Bug#845005: [apparmor] Bug#845005: AppArmor profile denies paths for gtk2-engines-bixbuf and themes

Sun, 20 Nov 2016 04:39:21 -0800 

Hello,

Am Samstag, 19. November 2016, 12:43:00 CET schrieb u:
> anonym:
> > As a KDE user I want Icedove to look like a native application
> > despite it using GTK, which can be achieved with the
> > gtk2-engines-pixbuf package and some gtk*-engines-* package (e.g.
> > gtk3-engines-breeze). However, the current Icedove AppArmor profile
> > blocks the paths used by these packages.
> Looks good.
> 
> > The attached patch fixes the profile for me. A proper solution for
> > AppArmor upstream might be to add the new lines to the appropriate
> > abstraction file (perhaps abstractions/gnome?).
> 
> I've put the upstream list and the original author of the profile in
> Cc:. @Upstream, what do you think?

Looks good, and it would indeed be a candidate for abstractions/gnome. 

Some notes and questions:

+  /usr/lib/@{multiarch}/gtk-*/*/engines/libpixmap.so* mr,

does not match the openSUSE patchs. Therefore I propose to also add

    /usr/lib*/gtk-*/*/engines/libpixmap.so* mr,

to make this a cross-distro compatible change ;-)


Looking at the gnome abstraction again, I see

  /usr/lib{,32,64}/gtk/**         mr,
  /usr/lib/@{multiarch}/gtk/**    mr,

Both directories don't exist on my openSUSE system. Instead there is
/usr/lib64/gtk-2.0/ and /usr/lib64/gtk-3.0/. Maybe we should update 
these rules to match the versioned paths (and, as a side effect, include 
libpixmap.so)? That would mean to add

  /usr/lib{,32,64}/gtk-[0-9]*/**         mr,
  /usr/lib/@{multiarch}/gtk-[0-9]*/**    mr,


Does /usr/lib{,32,64}/gtk/ and/or /usr/lib/@{multiarch}/gtk/  still 
exist on Debian?
(bzr blame says these lines of the gnome abstractions were last touched 
in 2011, so things might have changed since then ;-)


+  /usr/share/themes/** r,

This is already included in abstractions/gnome, so I wonder why you 
needed to add it.


Regards,

Christian Boltz
-- 
I just fixed your bug, now you need to find something else to bitch
and flame about ;P
[Cristian Rodriguez on 
http://seifesrants.blogspot.de/2013/05/the-systemd-journal-is-broken-piece-of.html]

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to