Merge branch 'qt-settings-write' into 'master'

Add qt5 writing abstractions Qt-based applications stores QFileDialog (latest browsed directory) and other shared user settings inside ~/.config/QtProject.conf. Currently available qt abstraction only allows to read it (by design), so this patch introduces abstraction that grants permissions for writing. Relevant denies discovered with KDE Dragon Player: /var/log/audit/audit.log.1:type=AVC msg=audit(1533485161.999:981): apparmor="DENIED" operation="mknod" profile="/usr/bin/dragon" name="/home/vincas/.config/QtProject.conf.lock" pid=29911 comm="dragon" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000 type=AVC msg=audit(1533486419.266:1141): apparmor="DENIED" operation="file_lock" profile="/usr/bin/dragon" name="/home/vincas/.config/QtProject.conf.lock" pid=30406 comm="dragon" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 /var/log/audit/audit.log.1:type=AVC msg=audit(1533485206.575:1006): apparmor="DENIED" operation="link" profile="/usr/bin/dragon" name="/home/vincas/.config/QtProject.conf.Gflpds" pid=29946 comm="dragon" requested_mask="l" denied_mask="l" fsuid=1000 ouid=1000 target="/home/vincas/.config/#12982163" In addition, added new qt-compose-cache-write abstraction as some applications wants to write compose cache. qt5 abstraction is appended with read-only rule (that's enough for LibreOffice using KDE file dialog). See merge request apparmor/apparmor!159 Acked-by: John Johansen <john.johansen@canonical.com>
2025-03-05 17:01:00 +01:00 · 2018-09-18 10:03:08 +00:00 · 2018-09-18 10:03:08 +00:00 · 20de92c5d6
commit 20de92c5d6
parent 50658a9409 67816c42cf
3 changed files with 19 additions and 0 deletions
--- a/profiles/apparmor.d/abstractions/qt5
+++ b/profiles/apparmor.d/abstractions/qt5
@ -17,4 +17,5 @@
  # User files

  owner @{HOME}/.config/QtProject.conf r, # common settings for QFileDialog, etc (application might need write access)
+  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* r, # for "platforminputcontexts" plugins

--- a/profiles/apparmor.d/abstractions/qt5-compose-cache-write
+++ b/profiles/apparmor.d/abstractions/qt5-compose-cache-write
@ -0,0 +1,7 @@
+# vim:syntax=apparmor
+# Allow writing cache for Qt5 "platforminputcontexts" plugins
+
+  # User files
+
+  owner @{HOME}/.cache/qt_compose_cache_{little,big}_endian_* rw,
+
--- a/profiles/apparmor.d/abstractions/qt5-settings-write
+++ b/profiles/apparmor.d/abstractions/qt5-settings-write
@ -0,0 +1,11 @@
+# vim:syntax=apparmor
+# Allow writing shared settings for Qt-based applications
+
+  # User files
+
+  owner @{HOME}/.config/#[0-9]* rw,
+  owner @{HOME}/.config/QtProject.conf rw,
+  owner @{HOME}/.config/QtProject.conf.?????? l -> @{HOME}/.config/#[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],
+  owner @{HOME}/.config/QtProject.conf.?????? rw, # for temporary files like QtProject.conf.Aqrgeb
+  owner @{HOME}/.config/QtProject.conf.lock rwk,
+