Yes, AppArmor can break everything; welcome to the often painful world of mandatory access control (MAC). In general, AppArmor policy cannot and should not adapt to parts of the environment that can be defined by the user; it can certainly do better in adapting to system configuration set by the admin.
At the moment it is up to the admin to adjust the AppArmor XDG variables (yes, this is a complete pain and needs to be improved). The upcoming 5.0 release improves the conditional support so that it will be easier to have some variables automatically adapt to various system conditions. This is necessary but not generically sufficient.

The next step, if the admin allows it (i.e. it's configurable), would be to enable automatically updating the AppArmor XDG variables based on parsing the system XDG configs. In general XDG isn't the only place where a call-out to a helper to define variables would be nice. E.g. there is an Apache helper that will parse the Apache config and update some vars based on its settings. This call-out to a helper isn't scheduled to land in 5.0, unfortunately, but it will come, as it is needed to help with rolling out more policy.

The above two pieces cover what is needed at a global level (and really most systems in general) but not on a per-user level. Further out there are plans to update the PAM plugin and allow custom per-user session variables.

-- 
https://bugs.launchpad.net/bugs/1423890
Title: AppArmor support for the XDG Base Directory spec is incomplete
