[apparmor] [PATCH 1/2] add new xdg-desktop abstraction

Jamie Strandboge jamie at canonical.com
Wed Jan 11 13:02:02 UTC 2012


On Wed, 2012-01-11 at 13:04 +0100, Steve Beattie wrote:
> On Wed, Jan 11, 2012 at 12:56:23PM +0100, Steve Beattie wrote:
> > On Wed, Jan 11, 2012 at 12:45:36PM +0100, Jamie Strandboge wrote:
> > > A bug[1] was filed in Ubuntu to add the following to the audio
> > > abstraction:
> > > @{HOME}/.config rw,
> > > 
> > > The logic was that in the audio abstraction we have the following:
> > > @{HOME}/.cache/event-sound-cache.* rw,
> > > 
> > > so the logic follows that if this rule is in the abstraction, then
> > > if .config didn't exist, it must be created. While I understand the
> > > reasoning, it didn't feel quite right, so Steve, John and I discussed
> > > this and came up with the idea that we should create an xdg-desktop
> > > abstraction based on the upstream documentation[2]. Attached patch adds
> > > this abstraction.
> > 
> > Acked-By: Steve Beattie <sbeattie at ubuntu.com>
> 
> Actually, poking at this more, we already have
> abstractions/freedesktop.org which also covers access to some of
> the xdg-desktop stuff, though it's almost all read-only access
> (.recently-used.xbel* is the exception). Perhaps we should unify these?
> 
> Or do you think it's valuable to separate out write access to a distinct
> abstraction?

Honestly, allowing writes means that a confined application can change
the permissions on the directory, which is not always desired. Is that
worth having a totally separate abstraction? Maybe?

On the one hand, if we could add this to the freedesktop.org abstraction
and then if a profiler doesn't want the 'w', she can opt out of using
the freedesktop.org abstraction. On the other hand, updating the
freedesktop.org abstraction adds a wider permission set ('w') for
existing policy, which I'm not super comfortable with because these
directories aren't application specific.

-- 
Jamie Strandboge             | http://www.canonical.com
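
The concern raised in the reply above, that adding 'w' to the freedesktop.org abstraction widens every existing profile that includes it, can be measured before such a change is made. The following is an added example, not part of the original message or of the AppArmor project: a Python script that follows `#include` lines transitively and reports which profiles gain writable `@{HOME}` paths. The profile names and rule contents are a constructed policy set, not the real abstraction files.

```python
import re

# Matches '#include <file>' and AppArmor file rules such as '@{HOME}/x rw,'.
INCLUDE = re.compile(r'^[ \t]*#?include[ \t]+<([^>]+)>', re.M)
RULE = re.compile(r'^[ \t]*(?:owner[ \t]+)?((?:/|@\{)\S*)[ \t]+([A-Za-z]+),', re.M)

def closure(name, policy, seen=None):
    """All policy files reachable from `name` through includes, itself included."""
    seen = set() if seen is None else seen
    if name in seen or name not in policy:
        return seen
    seen.add(name)
    for inc in INCLUDE.findall(policy[name]):
        closure(inc, policy, seen)
    return seen

def home_writes(name, policy):
    """@{HOME} paths a profile may write or append to, counting inherited rules."""
    out = set()
    for f in closure(name, policy):
        for path, perms in RULE.findall(policy[f]):
            if path.startswith("@{HOME}") and set(perms) & {"w", "a"}:
                out.add(path)
    return out

def widened(before, after):
    """Per profile: home paths that become writable after an abstraction edit."""
    profiles = [n for n in before if not n.startswith("abstractions/")]
    delta = {p: home_writes(p, after) - home_writes(p, before) for p in profiles}
    return {p: sorted(d) for p, d in delta.items() if d}

# Constructed policy set (assumed names and rules, for illustration only).
BEFORE = {
    "abstractions/base": "/etc/ld.so.cache r,\n",
    "abstractions/freedesktop.org": "@{HOME}/.config/user-dirs.dirs r,\n",
    "abstractions/gnome": "#include <abstractions/freedesktop.org>\n",
    "usr.bin.viewer": "#include <abstractions/base>\n"
                      "#include <abstractions/freedesktop.org>\n",
    "usr.bin.player": "#include <abstractions/gnome>\n"
                      "@{HOME}/.cache/event-sound-cache.* rw,\n",
    "usr.sbin.daemon": "#include <abstractions/base>\n/var/log/daemon.log w,\n",
}
# Same policy with the write rule from the bug report added to the shared abstraction.
AFTER = dict(BEFORE)
AFTER["abstractions/freedesktop.org"] += "@{HOME}/.config rw,\n"

if __name__ == "__main__":
    for profile, paths in sorted(widened(BEFORE, AFTER).items()):
        print(profile, "gains write on", ", ".join(paths))
```

The profile that reaches the abstraction only through a nested include is reported as well, which is the case a manual review of direct includes would miss.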