Bug#846966: [pkg-apparmor] Bug#846966: evince: Please make the AppArmor profile support merged-/usr systems

Michael Biebl email at michaelbiebl.de
Mon Dec 5 12:51:25 UTC 2016


On 05.12.2016 at 09:57, intrigeri wrote:
> Michael Biebl:
>> Somehow this feels like it should be solved within apparmor itself by
>> resolving symlinks.
> 
> Thanks for thinking about it. Perhaps I've misunderstood what you
> mean, so here's my take on it. We need this patch precisely because
> AppArmor resolves symlinks: when Evince runs /bin/gzip, that's
> effectively a symlink to /usr/bin/gzip on a merged-/usr system, the
> path AppArmor takes into account is /usr/bin/gzip.

Mind you, I don't know how apparmor actually works.
This is my idea basically: say you have an apparmor profile which
contains /bin/foo.
When that profile file is read by the apparmor profile parser, you check
for symlinks in those paths.
The parser notices on a merged user system that /bin is a path to
/usr/bin, so it adds /bin/foo and /usr/bin/foo to the whitelist.




-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
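
The parse-time expansion proposed in the message above, sketched as an added example; it is not code from AppArmor, the evince package, or either correspondent. The helper names, the `ixr` permission string and the throwaway merged-/usr tree are constructed for illustration, and only leading directory components are resolved.

```python
import os
import tempfile

GLOB_CHARS = set("*?[{")  # glob metacharacters; resolution stops at the first one


def expand_rule_path(rule_path, root="/"):
    """Return [rule_path] plus the alias reached by resolving symlinked leading
    directories under root. Hypothetical helper, not AppArmor parser code."""
    trailing = "/" if rule_path.endswith("/") and rule_path != "/" else ""
    parts = rule_path.strip("/").split("/")
    literal = []
    for part in parts[:-1]:          # the final component is never resolved
        if GLOB_CHARS & set(part):
            break
        literal.append(part)
    real_root = os.path.realpath(root)
    real_dir = os.path.realpath(os.path.join(real_root, *literal))
    rel = os.path.relpath(real_dir, real_root)
    if rel == ".." or rel.startswith(".." + os.sep):
        return [rule_path]           # symlink leaves root: no alias to express
    head = [] if rel == "." else rel.split(os.sep)
    alias = "/" + "/".join(head + parts[len(literal):]) + trailing
    return [rule_path] if alias == rule_path else [rule_path, alias]


def expand_profile_rules(lines, root="/"):
    """Duplicate each unquoted file rule for every alias of its path."""
    out = []
    for line in lines:
        body = line.strip()
        if not body.startswith("/"):
            out.append(line)         # includes, comments, quoted paths: untouched
            continue
        indent = line[: len(line) - len(line.lstrip())]
        path, _, perms = body.partition(" ")
        out.extend(f"{indent}{p} {perms}" for p in expand_rule_path(path, root))
    return out


def build_merged_usr_tree():
    """Constructed sample: a throwaway root where /bin is a symlink to usr/bin."""
    root = tempfile.mkdtemp(prefix="merged-usr-")
    os.makedirs(os.path.join(root, "usr", "bin"))
    open(os.path.join(root, "usr", "bin", "gzip"), "w").close()
    os.symlink("usr/bin", os.path.join(root, "bin"))
    return root


if __name__ == "__main__":
    sample = ["  #include <abstractions/base>", "  /bin/gzip ixr,"]  # constructed
    print("\n".join(expand_profile_rules(sample, build_merged_usr_tree())))
```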
