Merge profiles: add lock file permission to snap browsers

mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 16:35:02 +01:00

When opening snap browsers with evince using the snap_browsers
abstraction, we get the following AppArmor denials which prevent the
browsers from opening

audit: type=1400 audit(1685996894.479:225): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=13282 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

audit: type=1400 audit(1685997517.142:259): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=14200 comm="snap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0

This MR should be cherry-picked into 2.13, 3.0, 3.1

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1045
Approved-by: Christian Boltz <apparmor@cboltz.de>
Merged-by: Georgia Garcia <georgia.garcia@canonical.com>


(cherry picked from commit a00ece5b6e)

daec4bc8 profiles: add lock file permission to snap browsers

This commit is contained in:

Georgia Garcia

2023-06-06 11:14:43 +00:00

parent 2b980348a6

commit 72c3aa5378

1 changed files with 1 additions and 0 deletions

1

profiles/apparmor.d/abstractions/snap_browsers

View file

 @ -38,5 +38,6 @@ profile snap_browsers {
   /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
   /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
   /var/lib/snapd/inhibit/{chromium,firefox,opera}.lock rk,
   # add other browsers here
 }

Rows
Columns

Merge profiles: add lock file permission to snap browsers

1 profiles/apparmor.d/abstractions/snap_browsers Unescape Escape View file

1

profiles/apparmor.d/abstractions/snap_browsers

View file