[pkg-apparmor] Interest in backporting AppArmor 5 to Trixie once released?
intrigeri
intrigeri at debian.org
Thu Apr 9 10:53:02 BST 2026
Hi Aaron,
intrigeri (2026-04-01):
> Aaron Rainbolt (2026-03-31):
>> On Tue, 31 Mar 2026 13:43:20 +0200
>> intrigeri <intrigeri at debian.org> wrote:
>>> - Help with the current Glycin + bwrap vs. AppArmor mess
>>> (starting point: #1127935, I can provide more context and point to
>>> what I think would be the best solution, if desired; the next item
>>> on this list can also help determine how much effort this is worth)
>>
>> That looks interesting. Whonix currently uses loupe as our image viewer
>> specifically because it uses Glycin which provides sandboxed rendering,
>> so getting that working right upstream sounds like something we should
>> do.
>
> OK, then this would be, by far, the best way to support my AppArmor
> work at the moment, as it's the hottest topic, probably needs a few
> hours of work, and I don't seem to find them.
>
> The way I would approach it would be to provide a set of profiles that
> apps' profiles can use for this. I would start from
> https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/namespaces/glycin,
> i.e. the namespace version of their solution, that works for processes
> even if they have NNP set, and adjust this as needed for usage outside
> of roddhjav/apparmor.d.
>
> For inspiration, I've done something similar already there, albeit
> without using the namespace version (which only works for processes
> that don't have NNP set):
> https://gitlab.torproject.org/tpo/applications/torbrowser-launcher/-/merge_requests/42
>
> I would propose this new set of profiles upstream and backport to
> Debian. I would use different profile & file names from
> roddhjav/apparmor.d's to avoid conflicts.
>
> For more context, background, and inspiration:
>
> - https://apparmor.pujol.io/development/internal/#no-new-privileges
> - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127671
> - https://github.com/roddhjav/apparmor.d/issues/881
> - https://salsa.debian.org/gnome-team/extras/evince/-/merge_requests/10
Did you get an opportunity to look into this?
Cheers,
--
intrigeri
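The distinction intrigeri draws above (the namespace variant of the Glycin profiles works for processes with no_new_privs set, the plain variant only for processes without it) hinges on a per-process flag that is easy to check before picking an approach. The following is an added example, not code from the thread, from intrigeri, or from roddhjav/apparmor.d: it reads a process's `NoNewPrivs:` line from `/proc/<pid>/status` and its AppArmor label from `/proc/<pid>/attr/apparmor/current` (falling back to the older `/proc/<pid>/attr/current`), and reports which profile variant the thread says is applicable. The sample status text is constructed for offline testing; the `inspect_pid` helper and the `transition_advice` wording are my own.

```python
"""Report no_new_privs state and AppArmor label for a process.

Added example for the pkg-apparmor thread; it is not project code.
Run as:  python3 nnp_check.py <pid>
"""
import sys
from typing import Optional, Tuple

# Constructed sample of /proc/<pid>/status content (not captured from a
# real system); used to exercise the parser without a live process.
SAMPLE_STATUS = (
    "Name:\tglycin-loader\n"
    "State:\tS (sleeping)\n"
    "Pid:\t4242\n"
    "NoNewPrivs:\t1\n"
    "Seccomp:\t2\n"
)


def parse_no_new_privs(status_text: str) -> Optional[bool]:
    """Return True/False from the NoNewPrivs: line, or None if the kernel
    does not expose it (the field appeared in Linux 4.10)."""
    for line in status_text.splitlines():
        if line.startswith("NoNewPrivs:"):
            return line.split(":", 1)[1].strip() == "1"
    return None


def parse_apparmor_label(attr_text: str) -> Tuple[str, str]:
    """Split 'profile (mode)' into (profile, mode); 'unconfined' has no mode."""
    text = attr_text.strip()
    if " (" in text and text.endswith(")"):
        label, mode = text.rsplit(" (", 1)
        return label, mode[:-1]
    return text, ""


def transition_advice(no_new_privs: Optional[bool]) -> str:
    """Map the flag to the variant the thread says applies (assumption:
    this mirrors intrigeri's description, not a kernel rule encoded here)."""
    if no_new_privs is None:
        return "unknown: kernel does not report NoNewPrivs"
    if no_new_privs:
        return "NNP set: only the namespace variant of the Glycin profiles applies"
    return "NNP not set: either variant of the Glycin profiles can be used"


def inspect_pid(pid: int) -> dict:
    """Read the live flags for one pid (Linux only; hypothetical helper)."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as f:
        nnp = parse_no_new_privs(f.read())
    label, mode = None, None
    for path in (f"/proc/{pid}/attr/apparmor/current",
                 f"/proc/{pid}/attr/current"):
        try:
            with open(path, encoding="utf-8") as f:
                label, mode = parse_apparmor_label(f.read())
            break
        except OSError:
            continue
    return {
        "pid": pid,
        "no_new_privs": nnp,
        "apparmor_label": label,
        "apparmor_mode": mode,
        "advice": transition_advice(nnp),
    }


if __name__ == "__main__":
    target = int(sys.argv[1]) if len(sys.argv) > 1 else None
    if target is None:
        # No pid given: demonstrate the parsers on the constructed sample.
        print("sample NoNewPrivs:", parse_no_new_privs(SAMPLE_STATUS))
        print(transition_advice(parse_no_new_privs(SAMPLE_STATUS)))
    else:
        for key, value in inspect_pid(target).items():
            print(f"{key}: {value}")
```

Point it at the pid of a running Glycin loader (or at the bwrap process that launched it) to see whether the non-namespace profile variant is even an option for that process before spending time on it.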