[apparmor] Fwd: Re: owner usage for @{HOME} rules

Simon Deziel simon.deziel at gmail.com
Tue Dec 18 22:54:07 UTC 2012


On 12-12-18 05:39 PM, Jamie Strandboge wrote:
> 
> Sigh, forgot to reply all...
> 
> -------- Original Message --------
> Subject: Re: [apparmor] owner usage for @{HOME} rules
> Date: Tue, 18 Dec 2012 16:38:41 -0600
> From: Jamie Strandboge <jamie at canonical.com>
> To: Simon Deziel <simon.deziel at gmail.com>
> 
> On 12/18/2012 04:26 PM, Simon Deziel wrote:
>> Hi all,
>>
>> I am wondering why some of the profile abstractions are not using the
>> owner prefix with the variable @{HOME} while many others do (and some
>> mix both)?
>>
>> Some stats from my Ubuntu 12.04 box:
>>
>> $ grep -crE '^[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
>> /etc/apparmor.d/abstractions/kde:7
>> /etc/apparmor.d/abstractions/X:2
>> /etc/apparmor.d/abstractions/audio:3
>> /etc/apparmor.d/abstractions/libvirt-qemu:1
>> /etc/apparmor.d/abstractions/gnupg:6
>> /etc/apparmor.d/abstractions/fonts:8
>> /etc/apparmor.d/abstractions/gnome:12
>> /etc/apparmor.d/abstractions/bash:4
>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
>> /etc/apparmor.d/abstractions/web-data:2
>>
>> $ grep -crE '^[[:space:]]*owner[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
>> /etc/apparmor.d/abstractions/X:1
>> /etc/apparmor.d/abstractions/audio:4
>> /etc/apparmor.d/abstractions/user-tmp:2
>> /etc/apparmor.d/abstractions/user-write:9
>> /etc/apparmor.d/abstractions/user-download:6
>> /etc/apparmor.d/abstractions/user-mail:9
>> /etc/apparmor.d/abstractions/enchant:2
>> /etc/apparmor.d/abstractions/ibus:3
>> /etc/apparmor.d/abstractions/ubuntu-media-players:2
>> /etc/apparmor.d/abstractions/xdg-desktop:4
>> /etc/apparmor.d/abstractions/user-manpages:3
>> /etc/apparmor.d/abstractions/freedesktop.org:12
>> /etc/apparmor.d/abstractions/base:1
>> /etc/apparmor.d/abstractions/aspell:1
>> /etc/apparmor.d/abstractions/cups-client:2
>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/java:6
>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia:2
>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity:1
>>
> 
> My guess is that most of the ones without explicit owner match predate
> 'owner' in apparmor.

Ah, that makes sense.

> It would be worthwhile to update the ones where it
> makes sense to do so. Eg, this one would for sure not be one we would
> want to add owner to:
> /etc/apparmor.d/abstractions/web-data:  @{HOME}/public_html/ r,
> /etc/apparmor.d/abstractions/web-data:  @{HOME}/public_html/** r,

Yes, indeed.

> Also, abstractions/ubuntu-browsers.d/user-files was intentional as well:
>   # Allow read to all files user has DAC access to and write access to all
>   # files owned by the user in $HOME.
>   @{HOME}/ r,
>   @{HOME}/** r,
>   owner @{HOME}/** w,
>   owner @{HOME}/Desktop/** r,

The rule "owner @{HOME}/Desktop/** r," is superfluous, isn't it?

> A quick glance at the others indicates they could probably be changed
> without issue.

OK, so I'll try to send a patch here. Thanks!

Simon
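As an added example (not code from this thread or from the AppArmor project), a small POSIX shell audit in the spirit of the greps above: it lists the @{HOME} rules in a constructed sample abstraction that lack the owner prefix, separates the write-granting ones (the real candidates for an owner prefix) from read-only ones such as web-data's public_html that are deliberately unowned, and shows the sed rewrite a patch would apply. The sample file and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the AppArmor project: audit @{HOME}
# rules for a missing 'owner' prefix. Non-owner *read* rules can be deliberate
# (web-data's public_html); the write-granting ones are the review candidates.

# Constructed sample abstraction, modelled on the snippets quoted in the thread.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
  # Allow read to all files user has DAC access to and write access to all
  # files owned by the user in $HOME.
  @{HOME}/ r,
  @{HOME}/** r,
  owner @{HOME}/** w,
  owner @{HOME}/Desktop/** r,
  @{HOME}/public_html/ r,
  @{HOME}/public_html/** r,
  @{HOME}/.cache/app/** rw,
  @{HOME}/.config/app/ w,
EOF

# Rules that start with @{HOME} (i.e. no owner prefix); indentation and comment
# lines are dropped first. '|| true' keeps an empty result from being an error.
unowned_home_rules() {
    sed -e 's/^[[:space:]]*//' -e '/^#/d' "$1" | grep -E '^@\{HOME\}' || true
}

# Subset whose permission token (last word before the comma) grants write-like
# access: w = write, a = append, l = link, k = lock. Only the trailing token is
# inspected, so a 'w' inside the path (e.g. www/) cannot cause a false positive.
unowned_home_write_rules() {
    unowned_home_rules "$1" | grep -E '[[:space:]][^[:space:],]*[walk][^[:space:],]*,$' || true
}

# Rewrite a rule line so it carries the owner prefix (what a patch would do),
# preserving the original indentation; already-prefixed lines are untouched.
add_owner_prefix() {
    sed -E 's/^([[:space:]]*)(@\{HOME\})/\1owner \2/'
}

echo "== @{HOME} rules without owner =="
unowned_home_rules "$SAMPLE"
echo "== of which write-granting (review these) =="
unowned_home_write_rules "$SAMPLE"
echo "== proposed rewrite =="
unowned_home_write_rules "$SAMPLE" | add_owner_prefix
```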
