On 12-12-18 05:39 PM, Jamie Strandboge wrote:
>
> Sigh, forgot to reply all...
>
> -------- Original Message --------
> Subject: Re: [apparmor] owner usage for @{HOME} rules
> Date: Tue, 18 Dec 2012 16:38:41 -0600
> From: Jamie Strandboge <ja...@canonical.com>
> To: Simon Deziel <simon.dez...@gmail.com>
>
> On 12/18/2012 04:26 PM, Simon Deziel wrote:
>> Hi all,
>>
>> I am wondering why some of the profile abstractions are not using the
>> owner prefix with the variable @{HOME} while many others do (and some
>> mix both)?
>>
>> Some stats from my Ubuntu 12.04 box:
>>
>> $ grep -crE '^[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
>> /etc/apparmor.d/abstractions/kde:7
>> /etc/apparmor.d/abstractions/X:2
>> /etc/apparmor.d/abstractions/audio:3
>> /etc/apparmor.d/abstractions/libvirt-qemu:1
>> /etc/apparmor.d/abstractions/gnupg:6
>> /etc/apparmor.d/abstractions/fonts:8
>> /etc/apparmor.d/abstractions/gnome:12
>> /etc/apparmor.d/abstractions/bash:4
>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
>> /etc/apparmor.d/abstractions/web-data:2
>>
>> $ grep -crE '^[[:space:]]*owner[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
>> /etc/apparmor.d/abstractions/X:1
>> /etc/apparmor.d/abstractions/audio:4
>> /etc/apparmor.d/abstractions/user-tmp:2
>> /etc/apparmor.d/abstractions/user-write:9
>> /etc/apparmor.d/abstractions/user-download:6
>> /etc/apparmor.d/abstractions/user-mail:9
>> /etc/apparmor.d/abstractions/enchant:2
>> /etc/apparmor.d/abstractions/ibus:3
>> /etc/apparmor.d/abstractions/ubuntu-media-players:2
>> /etc/apparmor.d/abstractions/xdg-desktop:4
>> /etc/apparmor.d/abstractions/user-manpages:3
>> /etc/apparmor.d/abstractions/freedesktop.org:12
>> /etc/apparmor.d/abstractions/base:1
>> /etc/apparmor.d/abstractions/aspell:1
>> /etc/apparmor.d/abstractions/cups-client:2
>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/java:6
>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia:2
>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity:1
>>
>
> My guess is that most of the ones without explicit owner match predate
> 'owner' in apparmor.

Ah, that makes sense.

> It would be worthwhile to update the ones where it
> makes sense to do so. E.g., this one would for sure not be one we would
> want to add owner to:
> /etc/apparmor.d/abstractions/web-data: @{HOME}/public_html/ r,
> /etc/apparmor.d/abstractions/web-data: @{HOME}/public_html/** r,

Yes, indeed.

> Also, abstractions/ubuntu-browsers.d/user-files was intentional as well:
> # Allow read to all files user has DAC access to and write access to all
> # files owned by the user in $HOME.
> @{HOME}/ r,
> @{HOME}/** r,
> owner @{HOME}/** w,
> owner @{HOME}/Desktop/** r,

The rule "owner @{HOME}/Desktop/** r," is superfluous, isn't it?

> A quick glance at the others indicates they could probably be changed
> without issue.

OK, so I'll try to send a patch here.

Thanks!
Simon

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
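The question raised in the thread, whether "owner @{HOME}/Desktop/** r," adds anything once "@{HOME}/** r," is present, can be checked mechanically. The script below is an added example, not code from the thread or from the AppArmor project: it parses simple file rules, turns AppArmor globs into regexes (modelling the rule that `/dir/**` does not match `/dir/` itself), and reports rules whose access is already granted by a broader rule, treating `owner` as a restriction that an unrestricted rule always covers. The sample rules are constructed after the user-files abstraction quoted above, and the subsumption check is a heuristic that substitutes a representative path for the narrower glob.

```python
import re

# Constructed sample modelled on the user-files rules quoted in the thread.
SAMPLE = """\
@{HOME}/ r,
@{HOME}/** r,
owner @{HOME}/** w,
owner @{HOME}/Desktop/** r,
"""

# Simple file rules only: optional 'owner', a path glob, a permission string.
RULE_RE = re.compile(r'^\s*(owner\s+)?(\S+)\s+([a-zA-Z]+)\s*,\s*$')

def parse_rules(text):
    """Return (owner, path, perms) for each file rule; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1) is not None, m.group(2), set(m.group(3))))
    return rules

def glob_to_regex(path):
    # '**' may span '/', '*' may not; neither matches the empty string right
    # after a '/', so '/dir/**' excludes '/dir/' itself (as AppArmor does).
    def repl(m):
        after_slash = m.start() == 0 or path[m.start() - 1] == '/'
        if m.group() == '**':
            return '[^/].*' if after_slash else '.*'
        if m.group() == '*':
            return '[^/]+' if after_slash else '[^/]*'
        return re.escape(m.group())
    return re.compile('^' + re.sub(r'\*\*|\*|[^*]+', repl, path) + '$')

def subsumed_by(narrow, broad):
    """True if every access 'narrow' grants is already granted by 'broad'.
    Heuristic: a representative path stands in for the narrow glob."""
    n_owner, n_path, n_perms = narrow
    b_owner, b_path, b_perms = broad
    if b_owner and not n_owner:  # 'owner' only narrows; it cannot cover an unrestricted rule
        return False
    sample = n_path.replace('**', 'any/deep').replace('*', 'any')
    return n_perms <= b_perms and glob_to_regex(b_path).match(sample) is not None

def redundant_rules(text):
    """Rules fully covered by some other rule in the same text."""
    rules = parse_rules(text)
    return [r for r in rules
            if any(subsumed_by(r, o) for o in rules if o is not r)]
```

Run against the sample, `redundant_rules` reports only the Desktop rule, while "@{HOME}/ r," survives because "@{HOME}/**" does not match the directory itself.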