Control: reassign -1 apparmor
Control: affects -1 thunderbird
Control: forwarded -1 https://gitlab.com/apparmor/apparmor/merge_requests/442
Control: tag -1 + upstream
Hi,
Vincas Dargis:
> On Wed, 05 Jun 2019 15:47:48 +0200 Nabile <nabile13...@gmail.com> wrote:> (I
> am not sure if
> Thunderbird mainly uses GTK2, which only reads from
>> ~/.themes, but since I symlinked ~/.themes to ~/.local/share/themes, it works
>> on my configuration. For those who don't symlink ~/.themes, it may be
>> necessary
>> to add a third whitelist for this folder, provided Thunderbird does use GTK2,
>> of course.)
> `~/.themes` is currently allowed by `gnome` abstraction (which is already
> included by
> usr.bin.thnunderbird profile):
> ```
> fgrep -R ".themes" /etc/apparmor.d/abstractions/
> /etc/apparmor.d/abstractions/gnome: owner @{HOME}/.themes/ r,
> /etc/apparmor.d/abstractions/gnome: owner @{HOME}/.themes/** r,
> ```
> You will not "cheat" AppArmor by creating symlinks (unless user uses
> bind-mount I believe), it has
> to check the actual path, so, hence, DENIED.
> I do not know if/how `~/.local/share/themes` location is "standard"/expected
> here. Generally, it's
> advised to modify `/etc/apparmor.d/local/usr.bin.thunderbird` for any local
> customizations.
> Currently, it seems that it's user customization rather than AppArmor
> misconfiguration, so I am not
> sure if we should fix it in Thunderbird's profile or either in gnome
> abstraction.
I did some research and $XDG_DATA_HOME/themes is documented as the
preferred place to store per-user themes since GTK 3.6,
so IMO this is a bug in abstractions/gnome. Reassigning accordingly,
submitted a MR upstream.
And wrt. ~/.local/share/fonts/: that's only a problem on Stretch and
it got fixed in Buster. Given this is kind of a corner case and
Stretch did not have AppArmor enabled by default and will be EOL in ~6
months, I don't think it's worth fixing this in a Stretch
point release.
Cheers,
--
intrigeri
