Several additions on/from openSUSE Tumbleweed

[cboltz]

Tumbleweed needs several profile additions, see aa-log-2024-07-21.txt

[nobody43]

owner @{HOME}/bin/ r, # part of $PATH, but still - why? Some library that git uses searches greedily for specific or all available executables in PATH. The program itself might not even care about the PATH.

[roddhjav]

Thanks, they should be integrated now. I updated the value of user_bin_dirs to also include @{HOME}/bin.

[cboltz]

Thanks!

I noticed a few additional denials: aa-2024-08-25.txt

[cboltz]

Here's a bigger - and probably more complete - list of denials from latest Tumbleweed: aa-2024-08-26.txt

I didn't check in detail, but it probably includes the denials from the 2024-08-25 list.

[roddhjav]

Thanks, they should be integrated now (1655a9f5ab0956142d78a8795d491a9e836d1ad9). There are a few things to comments:

• /filespace/ r, # mountpoint. This should be appended locally in the @{MOUNTS} variable.
• owner @{HOME}/misc/name-redacted.png r, # opened with GIMP Need to be under a labelled path.
• In okular: owner @{HOME}/path/to/some.pdf r, Same, as long as the path is under a labelled path, it should work.
• akonadi_maildir_resource uses the @{user_mail_dirs} variable therefore @{user_share_dirs}/.local-mail.directory may have to be set into @{XDG_MAIL_DIR}.
• Regarding xdm-xsession's xinit script. You may need to add all special config on your local file. It may be a issue on a long term basis, as the goal is to provide a default set of policies that can be used with minimum configuration. Meanwhile, wayland don't use this kind of init script any-more.
• @{lib}exec/utempter/utempter ix -> @{lib}exec/utempter/utempter, # profile transition not found Isn't @{lib}/{,@{multiarch}/}utempter/utempter enough?
• You have some rules like:

  @{lib}/libheif/                     r,
  @{lib}/libheif/libheif-aomdec.so    mr,

  I think they should already be part of the base abstraction. However, they are currently not in it because they are inside libexec witch I think is not covered by default..

• In kioworker: @{HOME}/some/path/favicon-48x48.png r, # used as folder icon, configured via .directory file, kioworker has full access to owner @{HOME} already. I don't see how this could be needed for another user (unless this is run as root).
• libreoffice-soffice. In apparmor.d, the profile has been rewritten/simplified and is now named libreoffice. And your raised rules are already part of it.

I may have to update the configuration documentation page to expand the section about the list of variables that need to be configured.