[apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?
John Johansen
john.johansen at canonical.com
Sat Jul 1 23:41:26 UTC 2017
On 07/01/2017 12:17 AM, Vincas Dargis wrote:
> 2017.07.01 00:56, John Johansen wrote:
>> For a tighter policy where enumerating other application etc is not
>> allowed then we would want to block access. I don't think we can do
>> that well with applications like firefox until support for delegation
>> lands.
>
> Interesting, what is this mentioned "delegation" ?
>
Delegation will allow an application to delegate some of its authority
(permissions) to other confined task.
So for example an external file picker could be used to allow the user to
choose files, and then delegate that access to firefox, so that the firefox
profile does not need to be given broad access to the users directory.
For various reasons stacking (think of it as the intersection of profiles
and hence a way to reduce permissions) has had to land first. That has largely
happened (4.13 will have most of what is needed) and hopefully the remaining
issues will be landed by 4.14.
More information about the AppArmor
mailing list