[Pkg-privacy-maintainers] Glycin vs. AppArmor: fix available in sid

intrigeri intrigeri at debian.org
Mon Jun 1 13:06:44 BST 2026


Hi,

I've tried to Cc all interested parties. Please consider trimming down
the list of Cc upon reply, thanks!

Thanks to the work by Aaron Rainbolt, the apparmor.d project, and
multiple other AppArmor contributors, we now have a way to allow an
AppArmor-confined app to use Glycin's bwrap-based sandboxing
mechanism. I understand the chosen approach has some drawbacks which
I don't fully understand, but it does seem to work.

To do so, ensure the app's profile has this line:

    include if exists <abstractions/glycin>

On systems that lack this abstraction (e.g. Trixie or older
testing/sid), this will be a no-op.

On systems that do have this abstraction (i.e. apparmor >= 4.1.7-3
which I've just uploaded), this should fix the problem tracked in the
bug reports I'm sending this email to. If it doesn't, please let
me know!

I intend to do that work upstream for torbrowser-launcher.
I can't commit to do it for other packages.

Thanks a lot for your patience,
-- 
intrigeri
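
A check for the include line described in the message above, added here as an example; it is not part of the original email or of any package. It reports whether a profile carries the line and whether the line takes effect or is a no-op on the current system. The function names are hypothetical, and the default directory is an assumption: that `<abstractions/glycin>` resolves under /etc/apparmor.d.

```shell
#!/bin/sh
# Added example: classify AppArmor profiles by their use of the glycin abstraction.
# Assumption: <abstractions/glycin> resolves under the AppArmor configuration
# directory, taken here to be /etc/apparmor.d unless another one is given.

# has_glycin_include FILE: succeed if FILE contains the conditional include.
# Both the "include" and the older "#include" spellings are accepted.
has_glycin_include() {
    grep -Eq '^[[:space:]]*#?include[[:space:]]+if[[:space:]]+exists[[:space:]]+<abstractions/glycin>' "$1"
}

# glycin_status FILE [CONFDIR]: print one of
#   missing - the profile does not have the conditional include line
#   noop    - the line is present but the abstraction file is not installed
#   active  - the line is present and the abstraction file exists
glycin_status() {
    profile=$1
    confdir=${2:-/etc/apparmor.d}
    if ! has_glycin_include "$profile"; then
        echo missing
    elif [ -f "$confdir/abstractions/glycin" ]; then
        echo active
    else
        echo noop
    fi
}

# Stand-alone use: report on every profile path given on the command line.
for p in "$@"; do
    printf '%s: %s\n' "$p" "$(glycin_status "$p")"
done
```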


