[Pkg-privacy-maintainers] Glycin vs. AppArmor: fix available in sid
Vincent Lefevre
vincent at vinc17.net
Mon Jun 1 15:36:51 BST 2026

Hi,

I'm taking the example of LibreOffice below, but other apps may
be in the same case. Note that I'm just an end user.

On 2026-06-01 14:06:44 +0200, intrigeri wrote:
> I've tried to Cc all interested parties. Please consider trimming down
> the list of Cc upon reply, thanks!
>
> Thanks to the work by Aaron Rainbolt, the apparmor.d project, and
> multiple other AppArmor contributors, we now have a way to allow an
> AppArmor-confined app to use Glycin's bwrap-based sandboxing
> mechanism. I understand the chosen approach has some drawbacks which
> I don't fully understand, but it does seem to work.

Thanks a lot for the work, but...

> To do so, ensure the app's profile has this line:
>
> include if exists <abstractions/glycin>

The issue is that, if you really mean the app and not the software
that uses Glycin, LibreOffice does *not* use Glycin directly, and
I suppose that it does not even know that Glycin will be used:
here, Glycin is used via the GDK Pixbuf library (a.k.a. gdk-pixbuf).
And perhaps gdk-pixbuf may no longer use Glycin in the future. So it
would be strange if the libreoffice package had to add this line.

So, how should the above line be added? Some kind of double
inclusion (the app's profile → gdk-pixbuf → abstractions/glycin)?
Or some automatic way for Glycin to add such a line to the profiles
of the apps via some kind of mechanism?
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / Pascaline project (LIP, ENS-Lyon)
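
An added example, not part of the message above and not code from AppArmor or apparmor.d: a small audit that follows `include` directives transitively and reports, for each profile, whether `abstractions/glycin` is pulled in directly, through an intermediate abstraction (the "double inclusion" case asked about), or not at all. The sample tree is constructed, and every name in it except `abstractions/glycin` is hypothetical; on a real system `base` would be the AppArmor include directory, typically `/etc/apparmor.d`.

```python
import re
import tempfile
from pathlib import Path

# Matches `include <x>`, legacy `#include <x>` and `include if exists <x>`.
INCLUDE_RE = re.compile(r"^\s*#?include\s+(?:if\s+exists\s+)?<([^>]+)>", re.M)

def includes_of(path: Path) -> list[str]:
    return INCLUDE_RE.findall(path.read_text(errors="replace"))

def reachable(profile: Path, base: Path) -> set[str]:
    """All <...> include names reachable from profile, resolved under base."""
    seen, stack = set(), [profile]
    while stack:
        path = stack.pop()
        if path.is_dir():  # `include <foo.d>` pulls in every file in the directory
            stack.extend(p for p in path.iterdir() if p.is_file())
        elif path.is_file():  # a missing `if exists` target is simply skipped
            new = set(includes_of(path)) - seen
            seen |= new
            stack.extend(base / n for n in new)
    return seen

def audit(base: Path, target: str = "abstractions/glycin") -> dict[str, str]:
    """Label each top-level profile file as direct, indirect or missing."""
    report = {}
    for prof in sorted(p for p in base.iterdir() if p.is_file()):
        direct = target in includes_of(prof)
        via = target in reachable(prof, base)
        report[prof.name] = "direct" if direct else "indirect" if via else "missing"
    return report

def build_sample(root: Path) -> Path:
    """Constructed tree; every name except abstractions/glycin is hypothetical."""
    (root / "abstractions").mkdir(parents=True)
    files = {
        "abstractions/glycin": "# constructed stand-in for the real abstraction\n",
        "abstractions/example-loader": "include if exists <abstractions/glycin>\n",
        "app-direct": "profile a /usr/bin/a {\n  include if exists <abstractions/glycin>\n}\n",
        "app-indirect": "profile b /usr/bin/b {\n  #include <abstractions/example-loader>\n}\n",
        "app-missing": "profile c /usr/bin/c {\n  include <abstractions/base>\n}\n",
    }
    for name, text in files.items():
        (root / name).write_text(text)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit(build_sample(Path(tmp))))
```

The audit only shows that the include line is referenced; it does not check that the abstraction file is installed or that the loaded policy was rebuilt from it.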