profiles: add lock file permission to snap browsers (!1045) · Merge requests · AppArmor / apparmor

Georgia Garcia requested to merge georgiag/apparmor:snap-browsers-lock into master Jun 05, 2023

When opening snap browsers with evince using the snap_browsers abstraction, we get the following AppArmor denials which prevent the browsers from opening

audit: type=1400 audit(1685996894.479:225): apparmor="DENIED" operation="open" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=13282 comm="snap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

audit: type=1400 audit(1685997517.142:259): apparmor="DENIED" operation="file_lock" class="file" profile="/usr/bin/evince//snap_browsers" name="/var/lib/snapd/inhibit/firefox.lock" pid=14200 comm="snap" requested_mask="k" denied_mask="k" fsuid=1000 ouid=0

This MR should be cherry-picked into 2.13, 3.0, 3.1

profiles: add lock file permission to snap browsers

Merge request reports