On 2017-12-03 19:00, Carsten Schoenert wrote:
_The question is_, will you agree to ship an empty file
`/etc/apparmor.d/local/tunables/usr.bin.thunderbird`? We do not have
"#include_if_exists" or a similar mechanism in the AppArmor parser to avoid that
yet.

I'm not against shipping such an empty file.
OTOH I have no deep knowledge of how AppArmor works internally, but
in the long term we would need some mechanism that allows users to configure
the needed behaviour inside their Home.

John was talking about "policy namespaces" on #apparmor:

```
[2017 m. november 29 d., wednesday] [21:32:18 EET] <jjohansen> Or a user could have a firefox profile, and could edit it and load it without being a sysadmin
[2017 m. november 29 d., wednesday] [21:33:20 EET] <jjohansen> the sysadmin could specify a separate firefox profile if so desired or they may decide to just have a role type profile on the user and let the user worry about differentiating their own applications
[2017 m. november 29 d., wednesday] [21:33:30 EET] <jjohansen> it opens up a lot of possibilities
```

Not sure when this feature will come up though.

Couldn't something like this be added?

   #include_if_exists <@HOME/.config/apparmor/usr.bin.*>

As long as the apparmor stuff is placed in /etc/apparmor the user needs
admin rights to change or add something. That's mostly no problem if the
user is a typical SOHO user but quite impossible when using a Linux system
at a university or company, e.g.

If the above is possible we could prepare some example stuff in
/u/s/d/thunderbird that users can simply copy and change to their needs.

If we had only that `#include_if_exists` (and we don't), this example would include rules from all users (that have it defined) on the system into one global policy applied to all users, so I'm not sure if that's OK. Also, reloading the policy after applying changes would still need root permissions. So, we need that policy-per-user, a.k.a. "policy namespaces" as JJ talked about, _if_ I understood that correctly.

I have attached a WIP patch that I will propose as an AppArmor pull request myself,
but only if you agree with this plan.

We can add that change of course as we need to start somewhere. For
52.5.0 it's too late now. But I can upload a further version with more
apparmor related changes in the next weeks.

Well, if we are bound to wait for "policy namespaces", my patch probably (not sure how the variable would be handled in that case) becomes redundant. If we wait for #include_if_exists, the empty file is unneeded.

The most realistic approach (IMHO) would still be an empty file and a new @{thunderbird_user_dirs} variable as in the patch, so that the affected users of this bug report could extend the Thunderbird policy without modifying the main profile (which would get overwritten after an update), by writing only one line into /etc/apparmor.d/local/tunables/usr.local.bin.thunderbird. Only because the timeline is within weeks, not... well, I do not know how long :-).
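As an added illustration, not part of this thread or of the attached patch (whose contents are not shown here), this is how the "variable plus empty local tunables file" arrangement discussed above fits together with AppArmor's existing `#include` syntax. The page names only the local tunables file and the `@{thunderbird_user_dirs}` variable; the path of the package-shipped tunables file, the placeholder default value, the profile header and the admin's example directory are all my assumptions.

```apparmor
# --- /etc/apparmor.d/tunables/usr.bin.thunderbird (assumed path, shipped by the package) ---
# Default value for the variable. It is a placeholder here; the real patch may choose
# another default. A variable must be defined before a later file can extend it with "+=".
@{thunderbird_user_dirs}=@{HOME}/.thunderbird/

# There is no #include_if_exists in the parser (the point made in the thread), so this
# include target must exist even when it contains nothing. That is why the package would
# ship /etc/apparmor.d/local/tunables/usr.bin.thunderbird as an empty file.
#include <local/tunables/usr.bin.thunderbird>

# --- /etc/apparmor.d/local/tunables/usr.bin.thunderbird (shipped empty) ---
# The one line a local admin adds so Thunderbird may also use a mail directory outside
# the default location. The directory name is a constructed example.
@{thunderbird_user_dirs}+=@{HOME}/Mail/

# --- /etc/apparmor.d/usr.bin.thunderbird (excerpt; only the lines that use the variable) ---
#include <tunables/global>
#include <tunables/usr.bin.thunderbird>

/usr/bin/thunderbird {
  # (the rest of the real profile's rules go here)

  # Every value in the variable expands to its own rule; "owner" limits access to files
  # owned by the user running Thunderbird.
  owner @{thunderbird_user_dirs}/ r,
  owner @{thunderbird_user_dirs}/** rwk,
}
```

Because the main profile is untouched, a package update that replaces `/etc/apparmor.d/usr.bin.thunderbird` leaves the admin's addition in place. Loading the changed policy is still `apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird` run as root, which is exactly the limitation the message raises: this arrangement helps the local admin, not an unprivileged user, and per-user policy would still need the "policy namespaces" feature.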
