From 2f3c4574eca7a41c78e291b30564e0a258b11a51 Mon Sep 17 00:00:00 2001
From: Jose Maldonado aka Yukiteru
Date: Mon, 6 May 2024 17:56:16 -0400
Subject: [PATCH] Fix access to thumbnail cache dirs in abstractions
gsd-housekeepin in GNOME have access to @{user_cache_dirs} for searching thumbnail files and executing one task for cleaning these files every day. The actual abstractions/thumbnails-cache-write fail in granted this access, specially to various folders in the thumbnail cache (ex: fail folder). These changes fix this access. For convenience abstractions/thumbnails-cache-read, have the same access structure also for files/folders, but only read permissions.
---
 apparmor.d/abstractions/thumbnails-cache-read | 10 +++++++---
 apparmor.d/abstractions/thumbnails-cache-write | 12 +++++++-----
 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read
index 916a08c42..b99559e1d 100644
--- a/apparmor.d/abstractions/thumbnails-cache-read
+++ b/apparmor.d/abstractions/thumbnails-cache-read
@@ -4,7 +4,11 @@
 # SPDX-License-Identifier: GPL-2.0-only
 owner @{user_cache_dirs}/thumbnails/ r,
- owner @{user_cache_dirs}/thumbnails/{*large,normal}/ r,
- owner @{user_cache_dirs}/thumbnails/{*large,normal}/*.png r,
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ r,
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ r,
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png r,
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png r -> @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int},
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} r,
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} r,
- include if exists
\ No newline at end of file
+ include if exists
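Review bot: The added rule `…/*.png r -> @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int},` keeps the `->` target copied from the write abstraction's `rwl` rule, but here it grants only `r`, so there is no link permission for the target to qualify. Depending on the parser version this is presumably either rejected or ignored, so the rule should read `owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png r,`. The `*.png.@{rand6}` and `#@{int}` rules look like the temporary names a writer uses before the final rename or link. A read-only abstraction probably does not need them, and leaving them out keeps every profile that includes this file closer to least privilege.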
diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write
index ac1c02c54..5bcca4d4b 100644
--- a/apparmor.d/abstractions/thumbnails-cache-write
+++ b/apparmor.d/abstractions/thumbnails-cache-write
@@ -4,9 +4,11 @@
 # SPDX-License-Identifier: GPL-2.0-only
 owner @{user_cache_dirs}/thumbnails/ rw,
- owner @{user_cache_dirs}/thumbnails/{large,normal}/ rw,
- owner @{user_cache_dirs}/thumbnails/{large,normal}/*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
- owner @{user_cache_dirs}/thumbnails/{large,normal}/*.png.@{rand6} rw,
- owner @{user_cache_dirs}/thumbnails/{large,normal}/#@{int} rw,
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ rw,
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ rw,
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/*.png rw,
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png rwl -> @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int},
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/*.png.@{rand6} rw,
+ owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/#@{int} rw,
- include if exists
\ No newline at end of file
+ include if exists
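Review bot: The `*large` wildcard in `{fail,*large,normal}` is new on the write side, where the removed rules named `{large,normal}`. It matches any directory under `thumbnails/` whose name ends in `large`, so every profile that includes this abstraction gains `rw` and link access there. Listing the size directories explicitly, for example `{fail,large,x-large,xx-large,normal}`, would keep the grant tied to the known cache layout. The `gnome-thumbnail-factory/` rules are also granted under every size directory, although the commit message only mentions the fail folder. If that subdirectory only exists there, `owner @{user_cache_dirs}/thumbnails/fail/gnome-thumbnail-factory/{,*.png} rw,` would be narrower.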