After a discussion with Alex Murray and John Johansen, we decided on the following OpenVPN policy adjustments:
- allowing writes to files in the /etc/openvpn, and not just reads
- allowing reads to most of the home directories
- allowing writes to most of the home directories, with an owner restriction (which would allow the genkey write case while blocking an OpenVPN daemon running as root from covertly overwriting user-owned keys)
where "most of the home directories" refers to including the private-files-strict abstraction (https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/private-files-strict?ref_type=heads) and adding a carveout to allow writes inside .config.

https://bugs.launchpad.net/bugs/2098930
Title: openvpn profile doesn't allow access to files on home dir
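The three adjustments above, expressed as an AppArmor profile fragment. This is an added illustration, not the Ubuntu openvpn profile or any rule from the bug; the "before" rules, the rule ordering and the surrounding profile are assumptions, and the contents of the private-files-strict abstraction are paraphrased, not quoted. Rule syntax follows apparmor.d(5).

```apparmor
# Hypothetical fragment of a profile for /usr/sbin/openvpn (illustration only,
# not the Ubuntu profile). Everything here is assumed except the rule syntax.

  # Before (assumed): the configuration directory was readable only, so
  # `openvpn --genkey` could not write a key under /etc/openvpn.
  #   /etc/openvpn/ r,
  #   /etc/openvpn/** r,

  # After: reads and writes under /etc/openvpn.
  /etc/openvpn/ r,
  /etc/openvpn/** rw,

  # Home directories. The abstraction carries `audit deny` rules for sensitive
  # dotfiles such as ~/.ssh and ~/.gnupg; on top of it, reads are allowed
  # broadly and writes only where the file's owner uid equals the task's fsuid.
  # A daemon running as root therefore cannot use the write rule to overwrite
  # user-owned keys, while a user running `openvpn --genkey` into their own
  # home directory still matches.
  include <abstractions/private-files-strict>
  @{HOME}/ r,
  @{HOME}/** r,
  owner @{HOME}/** w,

  # The ~/.config write carveout mentioned in the thread. Deny rules take
  # precedence over allow rules in AppArmor, so if the abstraction denies
  # writes under ~/.config this rule alone does not restore them; the carveout
  # then has to be made where the deny lives, not here.
  owner @{HOME}/.config/** w,
```

To check a change like this on a running system, reload the profile with `apparmor_parser -r` on the profile file, confirm it is in enforce mode with `aa-status`, then exercise the genkey and config-read paths as an ordinary user and as root and watch for `apparmor="DENIED"` events in the kernel log (`journalctl -k`). The root-as-daemon case should be denied on a user-owned key file and allowed on a root-owned one.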