From b4e5837bb9c84a68bbfdc8f6781d8b2dc86a894a Mon Sep 17 00:00:00 2001
From: Jose Maldonado <63384398+yukiteruamano@users.noreply.github.com>
Date: Sun, 28 Apr 2024 06:27:39 -0400
Subject: [PATCH] Fix access to /tmp using libpam-tmpdir in Debian (#318)
In Debian with the use of libpam-tmpdir, the paths for $TMP and $TMPDIR for PAM sessions are affected by much stronger rules and permissions, providing additional security to the environment. Those rules for the directory /tmp/user/@{uid}/ In the case of qBitorrent this applies to the following directory: /tmp/user/@{uid}/.qBitorrent This PR fixes the bug and allows qBittorrent to work correctly under these conditions. Note: This PR would also have positive effects on Whonix, which uses libpam-tmpdir according to this link (https://forums.whonix.org/t/make-symlink-attacks-and-other-tmp-based-attacks-harder-or-impossible-using-libpam-tmpdir/8488)
---
 apparmor.d/profiles-m-r/qbittorrent | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent
index ff7d4bd8..f8160340 100644
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@@ -108,6 +108,8 @@ profile qbittorrent @{exec_path} {
 owner /tmp/qtsingleapp-qBitto-* rw,
 owner /tmp/qtsingleapp-qBitto-*-lockfile rwk,
 owner /tmp/tmp* rw,
+ owner /tmp/user/@{uid}/.qBittorrent/ rw,
+ owner /tmp/user/@{uid}/.qBittorrent/** rw,
 owner @{PROC}/@{pids}/cmdline r,
 owner @{PROC}/@{pids}/comm r,
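Review bot: The two added rules cover only `.qBittorrent/` under `/tmp/user/@{uid}/`, while the context rules just above them for `/tmp/qtsingleapp-qBitto-*`, its `-lockfile` and `/tmp/tmp*` stay pinned to `/tmp/`. If those files are also created through $TMPDIR (likely for the Qt single-instance socket and lock, though the hunk does not show it), they would land in the per-user directory under libpam-tmpdir and still be denied. Consider adding `owner /tmp/user/@{uid}/qtsingleapp-qBitto-* rw,` and `owner /tmp/user/@{uid}/qtsingleapp-qBitto-*-lockfile rwk,` once the profile's denials in the audit log confirm the paths, rather than widening to everything under the per-user directory. A one-line comment such as `# libpam-tmpdir: per-user TMPDIR is /tmp/user/@{uid}/` above the new rules would record why the path is there. The profile body continues outside the hunk, so matching rules may already exist elsewhere.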