[pkg-apparmor] "WARNING: Glycin running without sandbox" when AppArmor profile doesn't allow the sandbox to work

intrigeri intrigeri at debian.org
Tue Feb 24 15:59:31 GMT 2026


Hi,

Simon McVittie (2026-02-22):
> For the other affected apps such as libreoffice and papers, I think the 
> solution will have to involve either extending their AppArmor profiles 
> so that the sandboxed image loaders can work (if the AppArmor profile is 
> providing value), or removing/disabling the AppArmor profile (if it 
> isn't practically helpful to mitigate/prevent attacks and is only 
> causing us problems).

IIRC I've seen a comment somewhere in a discussion on an issue or PR
in the https://github.com/roddhjav/apparmor.d/ project that said it
was possible to force Glycin to turn off its sandboxing, by denying
1 of the accesses it was using on startup to check if sandboxing
was possible.

This is clearly a poor long-term choice, but if a 1-liner quick fix
implements this (bringing us back to where we were 2 weeks ago in
terms of security and bugs), it might buy us some time while we figure
out how we want to approach the whole thing.

I'll try to find this workaround tomorrow.

Cheers,
-- 
intrigeri


