[apparmor] wayland paths
John Johansen
john.johansen at canonical.com
Thu Dec 1 00:03:30 UTC 2016
On 11/30/2016 03:21 PM, Seth Arnold wrote:
> On Wed, Nov 30, 2016 at 03:11:53PM -0800, Steve Beattie wrote:
>>> owner /{,var/}run/user/*/weston-shared-* rw,
>
>> Can we kill the first rule? Or at least only have the /var/ path, since
>> the non-var path is covered by the last rule?
>
> I like the "only the /var/ path" option; that's what I went with.
>
> (I suspect we're just about to the point that we could remove all
> the /var/run/ paths and alternations from our trunk profiles, but I'd
> really hate to find out that I'm wrong by breaking a user's system on
> an upgrade.)
>
Which begs the question: why didn't we use a variable or an alias rule?
The variable is a bit ugly but easy to tweak and obvious.
The alias is convenient and will work for these straight substitutions
but is totally non-obvious/visible to the user. However, if we are
at the point where removing /var/run/ is viable for most users, then
getting rid of /var/run alternations completely is the way to go.
And for users who really need it we can add a commented-out alias
rule in abstractions/base and tell users to uncomment that.
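
The three ways of covering both /run and /var/run that this message compares, side by side, as an added illustration that is not taken from the thread or from the AppArmor trunk profiles. The profile name, the binary path and the variable name `@{run}` are assumptions made for the example; only the weston-shared rule comes from the quoted text.

```apparmor
# Constructed fragment for illustration; profile name and binary path are placeholders.

# --- Preamble (outside any profile block) ---

# Option B: a variable listing both locations.
# @{run} is a name assumed for this example.
@{run}=/run /var/run

# Option C: an alias rule. Alias rules are part of the preamble, not the
# profile body. Shipped commented out; a site that still needs /var/run
# uncomments it, and rules written for /run/ are then also applied
# under /var/run/.
#alias /run/ -> /var/run/,

profile example-wayland-client /usr/bin/example-wayland-client {
  # Option A: alternation written into the rule itself
  # (the form quoted in the thread). Visible, but repeated in every rule.
  owner /{,var/}run/user/*/weston-shared-* rw,

  # Option B: the same two paths through the variable. The rule shows
  # that a substitution happens; the assignment above is the one place to edit.
  owner @{run}/user/*/weston-shared-* rw,

  # Option C: only the /run path appears in the rule. Nothing here
  # hints that /var/run may also be allowed; that depends entirely on
  # whether the alias in the preamble is enabled.
  owner /run/user/*/weston-shared-* rw,
}
```

Only one of the three rules would appear in a real profile; they are shown together here to make the visibility trade-off concrete.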