[apparmor] Fwd: Re: owner usage for @{HOME} rules

Jamie Strandboge jamie at canonical.com
Tue Dec 18 22:39:22 UTC 2012


Sigh, forgot to reply all...

-------- Original Message --------
Subject: Re: [apparmor] owner usage for @{HOME} rules
Date: Tue, 18 Dec 2012 16:38:41 -0600
From: Jamie Strandboge <jamie at canonical.com>
To: Simon Deziel <simon.deziel at gmail.com>

On 12/18/2012 04:26 PM, Simon Deziel wrote:
> Hi all,
> 
> I am wondering why some of the profile abstractions are not using the
> owner prefix with the variable @{HOME} while many others do (and some
> mix both)?
> 
> Some stats from my Ubuntu 12.04 box:
> 
> $ grep -crE '^[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
> /etc/apparmor.d/abstractions/kde:7
> /etc/apparmor.d/abstractions/X:2
> /etc/apparmor.d/abstractions/audio:3
> /etc/apparmor.d/abstractions/libvirt-qemu:1
> /etc/apparmor.d/abstractions/gnupg:6
> /etc/apparmor.d/abstractions/fonts:8
> /etc/apparmor.d/abstractions/gnome:12
> /etc/apparmor.d/abstractions/bash:4
> /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
> /etc/apparmor.d/abstractions/web-data:2
> 
> $ grep -crE '^[[:space:]]*owner[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
> /etc/apparmor.d/abstractions/X:1
> /etc/apparmor.d/abstractions/audio:4
> /etc/apparmor.d/abstractions/user-tmp:2
> /etc/apparmor.d/abstractions/user-write:9
> /etc/apparmor.d/abstractions/user-download:6
> /etc/apparmor.d/abstractions/user-mail:9
> /etc/apparmor.d/abstractions/enchant:2
> /etc/apparmor.d/abstractions/ibus:3
> /etc/apparmor.d/abstractions/ubuntu-media-players:2
> /etc/apparmor.d/abstractions/xdg-desktop:4
> /etc/apparmor.d/abstractions/user-manpages:3
> /etc/apparmor.d/abstractions/freedesktop.org:12
> /etc/apparmor.d/abstractions/base:1
> /etc/apparmor.d/abstractions/aspell:1
> /etc/apparmor.d/abstractions/cups-client:2
> /etc/apparmor.d/abstractions/ubuntu-browsers.d/java:6
> /etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia:2
> /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
> /etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity:1
> 

My guess is that most of the ones without explicit owner match predate
'owner' in apparmor. It would be worthwhile to update the ones where it
makes sense to do so. E.g., this one would for sure not be one we would
want to add owner to:
/etc/apparmor.d/abstractions/web-data:  @{HOME}/public_html/ r,
/etc/apparmor.d/abstractions/web-data:  @{HOME}/public_html/** r,

Also, abstractions/ubuntu-browsers.d/user-files was intentional as well:
  # Allow read to all files user has DAC access to and write access to all
  # files owned by the user in $HOME.
  @{HOME}/ r,
  @{HOME}/** r,
  owner @{HOME}/** w,
  owner @{HOME}/Desktop/** r,

A quick glance at the others indicates they could probably be changed
without issue.

-- 
Jamie Strandboge                 http://www.ubuntu.com/
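Simon's grep counts tell you how many @{HOME} rules carry the owner prefix, but not which of the unprefixed ones actually grant write access, which is where the distinction matters (a read rule such as the web-data public_html one is fine without owner; a write rule without it lets the confined program modify files in $HOME that belong to other users). The following script is an added example written for this thread, not code from AppArmor or from either poster: it parses rule lines in the simplified form used above (optional `owner`, an @{HOME} path, a permission string, trailing comma) and reports unprefixed rules that grant w, a or l. The abstraction fragment it runs on is constructed to mirror the lines quoted above plus one deliberately unprefixed write rule; the regex covers only plain file rules, not full AppArmor syntax.

```python
"""Audit AppArmor abstraction rules that touch @{HOME} and list those that
grant write access without the 'owner' prefix.  Added example; the parser is
a simplification of AppArmor file-rule syntax, not the apparmor_parser grammar."""
import re
from typing import Dict, List, Optional, Tuple

# One file rule: optional 'owner' prefix, a path starting with @{HOME},
# a permission string (r, w, a, l, k, m and the exec variants), then a comma.
# Simplified: no quoted paths, no 'deny'/'audit' qualifiers, no braces.
RULE_RE = re.compile(
    r'^\s*(?P<owner>owner\s+)?(?P<path>@\{HOME\}\S*)\s+(?P<perms>[rwalkmxpPuUcCi]+)\s*,\s*$'
)

# Permissions that let the confined program create or change files:
# w = write, a = append, l = link (creates a new directory entry).
WRITE_PERMS = set("wal")


def parse_rule(line: str) -> Optional[Dict]:
    """Return {'owner', 'path', 'perms'} for an @{HOME} file rule, else None."""
    m = RULE_RE.match(line)
    if not m:
        return None  # comment, blank line, or a rule shape we do not model
    return {
        "owner": m.group("owner") is not None,
        "path": m.group("path"),
        "perms": m.group("perms"),
    }


def find_unowned_writes(text: str) -> List[Dict]:
    """Rules that grant write-like access to @{HOME} paths without 'owner'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None:
            continue
        if not rule["owner"] and (WRITE_PERMS & set(rule["perms"])):
            findings.append({"line": lineno, **rule})
    return findings


def count_rules(text: str) -> Tuple[int, int]:
    """(rules with owner, rules without owner), the same split the grep stats give."""
    owned = unowned = 0
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["owner"]:
            owned += 1
        else:
            unowned += 1
    return owned, unowned


# Constructed abstraction fragment: the first block mirrors the user-files
# lines quoted in the thread, the public_html rule mirrors web-data, and the
# last rule is a made-up unprefixed write that an auditor would want flagged.
SAMPLE = """\
  # constructed fragment modelled on abstractions/ubuntu-browsers.d/user-files
  @{HOME}/ r,
  @{HOME}/** r,
  owner @{HOME}/** w,
  owner @{HOME}/Desktop/** r,
  # constructed: read-only share, no owner prefix needed
  @{HOME}/public_html/** r,
  # constructed: write rule missing owner, should be flagged
  @{HOME}/.config/example/** rw,
"""

if __name__ == "__main__":
    owned, unowned = count_rules(SAMPLE)
    print(f"rules with owner: {owned}, without owner: {unowned}")
    for f in find_unowned_writes(SAMPLE):
        print(f"line {f['line']}: '{f['path']} {f['perms']},' grants write without owner")
```

Run it against a real abstraction by replacing SAMPLE with the file's contents; rules it does not model (quoted paths, deny/audit qualifiers, brace groups) are skipped rather than guessed at, so a zero-finding result only covers the plain-rule subset.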