No abstraction over xdg-basedirs and xdg-user-dirs

Bug #1061693 reported by Iain Lane
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
AppArmor | Fix Released | Medium | Jamie Strandboge |
apparmor (Ubuntu) | Fix Released | Medium | Seth Arnold |

Bug Description

Per a freedesktop.org spec

  http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html#variables

users may modify certain environment variables to override the locations in which applications store / cache data.

Most of the apparmor profiles shipped by Ubuntu hardcode the defaults specified by XDG, meaning that if someone wants to change this, they need to modify every profile for the change. It would be great if this could be made easier, either by whitelisting these environment variables or by introducing a tunable and modifying all profiles shipped by default to use it.

Changed in apparmor (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed
Jamie Strandboge (jdstrand) wrote :

Here are some thoughts I had to fix this. It is not fully realized:

We take advantage of tunables in the following manner:
 * create tunables/xdg to have:
    @{XDG_DESKTOP_DIR}=@{HOMEDIRS}/*/Desktop
    #include <tunables/xdg.d>
 * tunables/xdg.d could include files with contents of the form:
    @{XDG_DESKTOP_DIR}+=@{HOMEDIRS}/*/TranslatedDesktop
 * we could then have some sort of a hook, perhaps a dpkg trigger that would generate files in tunables/xdg.d based on installed locales

Rules that were of the form of:
owner @{HOME}/Desktop/** r,

would become:
owner @{XDG_DESKTOP_DIR}/** r,

This also has the advantage of opening the possibility of handling migrations like those with /var/run/user/ more gracefully.
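
How the `=` / `+=` tunable scheme sketched in this comment changes what a single rule matches, as an added Python model that is not part of the original comment and is not AppArmor's parser. The single value given to @{HOMEDIRS}, the sample tunable text and the helper names `parse_tunables` and `expand` are assumptions made for illustration.

```python
import re
from itertools import product

# Constructed tunables in the forms proposed above; the value of
# @{HOMEDIRS} is an assumption for this example.
TUNABLES = """\
@{HOMEDIRS}=/home/
@{XDG_DESKTOP_DIR}=@{HOMEDIRS}/*/Desktop
# what a generated file in tunables/xdg.d could contribute
@{XDG_DESKTOP_DIR}+=@{HOMEDIRS}/*/TranslatedDesktop
"""

ASSIGN = re.compile(r"^@\{(\w+)\}\s*(\+?=)\s*(.+)$")
VAR = re.compile(r"@\{(\w+)\}")


def parse_tunables(text):
    """Return {name: [values]}; '=' defines a variable, '+=' appends to it."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ASSIGN.match(line)
        if not m:
            raise ValueError(f"not a variable assignment: {line!r}")
        name, op, values = m.groups()
        # This model rejects redefinition and extension of an unknown name.
        if op == "=" and name in table:
            raise ValueError(f"@{{{name}}} already defined, use +=")
        if op == "+=" and name not in table:
            raise ValueError(f"@{{{name}}} extended before definition")
        table.setdefault(name, []).extend(values.split())
    return table


def expand(text, table):
    """Expand every @{VAR} in text into all value combinations."""
    names = VAR.findall(text)
    if not names:
        return [re.sub(r"/{2,}", "/", text)]  # collapse doubled slashes
    out = []
    for combo in product(*(table[n] for n in names)):
        it = iter(combo)
        out.extend(expand(VAR.sub(lambda _m: next(it), text), table))
    return out


if __name__ == "__main__":
    for rule in expand("owner @{XDG_DESKTOP_DIR}/** r,", parse_tunables(TUNABLES)):
        print(rule)
```

Each value appended with `+=` widens every rule that references the variable, so a file dropped into the `.d` directory grants access in all profiles using it; that is the convenience being asked for and also the reason such files deserve the same review as a profile change.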

Changed in apparmor:
status: New → Confirmed
importance: Undecided → Medium
Seth Arnold (seth-arnold) wrote :
Jamie Strandboge (jdstrand) wrote :

Just to be clear, Iain was talking about xdg-basedirs and I responded with xdg-user-dirs. Both could be solved in a similar manner, but xdg-user-dirs are more pressing because xdg-user-dirs-update might rename directories, etc., with the user only choosing a different locale. We will likely have something reasonable for translated xdg-user-dirs but not have a general fix for xdg-basedirs or xdg-user-dirs that differ from the templates in /etc/xdg/user-dirs.defaults.

summary: - No abstraction over XDG_*_HOME
+ No abstraction over xdg-basedirs and xdg-user-dirs
Changed in apparmor:
status: Confirmed → Triaged
Changed in apparmor (Ubuntu):
status: Confirmed → Triaged
Jamie Strandboge (jdstrand) wrote :

I've just now committed changes for supporting translated xdg-user-dirs. We have had the abstractions/xdg-desktop in Ubuntu and upstream for some time for the basedirs. We aren't going to introduce a tunable at this time for basedirs, but may in the future.

Changed in apparmor:
status: Triaged → Fix Committed
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in apparmor (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Seth Arnold (seth-arnold)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu1

---------------
apparmor (2.8.95~2430-0ubuntu1) trusty; urgency=low

  [ Jamie Strandboge ]

   * debian/debhelper/dh_apparmor: exit with error if aa-easyprof does not
     exist
   * debian/control: drop Depends on apparmor-easyprof to Suggests for
     dh-apparmor

  [ Seth Arnold, Jamie Strandboge, Steve Beattie, John Johansen, Tyler Hicks ]

  * New upstream snapshot (LP: #1278702, #1061693, #1285653) dropping very
    large Ubuntu delta and fixing the following bugs:
    - Adjust fonts abstraction for libthai (LP: #1278702)
    - Support translated XDG user directories (LP: #1061693)
    - Adjust abstractions/web-data to include /var/www/html (LP: #1285653)
      Refresh 0002-add-debian-integration-to-lighttpd.patch to include
      /etc/lighttpd/conf-available/*.conf
    - Adjust debian/libapparmor1.symbols to reflect new upstream versioning
      for the aa_query_label() function
    - Raise exceptions in Python bindings when something fails
  * ship new Python replacements for previous Perl-based tools
    - debian/apparmor-utils.install: remove usr/share/perl5/Immunix/*.pm and
      add usr/sbin/aa-autodep, usr/sbin/aa-cleanprof and usr/sbin/aa-mergeprof
    - debian/control:
      + remove various Perl dependencies
      + add python-apparmor and python3-apparmor
      + python3-apparmor Breaks: apparmor-easyprof to move the file since it
        ships dist-packages/apparmor/__init__.py now
    - debian/apparmor-utils.manpages: ship new manpages for aa-cleanprof and
      aa-mergeprof
    - debian/rules: build and install Python tools
  * debian/apparmor.install:
    - install apparmorfs, dovecot, kernelvars, securityfs, sys,
      and xdg-user-dirs tunables and xdg-user-dirs.d directory
  * debian/apparmor.dirs:
    - install /etc/apparmor.d/tunables/xdg-user-dirs.d
  * debian/rules: delete upstream-provided xdg-user-dirs.d/site.local
  * debian/apparmor.postinst: create xdg-user-dirs.d/site.local
  * debian/apparmor.postrm: remove xdg-user-dirs.d
  * Remaining patches:
    - add-chromium-browser.patch
    - add-debian-integration-to-lighttpd.patch
    - ubuntu-manpage-updates.patch
    - libapparmor-layout-deb.patch
    - libapparmor-mention-dbus-method-in-getcon-man.patch
    - etc-writable.patch
    - aa-utils_are_bilingual.patch
  * New patches:
    - convert-to-rules.patch
    - list-fns.patch
    - parse-mode.patch
    - add-decimal-interp.patch
    - policy_mediates.patch
    - fix-failpath.patch
    - feature_file.patch
    - fix-network.patch
    - aare-to-class.patch
    - add-mediation-unix.patch
    - parser_version.patch
    - caching.patch
    - label-class.patch
    - fix-lexer-debug.patch
    - use-diff-encode.patch
    - fix-serialize.patch
    - fix-ppc-endian-ftbfs.patch
    - opt_arg.patch
    - tests-cond-dbus.patch
  * Move manpages from libapparmor1 to libapparmor-dev
    - debian/libapparmor-dev.manpages: install aa_change_hat.2,
      aa_change_profile.2, aa_find_mountpoint.2, aa_getcon.2
    - debian/control: libapparmor-dev Replaces: and Breaks: libapparmor1
  * Move /usr/lib/python3/dist-packages/apparmor/__init__.py from
    apparmor-eas...


Changed in apparmor (Ubuntu):
status: In Progress → Fix Released
Changed in apparmor:
status: Fix Committed → Fix Released