[pkg-apparmor] Bug#865206: [apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?
Simon McVittie
smcv at collabora.com
Fri Jun 30 19:16:38 UTC 2017
On Fri, 30 Jun 2017 at 20:20:33 +0200, intrigeri wrote:
> Diane Trout:
> > I was updating my browser profiles and saw firefox was trying to load some
> > flatpak mime exports.
>
> > Should the apparmor profiles allow those?

Anything in /var/lib/flatpak/exports/share or
~/.local/share/flatpak/exports/share is essentially equivalent to
the corresponding path in /usr/{local/,}share, and is something
that has deliberately been "exported" to the rest of the system by a
Flatpak-confined app. The most common thing to "export" is the
app's .desktop file, so that it can be included in menus, considered
as a potential MIME-type or URI-scheme handler and so on.

The only reason to prevent reading those directories would be if you do
not want the AppArmor-confined app to be able to enumerate the other
software you have installed on your system, as an anti-fingerprinting
mechanism.
S
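
The two policy choices described in the message above, written as AppArmor rules. This is an added example, not part of the original message and not the rules shipped in any AppArmor abstraction; it assumes the rules are placed inside an existing profile block and that the `@{HOME}` tunable is already included by that profile.

```apparmor
# Added example: rules for a profile body. Use option A or option B,
# not both (deny rules always override allow rules).

# Option A: treat the Flatpak export directories like
# /usr/{local/,}share, read-only. The trailing-slash rules allow
# listing the directory itself; the /** rules allow reading entries.
/var/lib/flatpak/exports/share/ r,
/var/lib/flatpak/exports/share/** r,
owner @{HOME}/.local/share/flatpak/exports/share/ r,
owner @{HOME}/.local/share/flatpak/exports/share/** r,

# Option B: anti-fingerprinting. The confined app cannot enumerate
# exported .desktop files, so it cannot learn which Flatpak apps are
# installed. Plain "deny" also silences the denial log entries; the
# "audit" prefix keeps them logged so the effect can be verified.
# audit deny /var/lib/flatpak/exports/share/ r,
# audit deny /var/lib/flatpak/exports/share/** r,
# audit deny @{HOME}/.local/share/flatpak/exports/share/ r,
# audit deny @{HOME}/.local/share/flatpak/exports/share/** r,

# Caveat: AppArmor mediates the resolved path. If an exported entry
# is a symlink, the link target needs a matching rule as well,
# otherwise option A still produces denials for the target path.
```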