[pkg-apparmor] Bug#918548: Bug#918548: About possibility to translate AppArmor tunables

Jamie Strandboge jamie at canonical.com
Thu Jan 10 20:16:56 GMT 2019


On Mon, 07 Jan 2019, Ian Jackson wrote:

> Package: apparmor
> Version: 2.13.2-3
> Severity: serious
> 
> Vincas, thanks for reporting this bug on the debian-i18n list.
> I think it needs a much higher profile.
> 
> Vincas Dargis writes ("About possibility to translate AppArmor tunables"):
> > Let's look at one tunable file example. Currently, Debian and
> > upstream version of `/etc/apparmor.d/tunables/xdg-user-dirs` (from
> > apparmor package) have these contents:
> > 
> > ```
> > @{XDG_DESKTOP_DIR}="Desktop"
> ...
> > The problem is that on my machine, "Desktop" is actually "Darbastalis",
> 
> I think you mean "in your account" ?  I mean, if you had several users
> who used different languages, wouldn't their "Desktop" directory be
> called different things ?

Indeed...

> > ```
> > @{XDG_DESKTOP_DIR}+="Darbastalis" #lt
> > @{XDG_DESKTOP_DIR}+="Darbvirsma" #lv
> > @{XDG_DOWNLOAD_DIR}+="Atsisiuntimai" #lt
> > @{XDG_DOWNLOAD_DIR}+="Lejupielādes" #lv
> > ...
> > ```

> To the AppArmor maintainers:
> 
> I have filed this as `serious' not to try to force you to fix this,
> but because this bug seems like it will cause AppArmor to work badly
> for many people and I felt you would want me to be sure you noticed.
> So please adjust the severity as you like.

I don't have all the context since the bug only has part of the thread, but I
can say two things:

1. importantly, profiles are (currently) system wide so the @{XDG_*_DIR}
   apparmor variables should be adjusted for all languages the system's users
   use, otherwise policy using this variable will fail to work for any missing
   languages
2. the apparmor project supports distros and sysadmins by providing the
   /etc/apparmor.d/tunables/xdg-user-dirs file (conffile in Debian) and
   /etc/apparmor.d/tunables/xdg-user-dirs.d directory for managing the
   @{XDG_*_DIR} variables in the manner it appears the thread is describing.
   This is also discussed in the apparmor.d man page.

AppArmor the project currently does not provide any more support beyond this in
part because different distros handle language support differently and no one
has driven anything better.

With my distro-maintainer hat on, there is more than enough here to have a nice
story. I can imagine perhaps a dpkg trigger that would update file(s) in
/etc/apparmor.d/tunables/xdg-user-dirs.d based on language changes. Not having
a lot of experience with language support in Debian and its downstreams, I
can't offer anything more concrete, but there is definitely an opportunity to
do something nice here.

As for the seriousness of the bug, I'll let the Debian apparmor devs decide but
will say that this issue has been known for many years in Ubuntu where apparmor
is on by default and the current upstream mechanisms have proved 'ok enough'.
I'll speculate and say this probably has something to do with the fact that the
@{XDG_*_DIR} variables aren't widely used in system-shipped policy and what is
left is sysadmin created policy and if the sysadmin is writing the policy, the
man page is likely consulted.

-- 
Jamie Strandboge             | http://www.canonical.com
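
An added example, not part of the message above and not AppArmor or Debian code: one way a sysadmin could generate the `+=` lines for a file under /etc/apparmor.d/tunables/xdg-user-dirs.d from the directory names the system's users actually have. It assumes each user's names come from xdg-user-dirs' `~/.config/user-dirs.dirs`; the function names and the sample data are hypothetical and constructed.

```python
import re

# One assignment per line, e.g. XDG_DESKTOP_DIR="$HOME/Darbastalis"
_LINE = re.compile(r'^\s*(XDG_[A-Z]+_DIR)="\$HOME/([^"]*)"\s*$')
# user-dirs.dirs is user-writable and the output is root-owned policy:
# reject quotes, backslashes, glob and variable syntax, control characters.
_UNSAFE = re.compile(r'["\\*?\[\]{}@^\x00-\x1f]')


def parse_user_dirs(text):
    """Yield (variable, name relative to $HOME) from one user-dirs.dirs file."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # comments, blank lines, paths not under $HOME
        var, rel = m.group(1), m.group(2).strip("/")
        if not rel or ".." in rel.split("/") or _UNSAFE.search(rel):
            continue  # "$HOME/" disables the directory; the rest is unsafe
        yield var, rel


def render_tunables(user_configs, defined):
    """Return += lines for every name not already present in `defined`."""
    extra = {}
    for text in user_configs.values():
        for var, rel in parse_user_dirs(text):
            if rel not in defined.get(var, set()):
                extra.setdefault(var, set()).add(rel)
    return "".join(
        f'@{{{var}}}+="{rel}"\n'
        for var in sorted(extra) for rel in sorted(extra[var])
    )


# Constructed sample: three accounts with different languages on one system.
SAMPLE = {
    "user_lt": 'XDG_DESKTOP_DIR="$HOME/Darbastalis"\n'
               'XDG_DOWNLOAD_DIR="$HOME/Atsisiuntimai"\n',
    "user_lv": 'XDG_DESKTOP_DIR="$HOME/Darbvirsma"\n'
               'XDG_DOWNLOAD_DIR="$HOME/Lejupielādes"\n',
    "user_en": '# constructed\nXDG_DESKTOP_DIR="$HOME/Desktop"\n'
               'XDG_MUSIC_DIR="$HOME/"\n'
               'XDG_PICTURES_DIR="$HOME/x{,/../..}"\n',
}
# Value already set in tunables/xdg-user-dirs, as quoted in the thread.
DEFINED = {"XDG_DESKTOP_DIR": {"Desktop"}}

if __name__ == "__main__":
    print(render_tunables(SAMPLE, DEFINED), end="")
```

Because profiles are system wide, the output is the union over all accounts; the script only prints the lines and leaves writing the file and reloading profiles to the administrator.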