jonls / redshift

Redshift adjusts the color temperature of your screen according to your surroundings. This may help your eyes hurt less if you are working in front of the screen at night.
http://jonls.dk/redshift
GNU General Public License v3.0

Apparmor profile blocks config file if XDG_CONFIG_HOME is set #708

Open Druco opened 5 years ago

Druco commented 5 years ago

Describe the bug

With XDG_CONFIG_HOME set to something other than $HOME/.config, the supplied apparmor profile DENIES the file access to the redshift.conf file. Adding the line:

owner @{XDG_CONFIG_HOME}/redshift/redshift.conf r,

to the usr.bin.redshift file fixes this when running redshift from the command line. It does not fix it when running redshift-gtk however.

To Reproduce

Steps to reproduce the behavior:

  1. Set XDG_CONFIG_HOME to something other than ~/.config
  2. Create $XDG_CONFIG_HOME/redshift/redshift.conf
  3. Make sure apparmor is running
  4. Start redshift

Expected behavior

Parameters specified in $XDG_CONFIG_HOME/redshift/redshift.conf should be used rather than default values (or those in ~/.config/redshift/redshift.conf).

Error output/logs/screenshots

In /var/log/audit/audit.log the error is:

type=AVC msg=audit(1550535771.076:213): apparmor="DENIED" operation="open" profile="/usr/bin/redshift" name="/home/username/.config.tumbleweed/redshift/redshift.conf" pid=5793 comm="redshift" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Software versions (please complete the following information):

Druco commented 5 years ago

Just wanted to make a correction that adding:

owner @{XDG_CONFIG_HOME}/redshift/redshift.conf r,

to the usr.bin.redshift file does not fix the problem. I didn't notice that what actually occurred was that apparmor crashed when this line was added so it looked like it was working.

CameronNemo commented 5 years ago

This is a common pitfall of AppArmor profiles and LSM policy in general. There are standard variables in /etc/apparmor.d/tunables, but none seem to apply to this situation.

cboltz commented 5 years ago

I'd recommend to add

alias @{HOME}/.config/ -> @{HOME}/.config.tumbleweed/,

in /etc/apparmor.d/tunables/alias and to run rcapparmor reload afterwards.

Druco commented 5 years ago

> I'd recommend to add
>
> alias @{HOME}/.config/ -> @{HOME}/.config.tumbleweed/,
>
> in /etc/apparmor.d/tunables/alias and to run rcapparmor reload afterwards.

Thanks, I'll give that a try. So far I have just put the files in .config rather than .config.tumbleweed and that has worked well enough. It sounds like this is really a problem with AppArmor itself needing to be updated to handle the XDG standard. Thanks for the response and as far as I am concerned the bug can be closed.

Piraty commented 2 years ago

The issue expands to XAUTHORITY as well. If it points to a custom path, apparmor denies access and redshift subsequently fails to open the file. This happens if, for example, sx is used to spawn the display server. See also here
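Added example, not part of the thread or the redshift project: a Python triage script that parses AppArmor DENIED audit records like the one quoted in the report and flags denials whose path is explained by a relocated XDG_CONFIG_HOME or XAUTHORITY. The second and third log records, the XAUTHORITY path and all function names are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# key="quoted value" or key=bare-token (pid=5793, hex-encoded names, ...)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the fields of an AppArmor DENIED audit record, else None."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        # Names with spaces or quotes are logged as unquoted hex; decode them.
        if key == "name" and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", bare):
            bare = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = quoted or bare
    return fields if fields.get("apparmor") == "DENIED" else None

def relocated_by(path, env):
    """Name the environment variable that explains a denied path, if any."""
    target = PurePosixPath(path)
    xdg, xauth = env.get("XDG_CONFIG_HOME"), env.get("XAUTHORITY")
    if xdg and PurePosixPath(xdg) in target.parents:
        return "XDG_CONFIG_HOME"
    if xauth and PurePosixPath(xauth) == target:
        return "XAUTHORITY"
    return None

def triage(log_text, env):
    """List (profile, path, denied_mask, cause) for every DENIED record."""
    records = filter(None, map(parse_denial, log_text.splitlines()))
    return [(r.get("profile"), r.get("name", ""), r.get("denied_mask"),
             relocated_by(r.get("name", ""), env)) for r in records]

# Record 1 is the denial quoted in the report; records 2 and 3 are constructed.
SAMPLE_LOG = '''type=AVC msg=audit(1550535771.076:213): apparmor="DENIED" operation="open" profile="/usr/bin/redshift" name="/home/username/.config.tumbleweed/redshift/redshift.conf" pid=5793 comm="redshift" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1550535772.100:214): apparmor="DENIED" operation="open" profile="/usr/bin/redshift" name="/tmp/sx-example/xauthority" pid=5794 comm="redshift" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1550535773.000:215): apparmor="ALLOWED" operation="open" profile="/usr/bin/redshift" name="/etc/hosts" pid=5794 comm="redshift" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''
# Constructed environment; the XAUTHORITY path is a placeholder.
SAMPLE_ENV = {"HOME": "/home/username", "XAUTHORITY": "/tmp/sx-example/xauthority",
              "XDG_CONFIG_HOME": "/home/username/.config.tumbleweed"}

if __name__ == "__main__":
    for profile, path, mask, cause in triage(SAMPLE_LOG, SAMPLE_ENV):
        print(f"{profile}: denied '{mask}' on {path} (relocated by: {cause})")
```

On a live system, pass the contents of /var/log/audit/audit.log and `dict(os.environ)` from the affected user's session instead of the samples.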