Hello,

Yesterday, I noticed a strange lack of an abstraction rule in the default Evince profile (provided with the 16.04 LTS install), and I would like to ask whether it's just an oversight and whether one rule should be added: "abstractions/private-files-strict". Generally, this profile contains sub-profiles with these rules:

/usr/bin/evince {
  (...)
  # This is need for saving files in your home directory without
  # an extension. Changing this to '@{HOME}/** r' makes it require
  # an extension and more secure (but with 'rw', we still have
  # abstractions/private-files-strict in effect).
  owner @{HOME}/** rw,
  owner /media/** rw,

/usr/bin/evince-previewer {
  (...)
  # Lenient, but remember we still have abstractions/private-files-
  # strict in effect). Write is needed for 'print to file' from
  # the previewer.
  @{HOME}/ r,
  @{HOME}/** rw,

/usr/bin/evince-thumbnailer {
  (...)
  # Lenient, but remember we still have abstractions/private-files-
  # strict in effect).
  @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /media/** rw,
}

As we can see, there are comments suggesting that an abstraction rule with "private-files-strict" is in use, but it's not. (At least in the 16.04 LTS default profile.)

What do you think about this? Should the "private-files-strict" abstraction rule be added to the Evince profile and all sub-profiles?

Thanks, best regards.

--
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
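
The mismatch raised in the message above (comments that cite an abstraction the profile never includes) can be checked mechanically. This is an added example, not part of the original message or of the Ubuntu profile; the `audit` function and the sample text are assumptions, and only direct includes inside each profile block are considered.

```python
import re
from collections import defaultdict

INCLUDE = re.compile(r"^#?include\s+(?:if\s+exists\s+)?<(abstractions/[^>]+)>")
MENTION = re.compile(r"abstractions/[\w-]+")
# Constructed sample modelled on the quoted excerpt; the include line is an assumption.
SAMPLE = """\
/usr/bin/evince {
  # an extension and more secure (but with 'rw', we still have
  # abstractions/private-files-strict in effect).
  owner @{HOME}/** rw,
}
/usr/bin/evince-previewer {
  # Lenient, but remember we still have abstractions/private-files-
  # strict in effect).
  @{HOME}/** rw,
}
/usr/bin/evince-thumbnailer {
  #include <abstractions/private-files-strict>
  # Lenient, but remember we still have abstractions/private-files-
  # strict in effect).
}
"""

def audit(profile_text):
    """Map each profile to the abstractions its comments cite but it never includes."""
    included, mentioned = defaultdict(set), defaultdict(set)
    stack, comment = [], ""
    for raw in profile_text.splitlines() + [""]:
        line = raw.strip()
        inc = INCLUDE.match(line)
        if line.startswith("#") and not inc:
            # Rejoin names split across comment lines ("private-files-" / "strict").
            body = line.lstrip("#").strip()
            comment += body if comment.endswith("-") else " " + body
            continue
        if stack:  # a comment paragraph just ended: record what it cited
            mentioned[stack[-1]].update(MENTION.findall(comment))
        comment = ""
        if inc and stack:
            included[stack[-1]].add(inc.group(1))
        elif line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}" and stack:
            stack.pop()
    return {p: sorted(m - included[p]) for p, m in mentioned.items() if m - included[p]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An abstraction pulled in indirectly through another included file is not resolved, so a reported profile still needs a manual look before the rule is added.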