On 03.12.2017 02:57, Ben Caradoc-Davies wrote:
> On 02/12/17 23:43, Alexander V. Makartsev wrote:
>> Now, when I hit this buggy profile problem, I'm thinking about how to
>> deal with these problems in the future for other applications.
>> After consulting the AppArmor manual I have not found any reference
>> about how to override an AppArmor profile.
>> All profiles are placed in "/etc/apparmor.d/" and that is it, so the
>> only options are either to disable the misbehaving AppArmor profile or
>> to modify it, which is a bad option because this is a package-shipped
>> profile.
>> For example, systemd unit-files could be easily overridden without
>> resorting to modification of package-shipped unit-files.
>> Is this possible for AppArmor?
>
> Yes, there is aa-complain in the apparmor-utils package, but this
> was itself buggy when I used it for thunderbird:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047
>
> Kind regards,

If I understood this correctly, aa-complain will only switch the profile
to "complain mode" (log, but don't block). This is effectively the
same as disabling the profile, which is not a good solution.
"aa-complain" is useful for debugging and writing my own profiles,
but it won't be as useful when a partially broken profile is coming
from a package, because any user modifications will be overwritten
after package updates.
--
With kindest regards, Alexander.
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀