[Apparmor-general] usr.X11R6.bin.acroread causes error message
Crispin Cowan
crispin at novell.com
Wed Jan 17 18:50:09 MST 2007
jesse michael wrote:
> logprof currently gets this wrong because it thinks that a superset of the
> required permissions is sufficient when it has to be exact-match instead.
>
> the exact-match requirement is a little unfortunate for the case where you
> have rules like--
>
> /home/*/.adobe/** rwl,
> /usr/X11R6/lib/Acrobat7/Reader/** r,
>
> because the permission for the files in the home directory has an additional
> w bit, creating links that point at the system directory will cause REJECT
> messages and the answer is to either (1) delete the "w" bit from the /home
> rule or (2) add a "w" bit to the /usr rule.
>
> going with option 1 will cause problems when the app wants to update config
> files in .adobe, but going with option 2 means that you're granting write
> access to the system directory. ick.
>
So how about option (3): relax the module requirement to be a superset
of permissions instead of exact match? Can anyone remember why we
require an exact match? I.e. is there a semantic reason, or is it just a
bug?
Crispin
--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Hacking is exploiting the gap between "intent" and "implementation"
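
A small model of the check discussed in this thread, added here as an example and not taken from the AppArmor module, logprof, or either poster. It evaluates the two quoted rules for a link under .adobe that points into the Reader directory, under exact match, under options (1) and (2), and under option (3). The sample paths, the function names, and the reading of option (3) as "the link-side permissions are a superset of the target's" are assumptions.

```python
import re

# The two rules quoted in the thread: (path glob, permission letters).
PROFILE = [
    ("/home/*/.adobe/**", "rwl"),
    ("/usr/X11R6/lib/Acrobat7/Reader/**", "r"),
]
# Option (1): drop "w" from the /home rule. Option (2): add "w" to the /usr rule.
OPTION_1 = [("/home/*/.adobe/**", "rl"), PROFILE[1]]
OPTION_2 = [PROFILE[0], ("/usr/X11R6/lib/Acrobat7/Reader/**", "rw")]

# Constructed sample paths (not from the thread).
LINK = "/home/alice/.adobe/Acrobat/7.0/plug_ins"
TARGET = "/usr/X11R6/lib/Acrobat7/Reader/intellinux/plug_ins"
CONFIG = "/home/alice/.adobe/Acrobat/7.0/Preferences/reader_prefs"

def glob_to_regex(glob):
    """AppArmor-style globbing: '**' may cross '/', a single '*' may not."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def perms(profile, path):
    """Union of the permission letters of every rule that matches path."""
    granted = set()
    for glob, letters in profile:
        if glob_to_regex(glob).match(path):
            granted |= set(letters)
    return granted

def link_allowed(profile, link, target, mode="exact"):
    """Require 'l' on the link name, then compare the remaining
    permissions of the link name with those of the target."""
    lp, tp = perms(profile, link), perms(profile, target)
    if "l" not in lp:
        return False
    lp, tp = lp - {"l"}, tp - {"l"}
    if mode == "exact":
        return lp == tp       # behaviour described in the thread
    return lp >= tp           # assumed reading of option (3)

if __name__ == "__main__":
    for name, prof in (("as quoted", PROFILE), ("option 1", OPTION_1), ("option 2", OPTION_2)):
        print(name, link_allowed(prof, LINK, TARGET), sorted(perms(prof, CONFIG)), sorted(perms(prof, TARGET)))
    print("option 3", link_allowed(PROFILE, LINK, TARGET, mode="superset"))
```

Under the assumed superset check the quoted profile permits the link while the link name still carries "w" and the target rule grants only "r", which is the gap between the two rules that the exact-match check rejects.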