Subject: profiles - owner usage for @{HOME} rules

From: Simon Deziel <simon.deziel@gmail.com> A fair number of the rules that apply to files in @{HOME} predate the existence of the 'owner' qualifier. This patch adds the 'owner' qualifier in several places. Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2025-03-04 16:35:02 +01:00 · 2013-01-04 22:05:53 -08:00 · 2013-01-04 22:05:53 -08:00 · e3e47a7b61
commit e3e47a7b61
parent 33bfedb95a
7 changed files with 38 additions and 39 deletions
--- a/profiles/apparmor.d/abstractions/X
+++ b/profiles/apparmor.d/abstractions/X
@ -13,10 +13,10 @@


  # .ICEauthority files required for X authentication, per user
-  @{HOME}/.ICEauthority r,
+  owner @{HOME}/.ICEauthority r,

  # .Xauthority files required for X connections, per user
-  @{HOME}/.Xauthority           r,
+  owner @{HOME}/.Xauthority r,
  owner /{,var/}run/gdm{,3}/*/database r,
  owner /{,var/}run/lightdm/authority/[0-9]* r,

--- a/profiles/apparmor.d/abstractions/audio
+++ b/profiles/apparmor.d/abstractions/audio
@ -40,12 +40,12 @@
 /usr/share/alsa/** r,
 /usr/share/sounds/** r,

-@{HOME}/.esd_auth  r,
-@{HOME}/.asoundrc  r,
+owner @{HOME}/.esd_auth r,
+owner @{HOME}/.asoundrc r,
 /etc/esound/esd.conf r,

 # libcanberra
-@{HOME}/.cache/event-sound-cache.* rwk,
+owner @{HOME}/.cache/event-sound-cache.* rwk,

 # pulse
 /etc/pulse/ r,
--- a/profiles/apparmor.d/abstractions/fonts
+++ b/profiles/apparmor.d/abstractions/fonts
@ -33,14 +33,14 @@
  /usr/share/texmf/{,*/}fonts/**        r,
  /var/lib/ghostscript/**               r,

-  @{HOME}/.fonts.conf                   r,
-  @{HOME}/.fonts/                       r,
-  @{HOME}/.fonts/**                     r,
-  @{HOME}/.fonts.cache-2               mr,
-  @{HOME}/.{,cache/}fontconfig/         r,
-  @{HOME}/.{,cache/}fontconfig/**     mrl,
-  @{HOME}/.fonts.conf.d/                r,
-  @{HOME}/.fonts.conf.d/**              r,
+  owner @{HOME}/.fonts.conf             r,
+  owner @{HOME}/.fonts/                 r,
+  owner @{HOME}/.fonts/**               r,
+  owner @{HOME}/.fonts.cache-2          mr,
+  owner @{HOME}/.{,cache/}fontconfig/   r,
+  owner @{HOME}/.{,cache/}fontconfig/** mrl,
+  owner @{HOME}/.fonts.conf.d/          r,
+  owner @{HOME}/.fonts.conf.d/**        r,

  /usr/local/share/fonts/               r,
  /usr/local/share/fonts/**             r,
--- a/profiles/apparmor.d/abstractions/gnome
+++ b/profiles/apparmor.d/abstractions/gnome
@ -38,24 +38,24 @@
  /usr/lib/@{multiarch}/gdk-pixbuf-*/** mr,

  # per-user gtk configuration
-  @{HOME}/.gnome/Gnome            r,
-  @{HOME}/.gtk                    r,
-  @{HOME}/.gtkrc                  r,
-  @{HOME}/.gtkrc-2.0              r,
-  @{HOME}/.gtk-bookmarks          r,
-  @{HOME}/.themes/                r,
-  @{HOME}/.themes/**              r,
+  owner @{HOME}/.gnome/Gnome            r,
+  owner @{HOME}/.gtk                    r,
+  owner @{HOME}/.gtkrc                  r,
+  owner @{HOME}/.gtkrc-2.0              r,
+  owner @{HOME}/.gtk-bookmarks          r,
+  owner @{HOME}/.themes/                r,
+  owner @{HOME}/.themes/**              r,

  # for gtk file dialog
-  @{HOME}/.config/gtk-2.0/**                    r,
-  @{HOME}/.config/gtk-2.0/gtkfilechooser.ini*   rw,
+  owner @{HOME}/.config/gtk-2.0/**                  r,
+  owner @{HOME}/.config/gtk-2.0/gtkfilechooser.ini* rw,

  # from evolution-mail
-  @{HOME}/.gconfd/lock/*                        r,
-  @{HOME}/.gnome/application-info               r,
+  owner @{HOME}/.gconfd/lock/*                      r,
+  owner @{HOME}/.gnome/application-info             r,

  # per-user font business
-  @{HOME}/.fonts.cache-*          rwl,
+  owner @{HOME}/.fonts.cache-*    rwl,

  # icon caches
  /var/cache/**/icon-theme.cache  r,
--- a/profiles/apparmor.d/abstractions/gnupg
+++ b/profiles/apparmor.d/abstractions/gnupg
@ -2,9 +2,9 @@
 # gnupg sub-process running permissions

  # user configurations
-  @{HOME}/.gnupg/options r,
-  @{HOME}/.gnupg/pubring.gpg r,
-  @{HOME}/.gnupg/random_seed rw,
-  @{HOME}/.gnupg/secring.gpg r,
-  @{HOME}/.gnupg/so/*.x86_64 mr,
-  @{HOME}/.gnupg/trustdb.gpg rw,
+  owner @{HOME}/.gnupg/options     r,
+  owner @{HOME}/.gnupg/pubring.gpg r,
+  owner @{HOME}/.gnupg/random_seed rw,
+  owner @{HOME}/.gnupg/secring.gpg r,
+  owner @{HOME}/.gnupg/so/*.x86_64 mr,
+  owner @{HOME}/.gnupg/trustdb.gpg rw,
--- a/profiles/apparmor.d/abstractions/kde
+++ b/profiles/apparmor.d/abstractions/kde
@ -23,13 +23,13 @@
 /etc/kde3/* r,
 /etc/kde4rc r,

-@{HOME}/.DCOPserver_* r,
-@{HOME}/.ICEauthority r,
-@{HOME}/.fonts.* lrw,
-@{HOME}/.kde{,4}/share/config/kdeglobals rw,
-@{HOME}/.kde{,4}/share/config/*.lock rwl,
-@{HOME}/.qt/** rw,
-@{HOME}/.config/Trolltech.conf rwk,
+owner @{HOME}/.DCOPserver_* r,
+owner @{HOME}/.ICEauthority r,
+owner @{HOME}/.fonts.* lrw,
+owner @{HOME}/.kde{,4}/share/config/kdeglobals rw,
+owner @{HOME}/.kde{,4}/share/config/*.lock rwl,
+owner @{HOME}/.qt/** rw,
+owner @{HOME}/.config/Trolltech.conf rwk,

 /usr/share/icons/ r,
 /usr/share/icons/** r,
--- a/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
+++ b/profiles/apparmor.d/abstractions/ubuntu-browsers.d/user-files
@ -5,7 +5,6 @@
  @{HOME}/ r,
  @{HOME}/** r,
  owner @{HOME}/** w,
-  owner @{HOME}/Desktop/** r,

  # Do not allow read and/or write to particularly sensitive/problematic files
  #include <abstractions/private-files>