[apparmor] (no subject)
intrigeri at debian.org
Thu Jul 11 19:51:59 UTC 2013
Hi,
Jamie Strandboge wrote (10 Jun 2013 13:58:38 GMT) :
> My gut feeling is that dconf
> should be in its own abstraction and only allow 'r' access and
> applications can add 'w' as necessary (or maybe have dconf and
> dconf-write abstractions that applications could use).
OK. Thanks for teaching me.
Attached is a patch that adds a dconf abstraction.
I've been using it successfully e.g. with Evince:
diff --git a/apparmor.d/usr.bin.evince b/apparmor.d/usr.bin.evince
index 2f1811a..e978197 100644
--- a/apparmor.d/usr.bin.evince
+++ b/apparmor.d/usr.bin.evince
@@ -9,6 +9,7 @@
#include <abstractions/bash>
#include <abstractions/cups-client>
#include <abstractions/dbus-session>
+ #include <abstractions/dconf>
#include <abstractions/evince>
#include <abstractions/ibus>
#include <abstractions/nameservice>
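Review bot: Only the profile whose include list is shown here gets '#include <abstractions/dconf>', yet the same file holds at least one more profile ('/usr/bin/evince-previewer', visible at the end of the next hunk) that this patch does not touch. If the previewer also reads its settings through dconf it needs the same include; if it does not, say so in the patch description so the omission reads as deliberate. The position in the list keeps the includes in alphabetical order, which is fine.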
@@ -85,6 +86,9 @@
# evince creates a temporary stream file like '.goutputstream-XXXXXX' in the
# directory a file is saved. This allows that behavior.
owner /**/.goutputstream-* w,
+
+ # dconf write access
+ owner /{,var/}run/user/*/dconf/user rwk,
}
/usr/bin/evince-previewer {
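Review bot: The added rule 'owner /{,var/}run/user/*/dconf/user rwk,' grants 'r' along with 'w' and 'k', while its comment only says "dconf write access" and does not explain why evince has to write to and lock this file. If the dconf abstraction included in the first hunk already allows reading this path, 'wk' is enough here and keeps the read/write split from the quoted suggestion visible in the profile. Since the thread also floated a separate dconf-write abstraction, consider putting this rule there instead of repeating it per profile, and extend the comment to say which file this is and what needs the lock.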
Cheers!