Hello

Yesterday, I noticed a strange lack of an abstraction rule in the default
Evince profile (provided with the 16.04 LTS install) and I would like to ask
whether it's just an oversight and one rule should be added:
"abstractions/private-files-strict". Generally, this profile contains
sub-profiles with these rules:

/usr/bin/evince {
  (...)
  # This is needed for saving files in your home directory without
  # an extension. Changing this to '@{HOME}/** r' makes it require
  # an extension and is more secure (but with 'rw', we still have
  # abstractions/private-files-strict in effect).
  owner @{HOME}/** rw,
  owner /media/**  rw,
}

/usr/bin/evince-previewer {
  (...)
  # Lenient, but remember we still have abstractions/private-files-strict
  # in effect. Write is needed for 'print to file' from the previewer.
  @{HOME}/ r,
  @{HOME}/** rw,
}

/usr/bin/evince-thumbnailer {
  (...)
  # Lenient, but remember we still have abstractions/private-files-strict
  # in effect.
  @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /media/**  rw,
}

As we can see, there are comments suggesting that an abstraction rule with
"private-files-strict" is in use, but it is not. (At least in the 16.04 LTS
default profile.) What do you think about this? Should the
abstractions/private-files-strict rule be added to the Evince profile and all
sub-profiles?

Thanks, best regards.
-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
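As an added example (not code from this message, the AppArmor project, or the Ubuntu Evince package), the following POSIX shell script scans an AppArmor profile file and lists the top-level profiles that never include a given abstraction, which is exactly the mismatch the message describes: a comment that mentions abstractions/private-files-strict is not an include of it. The sample profile text is constructed to mirror the structure quoted above and is not the real /etc/apparmor.d/usr.bin.evince; the function names profiles_missing_abstraction and check_profile_file are this example's own.

```shell
#!/bin/sh
# Added example: list top-level AppArmor profiles that lack an abstraction.
# Not part of the Ubuntu Evince profile or the AppArmor project.

# Constructed sample (not the real /etc/apparmor.d/usr.bin.evince): three
# top-level profiles; only evince-previewer really includes the abstraction,
# while evince only mentions it in a comment, as the quoted profile does.
SAMPLE_PROFILE=$(cat <<'EOF'
#include <tunables/global>

/usr/bin/evince {
  #include <abstractions/base>
  # abstractions/private-files-strict is mentioned here but never included
  owner @{HOME}/** rw,
  owner /media/**  rw,
}

/usr/bin/evince-previewer {
  #include <abstractions/base>
  #include <abstractions/private-files-strict>
  @{HOME}/ r,
  @{HOME}/** rw,
}

/usr/bin/evince-thumbnailer {
  #include <abstractions/base>
  @{HOME}/ r,
  owner @{HOME}/** rw,
  owner /media/**  rw,
}
EOF
)

# Print, one per line, the names of the top-level profiles read from stdin
# that never include <abstractions/$1> (default: private-files-strict).
# Accepts both the classic "#include <...>" and the newer "include <...>".
profiles_missing_abstraction() {
    abs="${1:-private-files-strict}"
    awk -v abs="$abs" '
        BEGIN { inc = "^[ \t]*#?include[ \t]+<abstractions/" abs ">" }
        # A top-level profile opens with an unindented line ending in "{".
        # Both "/usr/bin/evince {" and "profile name /path {" are accepted;
        # indented (nested) profiles are deliberately not tracked.
        /^[^ \t#].*[{][ \t]*$/ {
            name = ($1 == "profile") ? $2 : $1
            found = 0
            next
        }
        # Any real include of the abstraction inside the open block counts;
        # a comment that merely names the abstraction does not match.
        name != "" && $0 ~ inc { found = 1 }
        # The block closes on an unindented "}"; report it if nothing matched.
        /^[}]/ {
            if (name != "" && !found) print name
            name = ""
        }
    '
}

# Exit 0 when every profile on stdin includes the abstraction; otherwise
# print the offenders and exit 1, so it can gate a packaging or CI check.
check_profile_file() {
    abs="${1:-private-files-strict}"
    missing=$(profiles_missing_abstraction "$abs")
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" | while read -r p; do
        printf '%s lacks #include <abstractions/%s>\n' "$p" "$abs"
    done
    return 1
}

# Usage against a real file: check_profile_file < /etc/apparmor.d/usr.bin.evince
# Run against the constructed sample above:
if printf '%s\n' "$SAMPLE_PROFILE" | check_profile_file; then
    echo "every profile includes abstractions/private-files-strict"
fi
```

On the constructed sample the check reports /usr/bin/evince and /usr/bin/evince-thumbnailer, which is the situation the message describes: the comments talk about private-files-strict, but only an actual include line puts the abstraction in effect.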
