apparmor private-files profile should include @{HOME}/.config

Thank you for reporting a bug and helping to make Ubuntu better.

We can't disable all of ~/.config because of the way that 'deny' works in AppArmor (once you explicitly add a deny rule, you can't override it later). However, I think it is appropriate to:

Add this to private-files:
 audit deny @{HOME}/.config/autostart/** mrwkl,
 audit deny @{HOME}/.kde/Autostart/** mrwkl,

And add this to private-files-strict:
 audit deny @{HOME}/.config/chromium/** mrwkl,
 audit deny @{HOME}/.{,mozilla-}thunderbird/** mrwkl,
 audit deny @{HOME}/.evolution/** mrwkl,
 audit deny @{HOME}/.config/evolution/** mrwkl,

And this to the evince abstraction:
 audit deny @{HOME}/.kde/share/config/** mrwkl,
 audit deny @{HOME}/.config/chromium/** mrwkl,
 audit deny @{HOME}/.evolution/** mrwkl,
 audit deny @{HOME}/.config/evolution/** mrwkl,

 # we want access to the thunderbird Cache directory
 audit deny @{HOME}/.{,mozilla-}thunderbird/*/* mrwkl,
 audit deny @{HOME}/.{,mozilla-}thunderbird/*/[^C][^a][^c][^h][^e]*/** mrwkl,

Furthermore, I believe the change to private-files should be an SRU.

This should be added to private-files-strict as well:
 audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
 audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,

And this to evince abstraction:
 audit deny @{HOME}/.kde/share/apps/kwallet/** mrwkl,
 audit deny @{HOME}/.kde/share/apps/kmail/** mrwkl,

That's way more thorough than my suggestion. Thanks for looking into this!

This bug was fixed in the package apparmor - 2.6~devel+bzr1617-0ubuntu1

---------------
apparmor (2.6~devel+bzr1617-0ubuntu1) natty; urgency=low

  * Merge with upstream bzr revision 1617. Closes the following bugs:
    - LP: #692406: temporarily disable the defunct repository until an
      alternative can be used
    - LP: #649497: add ibus abstraction
    - LP: #652562: allow 'rw' to /var/log/samba/cores/
    - LP: #658135: allow access to /usr/lib32 and /usr/lib64 for dri modules
  * 0002-add-chromium-browser.patch: add /dev/shm/.org.chromium.*
    (LP: #692866)
  * rename debian/patches/0010-ubuntu-buildd.patch to 0001-ubuntu-buildd.patch
    and adjust debian/patches/series
  * debian/patches/0003-add-libvirt-support-to-dnsmasq.patch (LP: #697239):
    - allow read and write access to libvirt pid files for dnsmasq
    - allow net_admin capability for DHCP server
    - allow net_raw and network inet raw for ICMP pings when used as a DHCP
      server
  * debian/patches/0004-lp698194 (LP: #698194):
    - abstractions/private-files: don't allow wl to autostart directories
    - abstractions/private-files-strict: don't allow access to chromium,
      kwallet and popular mail clients
 -- Jamie Strandboge <email address hidden> Fri, 07 Jan 2011 12:44:26 -0600

This bug was fixed in the package evince - 2.32.0-0ubuntu5

---------------
evince (2.32.0-0ubuntu5) natty; urgency=low

  * debian/apparmor-profile.abstraction:
    - deny access to kwallet, chromium configuration, writing to .pki/nssdb/*,
      and some popular mail client files (LP: #698194)
    - add ibus abstraction
    - clean out some redundant abstraction includes
 -- Jamie Strandboge <email address hidden> Fri, 07 Jan 2011 10:26:10 -0600

Uploaded to lucid and maverick proposed, pending SRU team approval.

Accepted apparmor into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Tested using:
 * QRT:test-apparmor.py: PASS
 * QRT:test-evince.py: PASS
 * evince can no longer write to the ~/.config/autostart directory (the TEST CASE): PASS
 * evince can be launched from firefox: PASS
 * evince can by launched from evolution (PDF attachment in email): PASS
 * adjusting the evince to use private-files-strict instead of private-files, and then open PDF from evolution is denied: PASS

So, this looks good. private-files and private-files-strict are updated correctly and there are no regressions in apparmor itself or the use of evince on the desktop.

Accepted apparmor into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.04.3

---------------
apparmor (2.5.1-0ubuntu0.10.04.3) lucid-proposed; urgency=low

  * debian/patches/0014-lp698194.patch: explicitly deny access to autostart
    directories, chromium, some popular email clients and kwallet
    - LP: #698194
 -- Jamie Strandboge <email address hidden> Sun, 16 Jan 2011 10:09:03 -0600

Tested maverick-proposed using:

 * QRT:test-apparmor.py: PASS
 * QRT:test-evince.py: PASS
 * evince can no longer write to the ~/.config/autostart directory (the TEST CASE): PASS
 * evince can be launched from firefox: PASS
 * evince can be launched from evolution (PDF attachment in email): PASS
 * adjusting the evince profile to use private-files-strict instead of private-files, and then open PDF from evolution is denied: PASS

So, this looks good. private-files and private-files-strict are updated correctly and there are no regressions in apparmor itself or the use of evince on the desktop.

This bug was fixed in the package apparmor - 2.5.1-0ubuntu0.10.10.4

---------------
apparmor (2.5.1-0ubuntu0.10.10.4) maverick-proposed; urgency=low

  * debian/patches/0012-lp698194.patch: explicitly deny access to autostart
    directories, chromium, some popular email clients and kwallet
    - LP: #698194
 -- Jamie Strandboge <email address hidden> Sun, 16 Jan 2011 09:57:11 -0600