[apparmor] Patching a system profile for a specific user
Sylvain Leroux
sylvain at chicoree.fr
Fri Jan 10 22:07:49 UTC 2020
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Hi everyone,
I'm a seasoned Linux administrator but I have little prior experience
with AppArmor. FWIW, I already have asked this question on the
SuperUser StackExchange web site this afternoon [1], but it received
little interest, and I now have little hopes to have an answer there.
Our Linux Debian boxes have a standard policy for the Thunderbird
email client in `/etc/apparmor.d/usr.bin.thunderbird`
One user needs Thunderbird to have read access to the files stored in
his `${HOME}/signature.d/` folder. Is there a way to create a
user-specific profile that _includes_ the default profile settings,
but granting extra access the the needed files? I didn't find any
reference about that particular use case, and my first attempts were
unsuccessful. But I can't say if my syntax was wrong, of if this
wasn't possible at all. Here what I tried:
```
$ cat "${HOME}/.apparmor.d/usr.bin.thunderbird"
#include </etc/apparmor.d/usr.bin.thunderbird>
profile thunderbird @{thunderbird_executable} {
owner @{HOME}/.signature.d/** r,
}
$ sudo systemctl restart apparmor
```
This doesn't seem to change anything. At such point I don't think the
user-specific profile is read at all. Could you help me fixing that?
Thanks a lot,
- - Sylvain Leroux
[1]
https://superuser.com/questions/1516181/configure-apparmor-to-allow-file-access-on-a-per-user-basis
- --
- -- Sylvain Leroux
- -- sylvain at chicoree.fr
- -- http://www.chicoree.fr
-----BEGIN PGP SIGNATURE-----
iQJIBAEBCAAyFiEEl5bRd1eLmzy/wTZWq1gfHR9hxSIFAl4Y9bUUHHN5bHZhaW5A
Y2hpY29yZWUuZnIACgkQq1gfHR9hxSITsQ/9E2fDh2LtM/rlkKhE8oIkeWQCvv0b
d91TWmvVp5N0XFtrxSWrLRGrQTuwIhYGUPQWn7FX5M/9yiqO2ZdxTcy/VZ5WK5mE
16/QHziU8HwLL+4eGZAHLI5Q81Fjq2Zx2Lyin21r6tiQn/Tc1CMS5WqnkUqMUZ3V
JjRXmQwfg+VAzsY8w+lDVK1iFRNzcGvcCbiEcDSzXsB+QfEA5R0xtTB5Z63+U7Kw
z2qG1X8SpcIJMgg7M7v6x2wl8LKNEnb/PoXfdX+HV0KBh+IRipJk/sgCyuJs19cd
hgdCtGVbOKxM+daTZnH6DKVWnCujaTTo5kBVPduuDCFyBT7iP1hUwe08NnC8rmLc
x6W+gsQ6YZ1UQo/36iHXUrF+tohsSn0JvJR4yu1XEb93jthnnZeWFj+naX/DAbAa
m7fAqgUwHMyETz3xIRxwdKTc/wQOh+2rVf83JWfuIyV0HauK9JMsXjS5dKZYH3fp
iHA6mZmOPw8ZlWcSzOP7JYbIJSd/E/G6mudLL8CRGhCshuX+dXnLBDJDZJVzqch6
6hGKShK1fyGID5NU2iEmuyeo+KgpSHBu2AY2uhqmNfPEwKeOPyF6YzU9NNzjCqh6
O3T6uQ1rUFslj9KNMvuCquvIJr3M79rykLkT6pnyTkBaj72NnA4M/hVNi2IrSuAz
CZ+tQnWZZn3GGls=
=5AQW
-----END PGP SIGNATURE-----
More information about the AppArmor
mailing list