From 085d4cd0e245195ed52c5920bcb5ce1d39b039a2 Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Mon, 16 Nov 2020 20:42:00 +0100 Subject: [PATCH] abstractions/X: Allow (only) reading X compose cache ... (/var/cache/libx11/compose/*), and deny any write attempts Reported by darix, https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/685 (cherry picked from commit 78bd811e2a23f55974991cd208f6a17749655c21) Signed-off-by: John Johansen --- profiles/apparmor.d/abstractions/X | 2 ++ 1 file changed, 2 insertions(+) diff --git a/profiles/apparmor.d/abstractions/X b/profiles/apparmor.d/abstractions/X index ced3c6ba9..7c48ac039 100644 --- a/profiles/apparmor.d/abstractions/X +++ b/profiles/apparmor.d/abstractions/X @@ -55,6 +55,8 @@ # Xcompose owner @{HOME}/.XCompose r, + /var/cache/libx11/compose/* r, + deny /var/cache/libx11/compose/* wlk, # mouse themes /etc/X11/cursors/ r,
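Review bot: the added `deny /var/cache/libx11/compose/* wlk,` line in abstractions/X has no comment explaining why an explicit deny is used, and its effects are broader than the rule suggests. AppArmor deny rules take precedence over allow rules, so no profile that includes this abstraction can later grant write, lock or link access to the compose cache. An explicit deny also suppresses the audit log entries for those attempts, so blocked writes will no longer be visible. If silencing that log noise is the intent, state it in a comment beside the rule, since both new lines currently sit under the existing `# Xcompose` comment with no mention of the cache. Also note that `*` matches only entries directly inside `/var/cache/libx11/compose/`, not the directory itself or anything nested below it, so confirm that this is the full set of paths the X library touches.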