[pkg-apparmor] Bug#980154: apparmor: abstractions/X: allow X11 apps access to /run/user/@{UID}/ICEauthority

[Paul Wise]

Package: apparmor
Version: 2.13.6-3
Severity: normal
File: /etc/apparmor.d/abstractions/X
Usertags: warnings

X11 applications seem to now access /run/user/@{UID}/ICEauthority in
addition to @{HOME}/.ICEauthority and GNOME Wayland only seems to
create the former rather than the latter. So currently X11 applications
with apparmor support in complain mode leave warnings in the logs and
presumably will not start properly in enforce mode.

Jan 15 18:20:26 audit[864810]: AVC apparmor="ALLOWED" operation="open" profile="/usr/bin/pidgin" name="/run/user/1000/ICEauthority" pid=864810 comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apparmor depends on:
ii  debconf [debconf-2.0]  1.5.74
ii  libc6                  2.31-9
ii  lsb-base               11.1.0
ii  python3                3.9.1-1

apparmor recommends no packages.

Versions of packages apparmor suggests:
ii  apparmor-profiles-extra  1.30
ii  apparmor-utils           2.13.6-3

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: This is a digitally signed message part
URL: <http://alioth-lists.debian.net/pipermail/pkg-apparmor-team/attachments/20210115/616cbe7a/attachment.sig>