[apparmor] Patching a system profile for a specific user

Fri, 10 Jan 2020 14:08:45 -0800 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Hi everyone,

I'm a seasoned Linux administrator but I have little prior experience
with AppArmor.  FWIW, I already have asked this question on the
SuperUser StackExchange web site this afternoon [1],  but it received
little interest, and I now have little hopes to have an answer there.

Our Linux Debian boxes have a standard policy for the Thunderbird
email client in `/etc/apparmor.d/usr.bin.thunderbird`

One user needs Thunderbird to have read access to the files stored in
his `${HOME}/signature.d/` folder. Is there a way to create a
user-specific profile that _includes_ the default profile settings,
but granting extra access the the needed files? I didn't find any
reference about that particular use case, and my first attempts were
unsuccessful. But I can't say if my syntax was wrong, of if this
wasn't possible at all. Here what I tried:


```
$ cat "${HOME}/.apparmor.d/usr.bin.thunderbird"

#include </etc/apparmor.d/usr.bin.thunderbird>

profile thunderbird @{thunderbird_executable} {
  owner @{HOME}/.signature.d/** r,
}

$ sudo systemctl restart apparmor

```


This doesn't seem to change anything. At such point I don't think the
user-specific profile is read at all. Could you help me fixing that?


Thanks a lot,
- - Sylvain Leroux



[1]
https://superuser.com/questions/1516181/configure-apparmor-to-allow-file-access-on-a-per-user-basis

- -- 
- -- Sylvain Leroux
- -- sylv...@chicoree.fr
- -- http://www.chicoree.fr
-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEEl5bRd1eLmzy/wTZWq1gfHR9hxSIFAl4Y9bUUHHN5bHZhaW5A
Y2hpY29yZWUuZnIACgkQq1gfHR9hxSITsQ/9E2fDh2LtM/rlkKhE8oIkeWQCvv0b
d91TWmvVp5N0XFtrxSWrLRGrQTuwIhYGUPQWn7FX5M/9yiqO2ZdxTcy/VZ5WK5mE
16/QHziU8HwLL+4eGZAHLI5Q81Fjq2Zx2Lyin21r6tiQn/Tc1CMS5WqnkUqMUZ3V
JjRXmQwfg+VAzsY8w+lDVK1iFRNzcGvcCbiEcDSzXsB+QfEA5R0xtTB5Z63+U7Kw
z2qG1X8SpcIJMgg7M7v6x2wl8LKNEnb/PoXfdX+HV0KBh+IRipJk/sgCyuJs19cd
hgdCtGVbOKxM+daTZnH6DKVWnCujaTTo5kBVPduuDCFyBT7iP1hUwe08NnC8rmLc
x6W+gsQ6YZ1UQo/36iHXUrF+tohsSn0JvJR4yu1XEb93jthnnZeWFj+naX/DAbAa
m7fAqgUwHMyETz3xIRxwdKTc/wQOh+2rVf83JWfuIyV0HauK9JMsXjS5dKZYH3fp
iHA6mZmOPw8ZlWcSzOP7JYbIJSd/E/G6mudLL8CRGhCshuX+dXnLBDJDZJVzqch6
6hGKShK1fyGID5NU2iEmuyeo+KgpSHBu2AY2uhqmNfPEwKeOPyF6YzU9NNzjCqh6
O3T6uQ1rUFslj9KNMvuCquvIJr3M79rykLkT6pnyTkBaj72NnA4M/hVNi2IrSuAz
CZ+tQnWZZn3GGls=
=5AQW
-----END PGP SIGNATURE-----

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Reply via email to