profiles: add lock file permission to snap browsers

When opening snap browsers with evince using the snap_browsers abstraction, we get the following AppArmor denials which prevent the browsers from opening audit: type=1400 audit(1685996894.479:225): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=13282 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 audit: type=1400 audit(1685997517.142:259): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=14200 comm="snap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0 Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-09-02 07:15:18 +00:00 · 2023-06-05 17:32:44 -03:00
parent 8d6358fa6d
commit daec4bc82a
1 changed files with 1 additions and 0 deletions
--- a/profiles/apparmor.d/abstractions/snap_browsers
+++ b/profiles/apparmor.d/abstractions/snap_browsers
@@ -38,5 +38,6 @@ profile snap_browsers {
  /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,

  /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
+  /var/lib/snapd/inhibit/{chromium,firefox,opera}.lock rk,
  # add other browsers here
 }