From c5968c70d0f1bd3da9ed1a19b5a79748adbfd566 Mon Sep 17 00:00:00 2001
From: Jamie Strandboge <jamie@ubuntu.com>
Date: Mon, 9 Sep 2019 15:48:05 -0500
Subject: [PATCH] abstractions/fonts: don't allow write of fontconfig cache
 files

879531b36ec3dfc7f9b72475c68c30e4f4b7b6af changed access for
@{HOME}/.{,cache/}fontconfig/** to include 'w'rite. Fontconfig has been
a source of CVEs. Confined applications should absolutely have read
access, but write access could lead to breaking out of the sandbox if a
confined application can write a malformed font cache file since
unconfined applications could then pick them up and be controlled via
the malformed cache. The breakout is dependent on the fontconfig
vulnerability, but this is the sort of thing AppArmor is meant to help
guard against.
---
 profiles/apparmor.d/abstractions/fonts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/profiles/apparmor.d/abstractions/fonts b/profiles/apparmor.d/abstractions/fonts
index 561858466..2cf6bfe27 100644
--- a/profiles/apparmor.d/abstractions/fonts
+++ b/profiles/apparmor.d/abstractions/fonts
@@ -45,7 +45,7 @@
   owner @{HOME}/.local/share/fonts/**   r,
   owner @{HOME}/.fonts.cache-2          mr,
   owner @{HOME}/.{,cache/}fontconfig/   rw,
-  owner @{HOME}/.{,cache/}fontconfig/** mrwl,
+  owner @{HOME}/.{,cache/}fontconfig/** mrl,
   owner @{HOME}/.fonts.conf.d/          r,
   owner @{HOME}/.fonts.conf.d/**        r,
   owner @{HOME}/.config/fontconfig/     r,