[pkg-apparmor] Bug#1127935: evince: AppArmor profile doesn't allow running bwrap
intrigeri
intrigeri at debian.org
Tue Feb 24 15:55:11 GMT 2026
Hi,
Simon McVittie (2026-02-20):
> Any package that has a non-trivial AppArmor profile and uses gdk-pixbuf,
> such as papers, will need something similar. Perhaps the AppArmor team
> could help to generalize this into something that isn't a sandbox
> escape, and doesn't require something this extensive in every affected
> package?
If we determine it's worth the effort (#1128767), yes, I'm happy to
help (which could include trying to pull more skilled people and
coordinating the work).
A good next step could be to check if we have affected packages whose
policy is useful enough to be worth the effort. I'm adding this to my
list. Either I find time for it tomorrow or it'll have to wait until
mid-March, so help is welcome.
> (I do find myself wondering whether the AppArmor profiles for evince and
> papers actually protect us against anything: they allow enough things
> that I imagine there's probably at least one sandbox escape available
> already. Identifying and isolating the particularly high-risk parts,
> like glycin does, or isolating entire apps, like Flatpak does, are
> probably better ways in the long term.)
+1
Cheers,
--
intrigeri