[apparmor] [profile] Firefox v58: '/.cache/fontconfig/', '/etc/ld.so.conf' and DENIED log entries.
daniel curtis
sidetripping at gmail.com
Sun Feb 11 18:40:33 UTC 2018
Hello.
On Wed, Jan 31, I created a thread about some issues with AppArmor
"DENIED" log entries after the Firefox update to v58 (please see: 1.).
Everything worked okay, even without adding proper rules to the
profile, but I've decided to add something like this:
✗ apparmor="DENIED" operation="open"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/ld.so.conf"
comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

/etc/ld.so.conf r,
/etc/ld.so.conf.d/ r,
/etc/ld.so.conf.d/* r,

✗ apparmor="DENIED" operation="mknod"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/tester/.cache/fontconfig/*.cache-6.TMP-JUtX5a"
comm=23676110276F4G74356D71 requested_mask="c" denied_mask="c"
fsuid=1000 ouid=1000

deny @{HOME}/.cache/fontconfig/ r,
deny @{HOME}/.cache/fontconfig/* rwk,
For now, I've decided to deny this request and Firefox works without
any problems etc. However, I would like to ask if I should change
the above rules to:
owner @{HOME}/.cache/fontconfig/ rwk,
owner @{HOME}/.cache/fontconfig/** rwk,
NOTE: as for the first rule above, "rwk" is not needed, right? Can
I change it to "r"? I'm asking because it's a folder and the second rule
is related to everything inside it. What do you think? So, I have two
questions:
✓ Are the '/etc/ld.so.conf' rules okay? Does Firefox really need them?
✓ Should '/.cache/fontconfig/' access be denied or allowed with an
"owner" prefix?
As I already wrote: Firefox worked okay even without the above rules, but
maybe something important was added with the update to the v58 version
and that's the reason for the new "DENIED" entries?
Thanks, best regards.
__________________
1. https://lists.ubuntu.com/archives/apparmor/2018-January/011454.html
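
Added example (not part of the original post and not AppArmor's own tooling): the Python below turns denial records like the two quoted above into candidate file rules for manual review, decoding the unquoted hex form that the audit log uses for a comm or name value. The sample records, the "Font Loader" comm value and the choice to propose "owner" whenever fsuid equals ouid are assumptions of this example.

```python
import re

# Constructed sample records modelled on the two denials quoted in the post;
# the file name and the hex-encoded comm value are made up for this example.
SAMPLE = [
    'apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" '
    'name="/etc/ld.so.conf" comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    'apparmor="DENIED" operation="mknod" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" '
    'name="/home/tester/.cache/fontconfig/abc.cache-6.TMP-JUtX5a" comm=466F6E74204C6F61646572 '
    'requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000',
    'apparmor="ALLOWED" operation="open" profile="example" name="/tmp/x" '
    'comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000',
]

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse(line):
    """Split one audit record into a dict, decoding unquoted hex-encoded strings."""
    rec = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            rec[key] = quoted
        elif key in ("name", "comm", "profile") and HEX.fullmatch(raw):
            rec[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            rec[key] = raw
    return rec

def rules_from_log(lines):
    """Return candidate file rules for DENIED records, merged per path."""
    merged = {}
    for rec in map(parse, lines):
        if rec.get("apparmor") != "DENIED" or "name" not in rec:
            continue
        # The log mask is finer-grained than the profile language: c/d become w.
        perms = set(rec["denied_mask"].replace("c", "w").replace("d", "w"))
        path = re.sub(r"^/home/[^/]+/", "@{HOME}/", rec["name"])
        # Assumption of this example: propose "owner" when the task's fsuid owns the object.
        owner = "owner " if rec.get("fsuid") == rec.get("ouid") else ""
        merged.setdefault((owner, path), set()).update(perms)
    return [f"{o}{p} {''.join(sorted(m))}," for (o, p), m in sorted(merged.items())]

if __name__ == "__main__":
    for rule in rules_from_log(SAMPLE):
        print(rule)
```

The output is a starting point only: each path still has to be generalised by hand (for example a temporary file name into a glob) before it goes into the profile.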