abstractions/X: Allow (only) reading X compose cache

... (/var/cache/libx11/compose/*), and deny any write attempts Reported by darix, https://git.nordisch.org/darix/apparmor-profiles-nordisch/-/blob/master/apparmor.d/teams MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/685 (cherry picked from commit 78bd811e2a23f55974991cd208f6a17749655c21) Signed-off-by: John Johansen <john.johansen@canonical.com>
2025-08-22 01:57:43 +00:00 · 2020-11-16 20:42:00 +01:00 · 2020-11-16 20:42:00 +01:00 · 085d4cd0e2
commit 085d4cd0e2
parent f305bb1831
1 changed files with 2 additions and 0 deletions
--- a/profiles/apparmor.d/abstractions/X
+++ b/profiles/apparmor.d/abstractions/X
@ -55,6 +55,8 @@

  # Xcompose
  owner @{HOME}/.XCompose         r,
+  /var/cache/libx11/compose/*     r,
+  deny /var/cache/libx11/compose/* wlk,

  # mouse themes
  /etc/X11/cursors/               r,