abstractions/user-tmp doesn't include /run/user

Bug #1702360 reported by JasonJAyalaP
Affects: AppArmor | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Hi. While debugging firefox apparmor denied messages in Debian 9, I noticed that the file abstractions/user-tmp (included by the FF profile and other programs) includes the common temporary directories (e.g. /tmp/) except for /run/user/. My issue was that firefox wanted to create a file there and was denied. Researching this folder, it seems /run/user is the preferred, modern location for temp files.

Should user-tmp have:
owner /run/user/[0-9]/**
?

I had to put that in my firefox profile. And I'm wondering if it should be standard. I noticed that icedove adds it to their own profile (/run/user/[0-9]*/** to be exact, but I don't think there is ever anything after [0-9]).

To be more specific, I work on Whonix and our users often use FoxyProxy. As far as I can tell, Firefox creates dconf/user inside /run/user when certain addons are installed (even if never used, apparently). This leads to an error and confusion for our users.

Tags: aa-policy
intrigeri (intrigeri) wrote : Re: [Bug 1702360] [NEW] abstractions/user-tmp doesn't include /run/user

> Should user-tmp have:
> owner /run/user/[0-9]/**
> ?

IMO, absolutely not: I don't think giving full read-write access to
dconf settings is an expected/intended consequence of including the
user-tmp abstraction.

If we agree about this, then I think this bug report is essentially
a duplicate of https://bugs.launchpad.net/apparmor/+bug/1633733
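To make concrete what the proposed rule in the report would grant, and why the reply above objects to it, here is an added example that is not part of the bug report or of the AppArmor project: a small, simplified translation of AppArmor path globs (the `*`, `**`, `?`, `[...]` and `{a,b}` forms described in apparmor.d(5)) into Python regexes, run over a few constructed paths. It shows that the report's `owner /run/user/[0-9]/**` only reaches single-digit UIDs, that icedove's `/run/user/[0-9]*/**` reaches every user's runtime directory, and that either form covers the dconf/user file the reply is concerned about, not just scratch files. The translator is an approximation (no nested braces, no escape handling) and the sample paths are constructed; neither comes from the page.

```python
import re


def apparmor_glob_to_regex(glob):
    """Translate an AppArmor path glob into an anchored regex.

    Simplified approximation (assumption, not AppArmor's real matcher):
      '**'   -> any characters, including '/'
      '*'    -> any characters except '/'
      '?'    -> one character except '/'
      '[..]' -> character class, passed through
      '{a,b}'-> alternation (non-nested only)
    """
    out = []
    i = 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = glob.index("]", i)
            out.append(glob[i:j + 1])
            i = j + 1
            continue
        elif c == "{":
            j = glob.index("}", i)
            alts = glob[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def matches(glob, path):
    """True if the AppArmor-style glob covers the given absolute path."""
    return re.match(apparmor_glob_to_regex(glob), path) is not None


# Constructed sample paths: what a browser might touch under a user's
# runtime directory, plus the dconf file the report mentions.
SAMPLE_PATHS = [
    "/run/user/0/dconf/user",
    "/run/user/1000/dconf/user",
    "/run/user/1000/firefox-scratch",
    "/tmp/firefox-scratch",
]


def coverage(glob, paths=SAMPLE_PATHS):
    """Return the subset of paths a rule with this glob would grant."""
    return [p for p in paths if matches(glob, p)]


if __name__ == "__main__":
    for label, glob in [
        ("report's proposal", "/run/user/[0-9]/**"),
        ("icedove's rule", "/run/user/[0-9]*/**"),
        ("existing /tmp rule", "/tmp/**"),
    ]:
        print(f"{label:20} {glob:24} -> {coverage(glob)}")
```

Run as a script it prints, per rule, which of the sample paths it reaches; the `[0-9]` form matches only `/run/user/0/...`, while the `[0-9]*` form matches the UID 1000 paths too, including `dconf/user`. That is the substance of the objection: a `**` under the runtime directory is not a temp-file rule, it is a rule over everything the user's session keeps there.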

Christian Boltz (cboltz)
tags: added: aa-policy