Include abstractions/dconf in abstractions/gnome
Bug #1751910 reported by udgls
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
AppArmor | New | Undecided | Unassigned | |
Bug Description
What is the reason that abstractions/dconf is not listed in abstractions/gnome?
DConf is part of the GNOME desktop-environment and should be listed in abstractions/gnome, to make it more simple to write and maintain profiles for GNOME applications. Because most GNOME applications make use of DConf.
PS: See also https:/
Indeed, most profiles on my system for GTK/GNOME apps either include abstractions/dconf or have its content inlined (from the days when we could not rely on the dconf abstraction, which did not exist back then). I would not mind including abstractions/dconf in abstractions/gnome but it will require careful coordination with profiles that already include abstractions/gnome and dconf-related rules. I think a good first step would be to first de-duplicate dconf-related rules for all profiles in apparmor.git and apparmor-profiles.git: include the dconf abstraction instead and drop the corresponding lines. This would require a dedicated bug/branch.
Then include the dconf abstraction in the gnome one, look for profiles that include both the dconf and gnome abstractions, and ensure they drop the now obsolete include of abstractions/dconf *at some point* (once we can rely on the fact distros have the "include abstractions/dconf in abstractions/gnome" change applied). This can take years of waiting so don't hold your breath and good luck. Thankfully I see only 2 such profiles on my system (Totem and Pidgin :)
> I think an abstractions/dconf-read-write can be directly implemented in abstractions/dconf.
NAK: the semantics of our abstractions are like an API for policy authors. We can't turn an abstraction that has been documented since it exists as granting read-only query access, into granting write access to dconf. This would change the behavior of dependent profiles in a potentially dangerous way.
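The audit step described in the comments above (finding profiles that include both the gnome and dconf abstractions) can be scripted. The following is an added example, not code from the bug report or from the AppArmor project; the profile names and contents are constructed, and the script only reads include lines, it does not detect inlined dconf rules.

```python
"""List AppArmor profiles that include both abstractions/gnome and abstractions/dconf."""
import re
import tempfile
from pathlib import Path

# Matches both include spellings, '#include <x>' and 'include <x>', with the
# optional 'if exists' qualifier. A commented-out '##include' does not match.
INCLUDE_RE = re.compile(r'^\s*#?include\s+(?:if\s+exists\s+)?[<"]([^>"]+)[>"]')


def included_abstractions(profile_text):
    """Return the set of abstractions/* paths included by a profile."""
    found = set()
    for line in profile_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and m.group(1).startswith("abstractions/"):
            found.add(m.group(1))
    return found


def profiles_with_both(profile_dir, first="abstractions/gnome",
                       second="abstractions/dconf"):
    """Return sorted file names of profiles that include both abstractions."""
    hits = []
    for path in sorted(Path(profile_dir).iterdir()):
        if not path.is_file():
            continue
        incs = included_abstractions(path.read_text(errors="replace"))
        if first in incs and second in incs:
            hits.append(path.name)
    return hits


# Constructed sample profiles (hypothetical names, not real distro profiles).
SAMPLES = {
    "usr.bin.example-a": "profile a /usr/bin/example-a {\n  #include <abstractions/gnome>\n  #include <abstractions/dconf>\n}\n",
    "usr.bin.example-b": "profile b /usr/bin/example-b {\n  #include <abstractions/gnome>\n}\n",
    "usr.bin.example-c": "profile c /usr/bin/example-c {\n  include <abstractions/gnome>\n  include if exists <abstractions/dconf>\n}\n",
    "usr.bin.example-d": "profile d /usr/bin/example-d {\n  #include <abstractions/gnome>\n  ##include <abstractions/dconf>\n}\n",
}


def demo():
    """Write the samples to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLES.items():
            (Path(d) / name).write_text(text)
        return profiles_with_both(d)


if __name__ == "__main__":
    print(demo())
```

On a real system, `profiles_with_both` would be pointed at the profile directory (commonly `/etc/apparmor.d`) to list the profiles whose dconf include becomes redundant once the gnome abstraction pulls it in.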