From f2e2af37763ed6ed1476b5157e97eb41f6ab2d7a Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Mon, 25 Feb 2013 14:29:25 +0100
Subject: [PATCH] Allow guest session to write /run/user//

Don't just permit creating and accessing selected directories, but allow creating new directories as well. This avoids bugs with other software which uses XDG_RUNTIME_DIR (such as pulseaudio). As this is by definition an ephemeral and a private directory, there is no data leak from other users.
---
 data/guest-session.apparmor_abstraction | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/data/guest-session.apparmor_abstraction b/data/guest-session.apparmor_abstraction
index 4afe9451..f73edd2d 100644
--- a/data/guest-session.apparmor_abstraction
+++ b/data/guest-session.apparmor_abstraction
@@ -61,10 +61,7 @@
 /{,var/}run/** rmkix,
 /{,var/}run/shm/** wl,
 # libpam-xdg-support
- owner /{,var/}run/user/guest-*/dconf/ rw,
- owner /{,var/}run/user/guest-*/dconf/user rw,
- owner /{,var/}run/user/guest-*/keyring-*/ rw,
- owner /{,var/}run/user/guest-*/keyring-*/{control,gpg,pkcs11,ssh} rw,
+ owner /{,var/}run/user/guest-*/** rw,
 capability ipc_lock,
-- 
2.39.2
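Review bot: The new `owner /{,var/}run/user/guest-*/** rw,` rule is unioned with the context rule `/{,var/}run/** rmkix,` a few lines above it, so any file the guest creates under its runtime directory is also executable-mappable and runnable under the inherited profile; before this change only the dconf and keyring paths were writable there. Whether that widens anything in practice depends on the mount options of /run/user and on what the rest of the profile already grants, neither of which is visible in this hunk, so it is worth confirming. The isolation the commit message relies on comes from the `owner` qualifier rather than from the directory being private, and the remaining `# libpam-xdg-support` comment no longer says so; I would replace it with something like `# XDG_RUNTIME_DIR: guest may create anything here; 'owner' keeps it out of other guest-* sessions' directories`. The profile continues outside the hunk.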