[pkg-apparmor] Bug#802791: apparmor-profiles-extra: AppArmor profile prevents pidgin from starting

[intrigeri]

Control: tag -1 + confirmed upstream patch

Hi,

Kjö Hansi Glaz wrote (28 Oct 2015 18:40:04 GMT) :
> The following snippet is enough to make pidgin start on my sid system:

That's a good starting point. Thanks!

I'll propose modified versions and will bother explaining why, so you
folks get to learn something in the process (and I personally become
less of a blocker). My proposals may be wrong, introduce other
problems, or not work for you ⇒ please test, provide feedback, and
argue as needed.

> owner @{HOME}/.cache/gstreamer-1.0/registry.x86_64.bin r,

Let's support more than 1.0, more than just x86_64, and also systems
where the registry hasn't been initialized yet and must be created:

  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/ rw,
  owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,

> /usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner r,

Let's instead use the dedicated named profile we already have (we
don't want/need to give gst-plugin-scanner access to everything Pidgin
has access to):

  /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Cix -> gst_plugin_scanner,

... which itself highlights the fact that the gst_plugin_scanner
profile needs an update, but this doesn't prevent Pidgin from starting
so is off-topic here (and the registry is initialized if it wasn't
there yet); the Totem profiles might need updates as well.

With these three lines added my Pidgin starts.

These changes need to be submitted upstream there:

  http://bazaar.launchpad.net/~apparmor-dev/apparmor-profiles/master/

... and then they can be applied to apparmor-profiles-extra (no need
to wait for upstream's ACK, as long as we reference the merge request
in README.Debian).

There's good documentation on how to do all that on the Debian wiki.

Cheers,
-- 
intrigeri