[pkg-apparmor] Bug#786904: evince-common: allow reading TTF files from anywhere in apparmor

intrigeri intrigeri at debian.org
Thu May 28 08:05:26 UTC 2015


Control: severity -1 wishlist
Control: tag -1 wontfix

Hi,

>> please allow evince to read TTF fonts wherever they may be. With the current 
>> apparmor profile, symlink-ing a TTF font from another partition into 
>> /usr/share/fonts leads to unusable evince menus (empty squares instead of 
>> characters).

>> It's a real easy fix: in /etc/apparmor.d/abstractions/evince, right after the 
>> **.[bB][mM][pP] & company add
>> 
>>   /**.[tT][tT][fF]     r,  # fonts can live anywhere

Note that the corresponding AppArmor policy lives in the "fonts"
abstraction, that is used by virtually all profiles that confine GUI
applications. That abstraction already supports installing additional
fonts locally e.g. in /usr/local/share/fonts/ and in ~/.fonts/, so
administrators have plenty of ways to make such fonts available in
a way that works just fine with AppArmor. Also, in general I don't
think we should make AppArmor policies support random places where
people might be symlinking stuff to: this would quickly lead to
profiles that are wide-open and hard to audit.

The easiest solutions, for an administrator, are to use mounts or
bind-mounts (as opposed to symlinks), or to add the additional access
they want to grant Evince in /etc/apparmor.d/local/usr.bin.evince :)

So I'm tagging this bug wontfix. Now, perhaps I missed something, and
of course this decision can be discussed/revisited.

Cheers,
--
intrigeri
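
Added example, not part of the message above or of Debian's AppArmor policy: a simplified Python model of AppArmor path globbing that compares the rule requested in the bug report with a rule scoped to one directory, as it could be written in /etc/apparmor.d/local/usr.bin.evince. The directory /mnt/data/fonts, the sample paths and the two-rule stand-in for the "fonts" abstraction are assumptions constructed for illustration.

```python
import re

def aa_glob_to_regex(glob):
    """Simplified model of AppArmor path globbing (not the real parser):
    '**' crosses '/', '*' and '?' do not, '[...]' is a character class."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        elif glob[i] == "[":
            end = glob.index("]", i)
            out.append(glob[i:end + 1]); i = end + 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out))

def allowed(rules, path):
    """True if any read rule in `rules` matches the (already resolved) path."""
    return any(aa_glob_to_regex(r).fullmatch(path) for r in rules)

POLICIES = {
    # Constructed stand-in: only font directories mentioned in this thread.
    "fonts abstraction": ["/usr/share/fonts/**", "/usr/local/share/fonts/**"],
    # Rule proposed in the bug report.
    "requested rule": ["/**.[tT][tT][fF]"],
    # Hypothetical local override limited to the other partition's font dir.
    "scoped local rule": ["/mnt/data/fonts/**.[tT][tT][fF]"],
}

SAMPLE_PATHS = [  # constructed paths
    "/mnt/data/fonts/DejaVuSans.ttf",   # where a symlink in /usr/share/fonts resolves to
    "/usr/local/share/fonts/extra/DejaVuSans.ttf",  # same file seen via a bind mount
    "/home/alice/private/scan.TTF",     # unrelated file that merely ends in .TTF
]

def verdicts():
    return {p: {name: allowed(rules, p) for name, rules in POLICIES.items()}
            for p in SAMPLE_PATHS}

if __name__ == "__main__":
    for path, result in verdicts().items():
        print(path, result)
```

Only the requested rule grants read access to the file outside any font directory; the scoped rule and the bind-mounted path keep the readable set limited to font locations.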


