On 12/18/2012 02:54 PM, Simon Deziel wrote:
> On 12-12-18 05:39 PM, Jamie Strandboge wrote:
>>
>> Sigh, forgot to reply all...
>>
>> -------- Original Message --------
>> Subject: Re: [apparmor] owner usage for @{HOME} rules
>> Date: Tue, 18 Dec 2012 16:38:41 -0600
>> From: Jamie Strandboge <ja...@canonical.com>
>> To: Simon Deziel <simon.dez...@gmail.com>
>>
>> On 12/18/2012 04:26 PM, Simon Deziel wrote:
>>> Hi all,
>>>
>>> I am wondering why some of the profile abstractions are not using the
>>> owner prefix with the variable @{HOME} while many others do (and some
>>> mix both)?
>>>
>>> Some stats from my Ubuntu 12.04 box:
>>>
>>> $ grep -crE '^[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
>>> /etc/apparmor.d/abstractions/kde:7
>>> /etc/apparmor.d/abstractions/X:2
>>> /etc/apparmor.d/abstractions/audio:3
>>> /etc/apparmor.d/abstractions/libvirt-qemu:1
>>> /etc/apparmor.d/abstractions/gnupg:6
>>> /etc/apparmor.d/abstractions/fonts:8
>>> /etc/apparmor.d/abstractions/gnome:12
>>> /etc/apparmor.d/abstractions/bash:4
>>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
>>> /etc/apparmor.d/abstractions/web-data:2
>>>
>>> $ grep -crE '^[[:space:]]*owner[[:space:]]*@{HOME}' /etc/apparmor.d/abstractions/ | grep -v :0$
>>> /etc/apparmor.d/abstractions/X:1
>>> /etc/apparmor.d/abstractions/audio:4
>>> /etc/apparmor.d/abstractions/user-tmp:2
>>> /etc/apparmor.d/abstractions/user-write:9
>>> /etc/apparmor.d/abstractions/user-download:6
>>> /etc/apparmor.d/abstractions/user-mail:9
>>> /etc/apparmor.d/abstractions/enchant:2
>>> /etc/apparmor.d/abstractions/ibus:3
>>> /etc/apparmor.d/abstractions/ubuntu-media-players:2
>>> /etc/apparmor.d/abstractions/xdg-desktop:4
>>> /etc/apparmor.d/abstractions/user-manpages:3
>>> /etc/apparmor.d/abstractions/freedesktop.org:12
>>> /etc/apparmor.d/abstractions/base:1
>>> /etc/apparmor.d/abstractions/aspell:1
>>> /etc/apparmor.d/abstractions/cups-client:2
>>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/java:6
>>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/multimedia:2
>>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/user-files:2
>>> /etc/apparmor.d/abstractions/ubuntu-browsers.d/productivity:1
>>>
>>
>> My guess is that most of the ones without explicit owner match predate
>> 'owner' in apparmor.
>
> Ah, that makes sense.
>
>> It would be worthwhile to update the ones where it
>> makes sense to do so. Eg, this one would for sure not be one we would
>> want to add owner to:
>> /etc/apparmor.d/abstractions/web-data: @{HOME}/public_html/ r,
>> /etc/apparmor.d/abstractions/web-data: @{HOME}/public_html/** r,
>
> Yes, indeed.
>
>> Also, abstractions/ubuntu-browsers.d/user-files was intentional as well:
>> # Allow read to all files user has DAC access to and write access to all
>> # files owned by the user in $HOME.
>> @{HOME}/ r,
>> @{HOME}/** r,
>> owner @{HOME}/** w,
>> owner @{HOME}/Desktop/** r,
>
> The rule "owner @{HOME}/Desktop/** r," is superfluous, isn't it?
>
Yes, it will get subsumed by @{HOME}/** r, and since permissions are accumulated the tighter owner restrictions will be lost.

>> A quick glance at the others indicates they could probably be changed
>> without issue.
>
> OK, so I'll try to send a patch here. Thanks!
>
> Simon
>

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
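The point at the end of the thread, that permissions from every matching rule are accumulated so an `owner`-prefixed read rule under a broader unprefixed read rule adds nothing, is easy to check with a small model. The following is an added example written for this page; it is not code from the thread or from the AppArmor project, and it is a deliberately simplified model rather than the AppArmor parser. It assumes that `@{HOME}` expands to `/home/*`, that `**` spans directory separators while `*` and `?` do not, that "owner" reduces to a single boolean (the file is or is not owned by the confined process's user), and that a rule counts as subsumed when dropping it changes no effective permission on a constructed set of sample paths.

```python
import re

# Toy model of AppArmor file-rule accumulation (constructed example, not
# the real parser). Rules are matched by glob against a path; "owner"
# rules only contribute when the file is owned by the process's user;
# permissions from all matching rules are unioned.

VARIABLES = {"@{HOME}": "/home/*"}   # assumption: one fixed @{HOME} expansion

def expand_vars(path_glob, variables=VARIABLES):
    """Substitute profile variables such as @{HOME} into a rule path."""
    for name, value in variables.items():
        path_glob = path_glob.replace(name, value)
    return path_glob

def glob_to_regex(path_glob):
    """Translate an AppArmor-style glob to an anchored regex:
    '**' crosses '/' boundaries, '*' and '?' stay within one component."""
    out, i = [], 0
    while i < len(path_glob):
        if path_glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = path_glob[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

# Accepts only the simple "[owner] <path> <perms>," form used in the thread.
RULE_RE = re.compile(r"^\s*(owner\s+)?(\S+)\s+([rwxmlk]+)\s*,\s*$")

def parse_rule(line):
    """Parse one file rule into a dict with its compiled path regex."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unsupported rule: " + line)
    owner_only, path_glob, perms = m.groups()
    return {
        "owner": owner_only is not None,
        "regex": glob_to_regex(expand_vars(path_glob)),
        "perms": set(perms),
        "text": line.strip(),
    }

def effective_perms(rules, path, file_owned_by_user):
    """Union of permissions from every rule matching `path`; 'owner'
    rules are skipped when the user does not own the file."""
    granted = set()
    for rule in rules:
        if rule["owner"] and not file_owned_by_user:
            continue
        if rule["regex"].match(path):
            granted |= rule["perms"]
    return granted

def subsumed(rules, candidate, sample_paths):
    """True if removing `candidate` leaves the effective permissions
    unchanged on every sample path, for owned and non-owned files.
    (Approximate: only the given sample paths are checked.)"""
    without = [r for r in rules if r is not candidate]
    for path in sample_paths:
        for owned in (True, False):
            if effective_perms(rules, path, owned) != effective_perms(without, path, owned):
                return False
    return True

# The user-files abstraction rules quoted in the thread.
USER_FILES_RULES = [parse_rule(line) for line in [
    "@{HOME}/ r,",
    "@{HOME}/** r,",
    "owner @{HOME}/** w,",
    "owner @{HOME}/Desktop/** r,",
]]

# Constructed sample paths (no real system is consulted).
SAMPLE_PATHS = [
    "/home/simon/",
    "/home/simon/.bashrc",
    "/home/simon/Desktop/notes.txt",
    "/etc/passwd",
]

if __name__ == "__main__":
    for rule in USER_FILES_RULES:
        print(f"{rule['text']:35} subsumed={subsumed(USER_FILES_RULES, rule, SAMPLE_PATHS)}")
    for path in SAMPLE_PATHS:
        for owned in (True, False):
            perms = "".join(sorted(effective_perms(USER_FILES_RULES, path, owned)))
            print(f"{path:32} owned={owned!s:5} perms={perms or '-'}")
```

Running it shows that the `owner @{HOME}/Desktop/** r,` rule is the only one whose removal changes nothing: a Desktop file not owned by the user is already readable through `@{HOME}/** r,`, so the `owner` qualifier on the narrower read rule never restricts anything. The same `subsumed` check is a useful sanity pass when adding `owner` to the older abstractions the thread discusses, since an `owner` rule only tightens access when no broader unprefixed rule grants the same permission.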