Re: Let's enable AppArmor by default (why not?)

Hi Carsten,

thanks for your reply!

On 10/31/2017 07:54 AM, Carsten Schoenert wrote:
> For Thunderbird intrigeri and myself came to the conclusion that
> especially for the apparmor profile someone from the apparmor team
> should be able to contribute changes to the profile directly to the git
> tree. So intrigeri has become a member of the pkg-mozilla group to be
> able to push changes by himself. I trust intrigeri enough that he will
> do good contributions. For now it's the best we can do. This at all is
> for sure improvable and we should talk about this on upcoming Debian
> events or directly via email.

Okay, filed the bugs, let's see where they go. :) I was especially
concerned about the browser part.

> ...
>> [1] e.g.
>> [ 3459.624852] audit: type=1400 audit(1509283082.571:59):
>> apparmor="DENIED" operation="file_inherit" profile="thunderbird//gpg"
>> name="/usr/share/thunderbird/omni.ja" pid=24720 comm="gpg2"
>> requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Filed as #880425[1].

>> [2] e.g.
>> [ 3795.153239] audit: type=1400 audit(1509283418.100:64):
>> apparmor="DENIED" operation="exec" profile="thunderbird"
>> name="/opt/google/chrome-beta/google-chrome-beta" pid=31896
>> comm="thunderbird" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Filed as #880424[0]. I think there is a deeper question here as to how
to handle the browser abstraction for AppArmor in general.

> I suggest to open a bug report for each of such issues against
> thunderbird with a description what was done and what was expected.

As above. :)

Kind regards and thanks
Philipp Kern

[0] https://bugs.debian.org/880424
[1] https://bugs.debian.org/880425
