[pkg-apparmor] Bug#865206: [apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?

John Johansen john.johansen at canonical.com
Fri Jun 30 21:56:29 UTC 2017


On 06/30/2017 11:20 AM, intrigeri wrote:
> Control: tag -1 + upstream
> 
> Hi Diane,
> 
> Diane Trout:
>> I was updating my browser profiles and saw firefox was trying to load some
>> flatpak mime exports.
> 
>> Should the apparmor profiles allow those?
> 
> Good question, thanks for raising this topic. I'm redirecting this
> discussion to the upstream AppArmor mailing list, as I think it is not
> Debian-specific.
> 
> Logs are at https://bugs.debian.org/865206.
> 

So this very much depends on the policy style you want. The firefox
profile in its current form is very permissive. And I don't see a
problem adding them to it and an abstraction does seem the right place
to do it so 

For a tighter policy where enumerating other applications etc. is not
allowed, we would want to block access. I don't think we can do
that well with applications like firefox until support for delegation
lands. At which point we are going to have to either rework the
reference policy or split it into different types dependent on
your wants/needs.


