[pkg-apparmor] Bug#918548: About possibility to translate AppArmor tunables

Ian Jackson ijackson at chiark.greenend.org.uk
Mon Jan 7 11:30:41 GMT 2019 

Package: apparmor
Version: 2.13.2-3
Severity: serious

Vincas, thanks for reporting this bug on the debian-i18n list.
I think it needs a much higher profile.

Vincas Dargis writes ("About possibility to translate AppArmor tunables"):
> Let's look at one tunable file example. Currently, Debian and
> upstream version of `/etc/apparmor.d/tunables/xdg-user-dirs` (from
> apparmor package) have these contents:
> 
> ```
> @{XDG_DESKTOP_DIR}="Desktop"
...
> The problem is that on my machine, "Desktop" is actually "Darbastalis",

I think you mean "in your account" ?  I mean, if you had several users
who used different languages, wouldn't their "Desktop" directory be
called different things ?

> ```
> @{XDG_DESKTOP_DIR}+="Darbastalis" #lt
> @{XDG_DESKTOP_DIR}+="Darbvirsma" #lv
> @{XDG_DOWNLOAD_DIR}+="Atsisiuntimai" #lt
> @{XDG_DOWNLOAD_DIR}+="Lejupielādes" #lv
> ...
> ```

These are interesting ideas.  I don't know enough to say if they would
work.

> Though I am not sure how that could be achieved, hence I ask this
> list for guidance.

I think this requires some technical input from the AppArmor folks.
I see you CC'd the uploader already but I think this is a bug and
should be tracked in the Debian BTS.


I have set the bug to `serious' because of this impact as described by
Vincas:

> if AppArmor profile for application "Foo" defines rule
> `@{XDG_DESKTOP_DIR}/** r,` to allow reading from desktop, it will
> not work for my localized desktop directory name.

That is phrased hypothetically but I imagine it is common.  That kind
of thing is after all what these rules are there fore.

To the AppArmor maintainers:

I have filed this as `serious' not to try to force you to fix this,
but because this bug seems like it will cause AppArmor to work badly
for many people and I felt you would want me to be sure you noticed.
So please adjust the severity as you like.

I hope everyone finds my intervention helpful.

Regards,
Ian.

-- 
Ian Jackson <ijackson at chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

More information about the pkg-apparmor-team mailing list