Vincas Dargis has proposed merging 
lp:~talkless/apparmor/gnome_abstraction_thumbnail_cache into lp:apparmor.

Requested reviews:
  AppArmor Developers (apparmor-dev)

For more details, see:
https://code.launchpad.net/~talkless/apparmor/gnome_abstraction_thumbnail_cache/+merge/330883

I have discovered denies on Ubuntu 17.10 while developing the skypeforlinux 
profile. They appear when browsing for files:

type=AVC msg=audit(1505566970.007:347): apparmor="DENIED" operation="open" 
profile="skypeforlinux" 
name="/home/vincas/.cache/thumbnails/fail/gnome-thumbnail-factory/82c3c014bd2b90c499491782f4399798.png"
 pid=3838 comm="pool" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1505566970.007:347): arch=c000003e syscall=2 per=400000 
success=no exit=-13 a0=be2ce1ef80 a1=0 a2=0 a3=1 items=0 ppid=1 pid=3838 
auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 
fsgid=1000 tty=tty2 ses=2 comm="pool" 
exe="/usr/share/skypeforlinux/skypeforlinux" key=(null)
type=PROCTITLE msg=audit(1505566970.007:347): 
proctitle=2F7573722F73686172652F736B797065666F726C696E75782F736B797065666F726C696E7578202D2D65786563757465642D66726F6D3D2F686F6D652F76696E636173202D2D7069643D33383332

type=AVC msg=audit(1505567240.659:383): apparmor="DENIED" operation="file_mmap" 
profile="skypeforlinux" 
name="/home/vincas/.cache/thumbnails/fail/gnome-thumbnail-factory/39e2023d634480a9852aca5e4d7bb600.png"
 pid=4082 comm="pool" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
type=SYSCALL msg=audit(1505567240.659:383): arch=c000003e syscall=9 per=400000 
success=no exit=-13 a0=0 a1=e5 a2=1 a3=2 items=0 ppid=1 pid=4082 auid=1000 
uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 
tty=tty2 ses=2 comm="pool" exe="/usr/share/skypeforlinux/skypeforlinux" 
key=(null)
type=PROCTITLE msg=audit(1505567240.659:383): 
proctitle=2F7573722F73686172652F736B797065666F726C696E75782F736B797065666F726C696E7578202D2D65786563757465642D66726F6D3D2F686F6D652F76696E636173202D2D7069643D34303735

Therefore I am proposing to add an appropriate file rule to the gnome abstraction.
-- 
Your team AppArmor Developers is requested to review the proposed merge of 
lp:~talkless/apparmor/gnome_abstraction_thumbnail_cache into lp:apparmor.
=== modified file 'profiles/apparmor.d/abstractions/gnome'
--- profiles/apparmor.d/abstractions/gnome	2017-07-03 07:44:43 +0000
+++ profiles/apparmor.d/abstractions/gnome	2017-09-16 13:23:56 +0000
@@ -66,6 +66,9 @@
   /var/cache/**/icon-theme.cache  r,
   /usr/share/**/icon-theme.cache  r,
 
+  # thumbnail caches
+  owner @{HOME}/.cache/thumbnails/*/gnome-thumbnail-factory/*.png mr,
+
   # GLib schemas
   /usr/{local/,}share/glib-[0-9]*/schemas/   r,
   /usr/{local/,}share/glib-[0-9]*/schemas/** r,
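
Review bot: the "mr" on the added "owner @{HOME}/.cache/thumbnails/*/gnome-thumbnail-factory/*.png" rule grants "m" (executable mapping) on files the confined user owns and can write, and it does so for every profile that includes this abstraction. The only evidence for "m" in the description is the single file_mmap denial from the skypeforlinux profile, whose SYSCALL record shows per=400000, so the need may be specific to that process rather than to GNOME applications in general. Consider keeping the abstraction rule at "r" and granting "m" in the skypeforlinux profile, or state in the "# thumbnail caches" comment why "m" is required. Both logged denials are also under thumbnails/fail/, so the "*" directory component could be narrowed to "fail" unless other subdirectories are known to trigger the same denial.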
