Comment 1 for bug 698194

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting a bug and helping to make Ubuntu better.

We can't disable all of ~/.config because of the way that 'deny' works in AppArmor (once you explicitly add a deny rule, you can't override it later). However, I think it is appropriate to:

Add this to private-files:
 audit deny @{HOME}/.config/autostart/** mrwkl,
 audit deny @{HOME}/.kde/Autostart/** mrwkl,

And add this to private-files-strict:
 audit deny @{HOME}/.config/chromium/** mrwkl,
 audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
 audit deny @{HOME}/.evolution/** mrwkl,
 audit deny @{HOME}/.config/evolution/** mrwkl,

And this to the evince abstraction:
 audit deny @{HOME}/.kde/share/config/** mrwkl,
 audit deny @{HOME}/.config/chromium/** mrwkl,
 audit deny @{HOME}/.evolution/** mrwkl,
 audit deny @{HOME}/.config/evolution/** mrwkl,

 # we want access to the thunderbird Cache directory
 audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
 audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,

Furthermore, I believe the change to private-files should be an SRU.
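
The rules in the comment above depend on two AppArmor behaviours: an explicit deny wins over any allow rule, and the thunderbird Cache carve-out is built from per-position negated character classes. The Python sketch below is an added example, not part of the original comment or of AppArmor itself; it models path matching only (no permission bits), its glob translation is simplified, and `/home/alice`, the `ALLOW` list and the sample paths are assumptions.

```python
import re

HOME = "/home/alice"  # constructed stand-in for the @{HOME} tunable
SIMPLE = {"*": "[^/]*", "?": "[^/]", "{": "(?:", "}": ")"}
DENY = [  # path globs taken from the rules in the comment
    "@{HOME}/.config/autostart/**",
    "@{HOME}/.{,mozilla-}thunderbird/*/*",
    "@{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/**",
]
# Hypothetical allow rules; the second one tries to re-open a denied path.
ALLOW = ["@{HOME}/**", "@{HOME}/.config/autostart/**"]

def glob_to_regex(glob):
    """Simplified AppArmor path glob -> regex (not apparmor_parser's own code)."""
    glob, out, i, depth = glob.replace("@{HOME}", HOME), [], 0, 0
    while i < len(glob):
        if glob.startswith("**", i):      # ** crosses directory boundaries
            out.append(".*")
            i += 2
        elif glob[i] == "[":              # character class, copied through
            end = glob.index("]", i) + 1
            out.append(glob[i:end])
            i = end
        else:
            c = glob[i]
            depth += (c == "{") - (c == "}")
            if c == "," and depth:        # comma separates {a,b} alternatives
                out.append("|")
            else:                         # * and ? stay inside one component
                out.append(SIMPLE.get(c, re.escape(c)))
            i += 1
    return re.compile("".join(out))

def decide(path, allow=ALLOW, deny=DENY):
    """Explicit deny is checked first, so no allow rule can override it."""
    def matches(rules):
        return any(glob_to_regex(r).fullmatch(path) for r in rules)
    if matches(deny):
        return "deny"
    return "allow" if matches(allow) else "implicit-deny"

if __name__ == "__main__":
    for p in (".config/autostart/x.desktop", ".thunderbird/abc.default/prefs.js",
              ".thunderbird/abc.default/Cache/entry",
              ".thunderbird/abc.default/Mail/Local Folders/Inbox"):
        print(decide(f"{HOME}/{p}"), p)
```

The negated classes are tested position by position, so a directory name that shares any character position with `Cache`, or that is shorter than five characters, is not matched by the last deny rule; the constructed `Mail` path shows this.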