.conf
--      meta/framework-policy: meta/framework-policy
        copyright: usr/share/doc/bluez/copyright
        doc/overview.md: usr/share/doc/bluez/overview.md