[apparmor] Updating the Pidgin profile

Simon Deziel simon.deziel at gmail.com
Wed Jan 22 14:43:36 UTC 2014


Hi intrigeri,

Sorry for the delayed response.

On 14-01-19 09:25 AM, intrigeri wrote:
> Hi Simon,
> 
> we're getting close to merging our profiles, great!
> See more comments and questions below.
> 
> I'm attaching my current profile. Feel free to have a look :)
> 
> Simon Deziel wrote (17 Jan 2014 19:44:34 GMT) :
>> On 14-01-17 06:38 AM, intrigeri wrote:
> 
>>>>  owner @{HOME}/.{cache,config}/dconf/user rw,
>>>
>>> What is the "cache" part for?
> 
> I believe you have missed this question. Or maybe your following
> answer (about .config/indicators) did cover this one too?

It was in the initial profile from 11.04 but looking at [1] they seem
legitimate. Both are used as shown in this audit extract:

apparmor="AUDIT" operation="open" parent=1 profile="/usr/bin/pidgin"
name="/home/simon/.cache/dconf/user" pid=12834 comm="pidgin"
requested_mask="rwc" fsuid=1000 ouid=1000
apparmor="AUDIT" operation="truncate" parent=1 profile="/usr/bin/pidgin"
name="/home/simon/.cache/dconf/user" pid=12834 comm="pidgin"
requested_mask="w" fsuid=1000 ouid=1000
apparmor="AUDIT" operation="open" parent=1 profile="/usr/bin/pidgin"
name="/home/simon/.config/dconf/user" pid=12834 comm="pidgin"
requested_mask="r" fsuid=1000 ouid=1000
apparmor="AUDIT" operation="getattr" parent=1 profile="/usr/bin/pidgin"
name="/home/simon/.config/dconf/user" pid=12834 comm="pidgin"
requested_mask="r" fsuid=1000 ouid=1000

The truncate is a bit odd, though, but it occurs even when the file is
empty so maybe that's correct.

>>>>  owner @{HOME}/.config/indicators/ rw,
>>>>  owner @{HOME}/.config/indicators/** rw,
>>>
>>> What's this for? Perhaps it would be better suited for an existing (or
>>> new) abstraction?
> 
>> This one is a real mystery to me. In fact, I even deny some of it in my
>> local include:
> 
>>   # XXX: prevent blacklisting pidgin, needs investigation
>>   audit deny @{HOME}/.config/indicators/messages/applications-blacklist/** w,
> 
>> IIRC from back when I added this, Pidgin would stop showing in mail/IM
>> notification area as it would blacklist itself.
> 
> OK. I guess I won't include it until it's clarified what happens (on
> Ubuntu, I suppose) without these two lines, then.
> 
>>>>  owner /tmp/orcexec.* mr,
>>>>  owner @{HOME}/orcexec.* mr,
>>>
>>> I had this too, but the profile works fine after removing it.
>>> Maybe it's obsolete?
> 
>> That is needed for sound notifications. The "@{HOME}/orcexec.*" is
>> needed when /tmp is mounted noexec.
> 
> OK, added.
> 
>>>>  owner @{PROC}/[0-9]*/auxv r,
>>>
>>> My Pidgin does not seem to need this. Any idea if/why this is
>>> really needed?
> 
>> I need it here.
> 
> Added, then.
> 
>>>>  /usr/bin/gconftool-2 rix,
>>>>  /usr/bin/gnome-default-applications-properties ix,
>>>>  /usr/bin/gnome-network-preferences ix,
>>>
>>> I'm adding P, in case a profile is written for one of those some day.
> 
>> P and i are incompatible as far as I understand.
> 
> The documentation about it is very confusing, but Pix is valid.

Indeed, "Pix" is valid and I added it to g-d-a-p and g-n-p. My test was
using "Prix" for gconftool-2 and the parser didn't accept it.

>>>>  /usr/share/locale-langpack/** rm,
>>>
>>> Isn't the "r" permission granted by abstraction/base enough? I'm not
>>> running Ubuntu, so I'm not using langpack's and cannot test myself.
> 
> Ping?

This locale-langpack rule is gone from my profile and there has been no
problem to report since then.

>>>>  /usr/share/themes/**        r,
>>>
>>> Covered by abstractions/gnome.
> 
>> True. It's weird that "/usr/share/themes/ r," was left out of the
>> abstraction.
> 
> Right. For another day/person, though.
> 
>>> My last question is about the biggest hurdle I have here. How do you
>>> handle the call to gnome-control-center from Preferences -> Browser ->
>>> Configure Browser? I'm a bit reluctant to give Pidgin every credential
>>> that gnome-control-center needs. Would it be a good use of
>>> sanitized_helper (until g-c-c gets its own profile maybe someday)?
> 
>> I don't allow it here so it's a problem I wasn't even aware of.
> 
> I think I'm going to complete a profile that requires running GNOME
> control center and network configuration by hand, to start with, then.
> Done in the attached profile.

That makes sense. I'd probably add a comment in the profile that this is
on purpose. This should prevent users from disabling the profile that
"gets in their way" and use the manual way instead.

Regards,
Simon


1: http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
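
The audit extract quoted in the message, turned into candidate profile rules. This is an added example, not part of the original message and not AppArmor's own tooling; the helper name suggest_rules is hypothetical, the sample log is constructed from the four quoted events (one event per line), and the mapping of logged c/d masks to w is an assumption of the example.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: the four events quoted in the message, one per line.
_EV = ('apparmor="AUDIT" operation="{op}" parent=1 profile="/usr/bin/pidgin" '
       'name="/home/simon/{path}" pid=12834 comm="pidgin" '
       'requested_mask="{mask}" fsuid=1000 ouid=1000')
SAMPLE_LOG = "\n".join(_EV.format(op=o, path=p, mask=m) for o, p, m in [
    ("open", ".cache/dconf/user", "rwc"),
    ("truncate", ".cache/dconf/user", "w"),
    ("open", ".config/dconf/user", "r"),
    ("getattr", ".config/dconf/user", "r"),
])

# Logged masks use c (create) and d (delete); profile rules express both as w.
# This mapping is an assumption of the example.
LOG_TO_RULE = {"c": "w", "d": "w"}
PERM_ORDER = "rwalkmx"
HOME_RE = re.compile(r"^/home/[^/]+/")

def suggest_rules(log_text, profile):
    """Return sorted candidate file rules for `profile` (hypothetical helper)."""
    perms = defaultdict(set)
    not_owner = set()
    for line in log_text.splitlines():
        # shlex strips the quotes around key="value" fields
        fields = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
        if fields.get("profile") != profile or "name" not in fields:
            continue
        path = HOME_RE.sub("@{HOME}/", fields["name"])
        perms[path].update(LOG_TO_RULE.get(c, c)
                           for c in fields.get("requested_mask", ""))
        # "owner" only fits if every event shows fsuid == ouid
        if "fsuid" not in fields or fields["fsuid"] != fields.get("ouid"):
            not_owner.add(path)
    rules = []
    for path in sorted(perms):
        granted = perms[path]
        if "w" in granted:
            granted = granted - {"a"}  # w and a cannot be combined in one rule
        mode = "".join(c for c in PERM_ORDER if c in granted)
        prefix = "" if path in not_owner else "owner "
        rules.append(f"{prefix}{path} {mode},")
    return rules

if __name__ == "__main__":
    print("\n".join(suggest_rules(SAMPLE_LOG, "/usr/bin/pidgin")))
```

For the four events in the extract, this yields rw on .cache/dconf/user and r only on .config/dconf/user, both with the owner qualifier.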


