Comment 0 for bug 1236912

The security team noticed the following apparmor denial:
[ 86.069189] type=1400 audit(1381243063.185:73): apparmor="DENIED" operation="connect" parent=1550 profile="com.ubuntu.developer.webapps.webapp-twitter_webapp-twitter_1.0.3" name="/tmp/mir_socket" pid=2270 comm="webbrowser-app" requested_mask="rw" denied_mask="rw" fsuid=32011 ouid=32011

Discussing this with the mir team, the mir socket is needed by all apps. However, the default location is:
$ ls -l /tmp/mir_socket
srwxr-xr-x 1 phablet phablet 0 Oct 8 09:54 /tmp/mir_socket

This is not a reasonable default for a multiuser system and is not sufficiently defensive on a single user system (eg, a security issue in a non-phablet uid process can read the socket).

It seems that XDG_RUNTIME_DIR would be a reasonable default:
$ set|grep XDG
XDG_RUNTIME_DIR=/run/user/32011
$ ls -ld /run/user/32011/
drwx------ 5 phablet phablet 140 Oct 8 09:54 /run/user/32011/

It is explicitly set on Ubuntu, is cleaned up on reboot like /tmp and has 700 directory permissions.