So there is a tension here between users and security. There is no
perfect solution. Allowing openvpn full access to all the users' files
has security implications; denying access has usability implications.

As unsatisfying as it is, we are working towards a long-term solution,
but are not there yet. So what can be done now?

Short term there are four solutions:
1. The user moves keys to the allowed default locations (what has led to this
bug report)
2. Just give the profile full access to the user's files (less secure)
3. Disable the profile (even worse than 2)
4. Enable aa-notify (sudo apt install apparmor-notify)

Solution 4 is not currently enabled by default, but it could be in a
future release (it would need to be added to the desktop seed). It
provides the user a GUI that will allow them to extend the profile, but
this is done after the denial. It is not ideal, but better than the above
shell command for most users.


Long term the solution (which is a WIP) is twofold:

1. For applications that support it, having them use a portal to gain
access, with the portal being allowed to delegate the selected file to
the application. This is the transparent solution, where the user gets
the file dialogue as usual but it is not under the application's control.

2. For applications that can't support portals there is the permission
prompting work, which is currently experimental
(https://discourse.ubuntu.com/t/ubuntu-desktop-s-24-10-dev-cycle-part-5-introducing-permissions-prompting/47963).
Instead of being an after-the-fact solution like aa-notify, the prompt
pauses the application to get the user's input. At the moment it is
experimental and for snap applications only, but it can be opened up to
non-snap applications in the future.

https://bugs.launchpad.net/bugs/2098930

Title:
  openvpn profile doesn't allow access to files on home dir

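Between option 1 (move the keys) and option 2 (open the whole home directory) there is a narrower middle ground: read the AppArmor denial lines the kernel logs for the openvpn profile and turn each one into a rule that allows exactly that file. The following is an added example, not code from the bug report or from the apparmor package; the log lines are constructed in the shape of kernel AppArmor audit messages, and the rewrite to `@{HOME}` assumes the standard `/home/<user>` layout.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like kernel AppArmor audit messages
# (illustrative only; real denials carry more fields).
SAMPLE_LOG = """\
audit: type=1400 audit(1700000000.100:1): apparmor="DENIED" operation="open" profile="openvpn" name="/home/alice/vpn/client.key" pid=4242 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1700000000.200:2): apparmor="DENIED" operation="open" profile="openvpn" name="/home/alice/vpn/client.crt" pid=4242 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=1000
audit: type=1400 audit(1700000000.300:3): apparmor="ALLOWED" operation="open" profile="openvpn" name="/etc/openvpn/ca.crt" pid=4242 comm="openvpn" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values may be quoted ("...") or bare (pid=4242).
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
HOME = re.compile(r"^/home/[^/]+/")

def fields(line):
    """Parse one audit line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def parse_denials(log):
    """Yield (profile, path, mask, fsuid, ouid) for every DENIED line."""
    for line in log.splitlines():
        f = fields(line)
        if f.get("apparmor") == "DENIED" and f.get("name"):
            yield (f["profile"], f["name"], f.get("denied_mask", ""),
                   f.get("fsuid"), f.get("ouid"))

def suggest_rules(log):
    """Collapse denials into the narrowest per-file rules for each profile.

    Paths under a home directory are rewritten with @{HOME}. The 'owner'
    qualifier is only added when the accessing fsuid equals the file's
    owner; otherwise AppArmor would never match the rule (e.g. openvpn
    still running as root while the key belongs to the user)."""
    rules = defaultdict(set)
    for profile, path, mask, fsuid, ouid in parse_denials(log):
        if HOME.match(path):
            path = "@{HOME}/" + HOME.sub("", path)
        prefix = "owner " if fsuid is not None and fsuid == ouid else ""
        rules[profile].add(f"{prefix}{path} {mask},")
    return {p: sorted(r) for p, r in rules.items()}

if __name__ == "__main__":
    for profile, rule_list in suggest_rules(SAMPLE_LOG).items():
        print(f"# rules for profile {profile}")
        print("\n".join(rule_list))
```

The emitted lines are in AppArmor rule syntax and still need a human to review them before being placed in a local override for the profile; the point is that they name single files, not the whole home directory.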


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
