[apparmor] Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

Sun Nov 20 13:00:00 UTC 2016

Christian Boltz:
> Hello,
> 
> Am Samstag, 19. November 2016, 12:43:00 CET schrieb u:
>> anonym:
>>> As a KDE user I want Icedove to look like a native application
>>> despite it using GTK, which can be achieved with the
>>> gtk2-engines-pixbuf package and some gtk*-engines-* package (e.g.
>>> gtk3-engines-breeze). However, the current Icedove AppArmor profile
>>> blocks the paths used by these packages.
>> Looks good.
>>
>>> The attached patch fixes the profile for me. A proper solution for
>>> AppArmor upstream might be to add the new lines to the appropriate
>>> abstraction file (perhaps abstractions/gnome?).
>>
>> I've put the upstream list and the original author of the profile in
>> Cc:. @Upstream, what do you think?
> 
> Looks good, and it would indeed be a candidate for abstractions/gnome. 
> 
> Some notes and questions:
> 
> +  /usr/lib/@{multiarch}/gtk-*/*/engines/libpixmap.so* mr,
> 
> does not match the openSUSE patchs. Therefore I propose to also add
> 
>     /usr/lib*/gtk-*/*/engines/libpixmap.so* mr,
> 
> to make this a cross-distro compatible change ;-)

Great!

> Looking at the gnome abstraction again, I see
> 
>   /usr/lib{,32,64}/gtk/**         mr,
>   /usr/lib/@{multiarch}/gtk/**    mr,
> 
> Both directories don't exist on my openSUSE system. Instead there is
> /usr/lib64/gtk-2.0/ and /usr/lib64/gtk-3.0/. Maybe we should update 
> these rules to match the versioned paths (and, as a side effect, include 
> libpixmap.so)? That would mean to add
> 
>   /usr/lib{,32,64}/gtk-[0-9]*/**         mr,
>   /usr/lib/@{multiarch}/gtk-[0-9]*/**    mr,
> 
> 
> Does /usr/lib{,32,64}/gtk/ and/or /usr/lib/@{multiarch}/gtk/  still 
> exist on Debian?

At least on my system, I have

  /usr/lib/x86_64-linux-gnu/gtk-2.0
  /usr/lib/x86_64-linux-gnu/gtk-3.0

and nothings else, so your suggseted change looks good to me.

> (bzr blame says these lines of the gnome abstractions were last touched 
> in 2011, so things might have changed since then ;-)

Indeed! :)

> +  /usr/share/themes/** r,
> 
> This is already included in abstractions/gnome, so I wonder why you 
> needed to add it.

Sorry! It is not needed (and the explanation for why I included it by
mistake is just to boring to share here).

So, in the end, your suggested update to abstractions/gnome (the gtk
path) seems like the only thing needed, and indeed better than my patch.

Cheers!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20161120/45121a01/attachment-0001.pgp>