Nearly all the AppArmor rules provided by upstream AppArmor include 'owner' prefixes on files and directories within user home directories. This is intentional -- for example, the <abstractions/fonts> file includes:
owner @{HOME}/.fonts.conf r,
owner @{HOME}/.fonts/ r,
owner @{HOME}/.fonts/** r,
owner @{HOME}/.local/share/fonts/ r,
owner @{HOME}/.local/share/fonts/** r,
owner @{HOME}/.fonts.cache-2 mr,
owner @{HOME}/.{,cache/}fontconfig/ r,
owner @{HOME}/.{,cache/}fontconfig/** mrl,
owner @{HOME}/.fonts.conf.d/ r,
owner @{HOME}/.fonts.conf.d/** r,
owner @{HOME}/.config/fontconfig/ r,
owner @{HOME}/.config/fontconfig/** r,
/usr/local/share/fonts/ r,
/usr/local/share/fonts/** r,
Whoever owns the fonts in your ~/.fonts/ directory can probably gain execution privileges by whatever program is rendering the fonts.
You could store your fonts in /usr/local/share/fonts/ if they are appropriate for multiple users on the system.
Or you could amend /etc/apparmor.d/local/usr.bin.evince if you want these fonts to be available to evince without storing them in /usr/local/share/fonts/.
Thanks
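
The following is an added example, not part of the original answer: a shell helper that lists entries under the per-user font directories that are not owned by a given uid, which are the ones the 'owner' rules above refuse to a confined program running as that user. The function names and the directory list in check_my_fonts are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: find font files that AppArmor 'owner' rules would deny.
# An 'owner' rule matches only when the confined process's uid owns the
# file, so anything reported here is unreadable to a confined renderer.

# usage: non_owned_fonts UID DIR...
# Prints every entry under each DIR whose owner is not UID.
non_owned_fonts() {
    uid=$1
    shift
    for dir in "$@"; do
        # Font directories are optional; skip the ones that do not exist.
        [ -d "$dir" ] || continue
        find "$dir" ! -uid "$uid" -print
    done
}

# usage: count_non_owned_fonts UID DIR...
# Prints the number of entries non_owned_fonts would report.
count_non_owned_fonts() {
    non_owned_fonts "$@" | wc -l | tr -d ' '
}

# Convenience wrapper for the invoking user (directory list is an assumption
# based on the home-directory paths named in the rules quoted above).
check_my_fonts() {
    non_owned_fonts "$(id -u)" \
        "$HOME/.fonts" \
        "$HOME/.local/share/fonts" \
        "$HOME/.config/fontconfig"
}
```

Source the file and run check_my_fonts; any path it prints is owned by another user and should be re-owned, moved to /usr/local/share/fonts/, or covered by a rule in the local override.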