[apparmor] [RFC] handling XDG user directories
Jamie Strandboge
jamie at canonical.com
Mon Aug 5 22:59:14 UTC 2013
= Background =
The xdg-user-dirs specification[1] allows for translatable and movable common
directories. While this may be beneficial for users who for example want to have
~/Pictures translated into their own language, this flexibility provides
challenges for AppArmor. Untranslated xdg user directories are typically (see
~/.config/user-dirs.dirs):
  XDG_DESKTOP_DIR="$HOME/Desktop"
  XDG_DOWNLOAD_DIR="$HOME/Downloads"
  XDG_TEMPLATES_DIR="$HOME/Templates"
  XDG_PUBLICSHARE_DIR="$HOME/Public"
  XDG_DOCUMENTS_DIR="$HOME/Documents"
  XDG_MUSIC_DIR="$HOME/Music"
  XDG_PICTURES_DIR="$HOME/Pictures"
  XDG_VIDEOS_DIR="$HOME/Videos"
On an Ubuntu system with the fr_CA locale installed, these become:
  XDG_DESKTOP_DIR="$HOME/Desktop"
  XDG_DOWNLOAD_DIR="$HOME/Téléchargements"
  XDG_TEMPLATES_DIR="$HOME/Templates"
  XDG_PUBLICSHARE_DIR="$HOME/Public"
  XDG_DOCUMENTS_DIR="$HOME/Documents"
  XDG_MUSIC_DIR="$HOME/Musique"
  XDG_PICTURES_DIR="$HOME/Images"
  XDG_VIDEOS_DIR="$HOME/Vidéos"
While the kernel and AppArmor parser handle these translations fine, the
profiles do not. I think we can do better and make this a bit easier for
distributions.
= Proposal =
As an upstream, we can vastly improve the situation by simply creating the
xdg-dirs tunable using the default 'C' xdg-user-dirs values:
  $ cat /etc/apparmor.d/tunables/xdg-dirs
  @{XDG_DESKTOP_DIR}=Desktop
  @{XDG_DOWNLOAD_DIR}=Downloads
  @{XDG_TEMPLATES_DIR}=Templates
  @{XDG_PUBLICSHARE_DIR}=Public
  @{XDG_DOCUMENTS_DIR}=Documents
  @{XDG_MUSIC_DIR}=Music
  @{XDG_PICTURES_DIR}=Pictures
  @{XDG_VIDEOS_DIR}=Videos
  # Also, include files in tunables/home.d for site-specific adjustments to
  # the various XDG directories
  #include <tunables/xdg-dirs.d>
and then create the /etc/apparmor.d/tunables/xdg-dirs.d directory. With that
alone, we can start using rules like this in our upstream policy:
  owner @{HOME}/@{XDG_MUSIC_DIR}/** r,
and users/admins can adjust /etc/apparmor.d/tunables/xdg-dirs or drop files into
/etc/apparmor.d/tunables/xdg-dirs.d, providing a welcome convenience[2].
This of course doesn't solve everything. Because users can modify their
~/.config/user-dirs.dirs file at will and have it point anywhere, we can't
examine those files and do anything automatic there (when we have user policy we
can revisit this). This proposal handles translations well though, and use of
translations for these directories happens outside of the user's control. Users
who modify ~/.config/user-dirs.dirs can update policy like they need to now.
I have written two tools that we may want to optionally ship[3]:
* apparmor-xdg-dirs-simple.py: this takes a locale as an argument and outputs
  to stdout something suitable for dropping into /etc/apparmor.d/xdg-dirs.d.
  Eg:
    $ ./apparmor-xdg-dirs-simple.py zh_HK
    @{XDG_DESKTOP_DIR}+="Desktop"
    @{XDG_DOWNLOAD_DIR}+="下載"
    @{XDG_TEMPLATES_DIR}+="Templates"
    @{XDG_PUBLICSHARE_DIR}+="Public"
    @{XDG_DOCUMENTS_DIR}+="文件"
    @{XDG_MUSIC_DIR}+="音樂"
    @{XDG_PICTURES_DIR}+="圖片"
    @{XDG_VIDEOS_DIR}+="影片"
  A very simplistic usage could be:
    # ./apparmor-xdg-dirs-simple.py zh_HK > /etc/apparmor.d/xdg-dirs.d/zh_HK
* apparmor-xdg-dirs.py: this takes the output of 'locale -a' and outputs to
  stdout something suitable for dropping into /etc/apparmor.d/xdg-dirs.d as
  well, but tries to be a little smarter and only outputs unique translations,
  skipping the 'C' locale (since the C locale dirs are presumed to already be
  in /etc/apparmor.d/tunables/xdg-dirs). Eg, on an Ubuntu 13.10 system with
  the en, fr and zh locales installed:
    $ ./apparmor-xdg-dirs.py
    # This file contains translations for XDG directories based on
    # the installed locales from the local system. To regenerate,
    # redirect the output of 'apparmor-xdg-dirs' to this file.
    @{XDG_DOWNLOAD_DIR}+="Téléchargements"
    @{XDG_DOWNLOAD_DIR}+="下載"
    @{XDG_DOCUMENTS_DIR}+="文件"
    @{XDG_MUSIC_DIR}+="Musique"
    @{XDG_MUSIC_DIR}+="音樂"
    @{XDG_PICTURES_DIR}+="Images"
    @{XDG_PICTURES_DIR}+="圖片"
    @{XDG_VIDEOS_DIR}+="Vidéos"
    @{XDG_VIDEOS_DIR}+="影片"
  A possible usage in a distribution might be:
    # ./apparmor-xdg-dirs.py > /etc/apparmor.d/xdg-dirs.d/system
I was quite happy in testing when I saw that the kernel and parser (both v3)
handled these utf-8 strings just fine such that with this rule:
  owner @{HOME}/@{XDG_MUSIC_DIR}/** r,
I was able to write to:
  ~/Musique/testme
  ~/音樂/testme
  ~/Music/testme
but not to, for example:
  ~/圖片/testme
Logging worked well too:
  Aug 5 15:09:05 sec-saucy-amd64 kernel: [ 7115.061670] type=1400
  audit(1375733345.046:74): apparmor="DENIED" operation="mknod" parent=10586
  profile="test-xdg" name=2F686F6D652F6A616D69652FE59C96E789872F746573746D65
  pid=16114 comm="touch" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
  $ aa-decode 2F686F6D652F6A616D69652FE59C96E789872F746573746D65
  Decoded: /home/jamie/圖片/testme
I did not test other tools (aa-logprof, etc) for these utf-8 strings, but any
problems there would be just bugs (and my proposal doesn't actually add utf-8
strings).
What do people think? Maybe this would be a good topic for this month's meeting.
Thanks!
PS - note that this (intentionally) doesn't cover the XDG base-dir
specification, though we could solve it in the same manner. Create an
/etc/apparmor.d/tunables/xdg-basedir tunable with standard values, then create
the /etc/apparmor.d/tunables/xdg-basedir.d directory that people can use if they
want. I don't think we would provide any more tools beyond that, to avoid
crossing any privilege boundaries and mucking around in $HOME.
[1] http://freedesktop.org/wiki/Software/xdg-user-dirs/
[2] Note, I initially tried to do this:
      $ cat /etc/apparmor.d/tunables/xdg-dirs
      @{XDG_DESKTOP_DIR}=@{HOME}/Desktop
    but this didn't work. The parser liked it just fine, but the '@{HOME}'
    wasn't expanded. I don't think this is a problem and think I prefer
    the current proposal, but mention it for completeness.
[3] lp:~jdstrand/+junk/apparmor-xdg
[4] http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
--
Jamie Strandboge http://www.ubuntu.com/
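
An added example (not part of the original message, and not the tools in [3]): a check for the gap the proposal leaves open, where a user's ~/.config/user-dirs.dirs points somewhere the xdg-dirs tunables do not cover, so rules of the form `owner @{HOME}/@{XDG_MUSIC_DIR}/** r,` would not match. The function names and the sample file contents are constructed for illustration.

```python
import re
import shlex

# Constructed sample inputs (not taken from a real system).
TUNABLES = '''\
@{XDG_DOWNLOAD_DIR}=Downloads
@{XDG_MUSIC_DIR}=Music
@{XDG_PICTURES_DIR}=Pictures
#include <tunables/xdg-dirs.d>
@{XDG_MUSIC_DIR}+="Musique"
@{XDG_PICTURES_DIR}+="Images"
'''
USER_DIRS = '''\
# constructed ~/.config/user-dirs.dirs
XDG_DOWNLOAD_DIR="$HOME/Téléchargements"
XDG_MUSIC_DIR="$HOME/Musique"
XDG_PICTURES_DIR="/srv/media/pics"
'''

TUNABLE_RE = re.compile(r'^@\{(XDG_\w+_DIR)\}\s*(\+?=)\s*(.+)$')
USER_RE = re.compile(r'^(XDG_\w+_DIR)="(.*)"$')

def parse_tunables(text):
    """Map variable name -> set of values, honouring '=' and '+='."""
    values = {}
    for line in text.splitlines():
        m = TUNABLE_RE.match(line.strip())
        if not m:
            continue  # comments, #include lines, blanks
        name, op, rhs = m.groups()
        new = set(shlex.split(rhs))  # values may be quoted and space-separated
        values[name] = new if op == "=" else values.get(name, set()) | new
    return values

def uncovered(user_dirs_text, tunables):
    """Return {var: path} for dirs that @{HOME}/@{XDG_*_DIR}/ rules would miss."""
    missing = {}
    for line in user_dirs_text.splitlines():
        m = USER_RE.match(line.strip())
        if not m:
            continue
        name, path = m.groups()
        # Only "$HOME/<name>" can match a @{HOME}/@{XDG_*_DIR}/ rule.
        rel = path[len("$HOME/"):].rstrip("/") if path.startswith("$HOME/") else None
        if rel is None or rel not in tunables.get(name, set()):
            missing[name] = path
    return missing

if __name__ == "__main__":
    for var, path in uncovered(USER_DIRS, parse_tunables(TUNABLES)).items():
        print(f"{var}: {path} is not covered by the xdg-dirs tunables")
```
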