abstractions/user-tmp doesn't include /run/user

Bug #1702360 reported by JasonJAyalaP on 2017-07-04
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
Undecided
Unassigned

Bug Description

Hi. While debugging a firefox apparmor denied messages in Debian 9, I noticed that the file abstractions/user-tmp (included by the FF profile and other programs) includes the common temporary directories (eg /tmp/) except for the /run/user/. My issue was that firefox wanted to create a file there and was denied. Researching this folder, it seems /run/user is the preferred, modern location for temp files.

Should user-tmp have:
owner /run/user/[0-9]/**
?

I had to put that in my firefox profile. And I'm wondering if it should be standard. I noticed that icedove adds it to their own profile (/run/user/[0-9]*/** to be exact, but I don't think there is ever anything after [0-9].

To be more specific, I work on Whonix and our users often use FoxyProxy. As far as I can tell, Firefox creates dconf/user inside /run/user when certain addons are installed (even if never used, apparently). This leads to an error and confusion for our users.

> Should user-tmp have:
> owner /run/user/[0-9]/**
> ?

IMO, absolutely not: I don't think giving full read-write access to
dconf settings is an expected/intended consequence of including the
user-tmp abstraction.

If we agree about this, then I think this bug report is essentially
a duplicate of https://bugs.launchpad.net/apparmor/+bug/1633733

Christian Boltz (cboltz) on 2017-10-02
tags: added: aa-policy
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers