[pkg-apparmor] Interest in backporting AppArmor 5 to Trixie once released?
Aaron Rainbolt
arraybolt3 at gmail.com
Fri Apr 10 02:33:31 BST 2026
On Thu, 09 Apr 2026 11:53:02 +0200
intrigeri <intrigeri at debian.org> wrote:
> Hi Aaron,
>
> intrigeri (2026-04-01):
> > Aaron Rainbolt (2026-03-31):
> >> On Tue, 31 Mar 2026 13:43:20 +0200
> >> intrigeri <intrigeri at debian.org> wrote:
>
> >>> - Help with the current Glycin + bwrap vs. AppArmor mess
> >>> (starting point: #1127935, I can provide more context and
> >>> point to what I think would be the best solution, if desired; the
> >>> next item on this list can also help determine how much effort
> >>> this is worth)
> >>
> >> That looks interesting. Whonix currently uses loupe as our image
> >> viewer specifically because it uses Glycin which provides
> >> sandboxed rendering, so getting that working right upstream sounds
> >> like something we should do.
> >
> > OK, then this would be, by far, the best way to support my AppArmor
> > work at the moment, as it's the hottest topic, probably needs a few
> > hours of work, and I don't seem to find them.
> >
> > The way I would approach it would be to provide a set of profiles
> > that app profiles can use for this. I would start from
> > https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/namespaces/glycin,
> > i.e. the namespace version of their solution, that works for
> > processes even if they have NNP set, and adjust this as needed for
> > usage outside of roddhjav/apparmor.d.
> >
> > For inspiration, I've done something similar already there, albeit
> > without using the namespace version (which only works for processes
> > that don't have NNP set):
> > https://gitlab.torproject.org/tpo/applications/torbrowser-launcher/-/merge_requests/42
> >
> > I would propose this new set of profiles upstream and backport to
> > Debian. I would use different profile & file names from
> > roddhjav/apparmor.d's to avoid conflicts.
> >
> > For more context, background, and inspiration:
> >
> > - https://apparmor.pujol.io/development/internal/#no-new-privileges
> > - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127671
> > - https://github.com/roddhjav/apparmor.d/issues/881
> > - https://salsa.debian.org/gnome-team/extras/evince/-/merge_requests/10
> >
>
> Did you get an opportunity to look into this?

Not yet, got slammed by a bunch of code review tasks and some
vulnerability bug reporting stuff. It's not fallen off my todo list, I
will get to it as soon as I reasonably can.
--
Aaron