Thank you for reporting a bug and helping to make Ubuntu better.
We can't disable all of ~/.config because of the way that 'deny' works in AppArmor (once you explicitly add a deny rule, you can't override it later). However, I think it is appropriate to:
Add this to private-files:
audit deny @{HOME}/.config/autostart/** mrwkl,
audit deny @{HOME}/.kde/Autostart/** mrwkl,
And add this to private-files-strict:
audit deny @{HOME}/.config/chromium/** mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
audit deny @{HOME}/.evolution/** mrwkl,
audit deny @{HOME}/.config/evolution/** mrwkl,
And this to the evince abstraction:
audit deny @{HOME}/.kde/share/config/** mrwkl,
audit deny @{HOME}/.config/chromium/** mrwkl,
audit deny @{HOME}/.evolution/** mrwkl,
audit deny @{HOME}/.config/evolution/** mrwkl,
# we want access to the thunderbird Cache directory
audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,
Furthermore, I believe the change to private-files should be an SRU.
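How the glob patterns in the rules above select paths, as an added example that is not part of the original comment: a small Python translation of the AppArmor glob subset those rules use (`*`, `**`, `{a,b}`, `[^x]`), run over constructed paths under an assumed home directory /home/alice. It is a simplified matcher for checking rule coverage, not the AppArmor parser.

```python
import re

HOME = "/home/alice"  # constructed; stands in for AppArmor's @{HOME} variable

# Deny rules quoted from the comment above (path part only).
RULES = [
    "@{HOME}/.config/autostart/**",
    "@{HOME}/.{,mozilla-}thunderbird/*/*",
    "@{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/**",
]

def glob_to_regex(glob):
    """Translate the AppArmor glob subset used above into a Python regex."""
    glob = glob.replace("@{HOME}", HOME)
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):      # '**' crosses directory separators
            out.append(".*"); i += 2; continue
        if c == "[":                      # character class, copied as written
            end = glob.index("]", i)
            out.append(glob[i:end + 1]); i = end + 1; continue
        if c == "*":                      # '*' stays inside one path component
            out.append("[^/]*")
        elif c == "{":                    # {a,b} alternation
            out.append("(?:"); depth += 1
        elif c == "}" and depth:
            out.append(")"); depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

COMPILED = [(rule, glob_to_regex(rule)) for rule in RULES]

def denied_by(path):
    """Return the first deny rule that matches path, or None if none does."""
    return next((rule for rule, rx in COMPILED if rx.match(path)), None)

if __name__ == "__main__":
    tb = HOME + "/.thunderbird/abcd1234.default"  # constructed profile directory
    for p in (tb + "/prefs.js", tb + "/ImapMail/host/INBOX",
              tb + "/Cache/_CACHE_001_", tb + "/Mail/Local Folders/Inbox",
              HOME + "/.config/autostart/x.desktop"):
        print(f"{denied_by(p) or 'no deny rule':62} {p}")
```

The negated classes are positional: a directory name falls outside the last rule as soon as any of its first five characters equals the character of "Cache" at the same position, so candidate rules of this shape are worth running against a listing of the real profile directory.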