[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Let's enable AppArmor by default (why not?)

On 08/05/2017 01:31 AM, intrigeri wrote:
> What's the cost for package maintainers?
> ----------------------------------------
> For most of them: none at all. As said earlier, our AppArmor policy
> does not cover that much software yet.

So how will bug reports work? For instance I turned it on and now I see
a bunch of warnings[1] from Thunderbird and a bunch of actual failures
when opening links (which is completely broken), because Thunderbird
cannot exec google-chrome-beta. What about integration issues where a
browser should be able to register itself as a browser and hence be
available from applications that try to open links?

Right now thunderbird's profile is owned by thunderbird. Is
thunderbird's maintainer expected to deal with all of these issues?
Should there be some kind of tool where the apparmor team could
aggregate the updates? (I.e. routinely review denies?)

Kind regards
Philipp Kern

[1] e.g.
[ 3459.624852] audit: type=1400 audit(1509283082.571:59):
apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg"
name="/usr/share/thunderbird/omni.ja" pid=24720 comm="gpg2"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

[2] e.g.
[ 3795.153239] audit: type=1400 audit(1509283418.100:64):
apparmor="DENIED" operation="exec" profile="thunderbird"
name="/opt/google/chrome-beta/google-chrome-beta" pid=31896
comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: