[apparmor] [Merge] lp:~serge-hallyn/apparmor-profiles/apparmor-profiles into lp:apparmor-profiles
Seth Arnold
seth.arnold at canonical.com
Thu Apr 14 18:52:40 UTC 2016
While this is certainly better than no profile, there's a lot of fairly
wide permissions added:
+ /usr/lib/** r,
+ /lib/** r,
+ /usr/share/** r,
<abstractions/base> ought to include a huge number of libraries already --
what else was needed in /usr/lib, /lib, /usr/share?
+ /etc/* r,
+ unix (create, connect, receive),
+ /run/** rw,
These just seem too wide by a lot -- what's it doing with unix sockets?
Can that be reduced via peer=(label=..) rules? Which files in /etc/ did it
need? Can /run/ be constrained by uid or user or at least the 'owner'
qualifier?
+ /dev/null rw,
+ network inet,
Heh I'm surprised these were needed explicitly.
Any chance this could be closed a bit further?
Thanks
--
https://code.launchpad.net/~serge-hallyn/apparmor-profiles/apparmor-profiles/+merge/291919
Your team AppArmor Developers is requested to review the proposed merge of lp:~serge-hallyn/apparmor-profiles/apparmor-profiles into lp:apparmor-profiles.
More information about the AppArmor
mailing list