[apparmor] [patch] dconf locations

intrigeri intrigeri+debian at boum.org
Sun Jun 9 18:25:23 UTC 2013


On my Debian sid (running systemd, in case it matters), I see some
GNOME applications start to put stuff in /run/user/$USER/ (e.g.
evince wanted rwc access to /run/user/intrigeri/dconf/user), and read
from ~/.config/dconf/user. Neither of these is allowed by the upstream
AppArmor profiles.

The following patch fixes this for me:

diff --git a/apparmor.d/abstractions/gnome b/apparmor.d/abstractions/gnome
index f83c3c5..49dd870 100644
--- a/apparmor.d/abstractions/gnome
+++ b/apparmor.d/abstractions/gnome
@@ -84,3 +84,7 @@
   # mime-types
   /etc/gnome/defaults.list r,
   /usr/share/gnome/applications/mimeinfo.cache r,
+  # dconf locations
+  owner /run/user/*/dconf/user rw,
+  owner @{HOME}/.config/dconf/user r,
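
Review bot: the two `owner` rules appended to abstractions/gnome give every profile that includes this abstraction read access to the user's whole dconf database (`@{HOME}/.config/dconf/user`) and write access to the runtime file under `/run/user/*/dconf/`. Since the same rules are said to exist already in usr.bin.chromium-browser and ubuntu-integration, a separate dconf abstraction that profiles include explicitly would keep the grant opt-in and remove the duplication. If the rules stay here, `owner /{,var/}run/user/*/dconf/user rw,` would also cover systems that have not moved to /run. Separately, the hunk header `@@ -84,3 +84,7 @@` announces seven lines on the new side but only six are visible (three context, three added), so a line, possibly a blank `+` separator before the comment, may have been lost in transit; please check that the patch applies cleanly.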

I've seen Ubuntu added similar settings in usr.bin.chromium-browser
and abstractions/ubuntu-browsers.d/ubuntu-integration, so perhaps now
would be a good time to factorize this stuff a bit :)

I did not bother using /{,var/}run, since I guess any system recent
enough to run dconf probably has moved to /run already, but feel free
to fix this or to ask me to resubmit if you think differently.

To end with, it's my first patch submission here IIRC, so feel free to
tell me how I can do better next time.

  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
