[apparmor] [profile] Firefox v58: '/.cache/fontconfig/', '/etc/ld.so.conf' and DENIED log entries.

daniel curtis sidetripping at gmail.com
Wed Jan 31 16:16:39 UTC 2018


Hello Mr Simon

You have written about my questioning myself about AppArmor denials and what
they mean for me and the application, etc. And I agree with you completely.
I've always tried to answer these questions when new DENIED entries
appear in the logs. But that's not important here.

You have mentioned "Probably yes." when it comes to a web browser that
renders fonts, etc.

>> Is it OK that a web browser that renders fonts can write to
>> the fontconfig cache? (Probably yes.)

Good question. But honestly, "Probably yes" is not a sufficient answer for
me. I expected, for example: yes or no. Add a rule or not. So, can you
answer more precisely for me? (Of course your answer is okay, but I'm
confused.) What I mean is: should I definitely add these rules?

✓ owner @{HOME}/.cache/fontconfig/ r,
✓ owner @{HOME}/.cache/fontconfig/* rw,

Or maybe just one rule is needed, because of a requested and denied mask
value, which is "c" (see first message and logs)? If it's a good idea, then
I should add something like:

✓ owner @{HOME}/.cache/fontconfig/ w,

Is it a sufficient rule? What do you think? Next one: '/etc/ld.so.conf'.
Here, you have also written a question about a web browser that loads
libraries and reads the cache and so on. And the answer was: "Almost certainly yes."

>> Is it OK that a web browser that loads libraries reads
>> the cache that tells it what libraries are available?

But I have some doubts. Sorry. "Almost certainly yes" does not sound like
e.g.: "yes, you should definitely add a rule for /etc/ld.so.conf" etc.

I'm sorry. I do understand your point of view and I agree with you, but in
this case I need a "simple" answer: yes, no. Yes, this whole thread is so
stupid and my questions are naive.

So, what should I do, taking into account all the facts mentioned in my
first message, e.g. about Firefox working okay even with these DENIED log
entries, etc.? On the other hand, there are your very good answers, where
you suggest adding these rules. That is the main reason I have no idea
what I should do.

OK: so, if according to Mr Simon's answers I should add these rules, I would
like to ask if they can look this way:

✓ owner @{HOME}/.cache/fontconfig/ w,
✓ /etc/ld.so.conf r,

By the way: thank you, Mr Simon, for the information about not using an
"owner" prefix for '/etc/ld.so.conf'. (I mean your answer: "/etc: no, root
owns files in /etc, so don't use an owner prefix." etc.)

There is one more thing: if Firefox is working normally, then maybe just
silence these log entries and use deny? What do you think? But that's just
an idea.

Once again: I'm sorry for my naive questions. I know that you're probably
sick of my Firefox and AppArmor "issues". Sorry.

Thanks, best regards.
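As an added example (not part of this message, and not AppArmor's own aa-logprof), the Python script below does by hand what the questions in the thread are about: it parses DENIED audit lines, merges the denied masks per path, maps the "c" (create) mask to the "w" permission a profile rule needs, adds the "owner" prefix only for files under the user's home that the denied uid actually owns (so /etc/ld.so.conf gets none), and can emit the same rules as "deny" rules when the goal is only to silence the log. The sample log lines, the profile name "firefox", the path /home/user and the assumption that home directories live under /home are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of AppArmor DENIED audit lines in the format the kernel
# logs (invented for this example; not copied from the mailing-list message).
# Uid 1000 owns the fontconfig cache file; /etc/ld.so.conf is owned by root.
SAMPLE_LOG = """\
audit: type=1400 audit(1517414199.123:45): apparmor="DENIED" operation="open" profile="firefox" name="/home/user/.cache/fontconfig/b1c2-le64.cache-7" pid=1234 comm="firefox" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1517414199.456:46): apparmor="DENIED" operation="open" profile="firefox" name="/home/user/.cache/fontconfig/b1c2-le64.cache-7" pid=1234 comm="firefox" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 audit(1517414199.789:47): apparmor="DENIED" operation="open" profile="firefox" name="/etc/ld.so.conf" pid=1234 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# Mask letters as reported in the audit log, mapped to the permission letter
# used in a profile rule. "c" (create) and "d" (delete) have no letter of their
# own in profile syntax: both are granted by "w", so a "c" denial needs a "w" rule.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "m": "m", "k": "k", "l": "l"}
PERM_ORDER = "rwamkl"

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HOME_RE = re.compile(r"^/home/[^/]+(/.*)$")  # assumption: home dirs live under /home


def parse_line(line):
    """Split one audit line into its key=value fields.
    Returns None for lines that are not AppArmor DENIED file entries."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    if fields.get("apparmor") != "DENIED" or "name" not in fields or "profile" not in fields:
        return None
    return fields


def rule_path(name, fsuid, ouid):
    """Turn a logged path into a profile path.
    The "owner" prefix is added only when the file is under the user's home
    and is owned by the uid that was denied (ouid == fsuid). Root-owned files
    such as those in /etc never get "owner"."""
    m = HOME_RE.match(name)
    if m and fsuid is not None and fsuid == ouid:
        return "owner @{HOME}" + m.group(1)
    return name


def suggest_rules(log_text, deny=False):
    """Merge DENIED entries per (profile, path) and return candidate rules as
    (profile, rule) tuples. With deny=True the rules are emitted as explicit
    deny rules: they grant nothing, but they silence the log entries."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        path = rule_path(f["name"], f.get("fsuid"), f.get("ouid"))
        for ch in f.get("denied_mask", ""):
            if ch not in MASK_TO_PERM:
                # exec ("x") and anything unexpected need a hand-written rule
                raise ValueError(f"mask {ch!r} needs manual review: {line}")
            perms[(f["profile"], path)].add(MASK_TO_PERM[ch])
    rules = []
    for (profile, path), letters in sorted(perms.items()):
        perm = "".join(sorted(letters, key=PERM_ORDER.index))
        rule = f"{path} {perm},"
        rules.append((profile, "deny " + rule if deny else rule))
    return rules


if __name__ == "__main__":
    for profile, rule in suggest_rules(SAMPLE_LOG):
        print(f"{profile}: {rule}")
```

The script emits one rule per logged file; widening the fontconfig rule to the whole cache directory, as the message proposes with `owner @{HOME}/.cache/fontconfig/* rw,`, is a judgement call that the tool deliberately leaves to the profile author, because a wildcard grants access to files the log never showed.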