On 2016-04-14 02:45 PM, Christian Boltz wrote:
>>> === modified file 'profiles/apparmor.d/abstractions/user-mail'
>>> --- profiles/apparmor.d/abstractions/user-mail  2010-12-22 22:55:18
>>> +0000 +++ profiles/apparmor.d/abstractions/user-mail  2016-04-14
>>> 12:13:08 +0000 @@ -1,6 +1,7 @@
>>>
>>>  #
>>>  ------------------------------------------------------------------
>>>  #
>>>  #    Copyright (C) 2002-2006 Novell/SUSE
>>>
>>> +#    Copyright (C) 2014 Canonical Ltd.
>>>
>>>  #
>>>  #    This program is free software; you can redistribute it and/or
>>>  #    modify it under the terms of version 2 of the GNU General
>>>  Public
>>>
>>> @@ -12,8 +13,8 @@
>>>
>>>    owner @{HOME}/[mM]ail/      r,
>>>    owner @{HOME}/[mM]ail/**    rwl,
>>>    owner @{HOME}/postponed*    rwl,
>>>
>>> -  /var/spool/mail/      r,
>>> -  /var/spool/mail/*     rwl,
>>> +  /var/{,spool/}mail/         r,
>>> +  /var/{,spool/}mail/*        rwl,
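
Review bot: the two added rules, `/var/{,spool/}mail/ r,` and `/var/{,spool/}mail/* rwl,`, carry no `owner` qualifier, unlike the `owner @{HOME}/...` rules in the context lines just above them, so the profile does not limit write and link access to spool files owned by the confined process's user. The removed `/var/spool/mail/*` rule was also unqualified, so this is not a regression from this hunk; the alternation extends the same access to `/var/mail/`. Suggest a follow-up that changes the file rule to `owner /var/{,spool/}mail/* rwl,`, and a one-line comment above the pair noting that the alternation exists to cover both `/var/mail/` and `/var/spool/mail/`.
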
>>
>> Here too, I think "owner" should be used.
> 
> The reason for this change was to cover /var/mail/ and /var/spool/mail/ 
> (one is typically a symlink to the other)
> https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1192965
> 
> Restricting that to owner doesn't sound bad, but I don't want to do this 
> in the 2.8 backport patch because it would remove permissions and 
> therefore comes with the risk to break something.
> 
> You know how to send merge requests - if you send one to trunk that adds 
> the owner restriction to /var/{,spool/}mail/*, I won't object ;-)

Will do, thanks.

Simon

-- 
AppArmor mailing list
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor