[apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?
John Johansen
john.johansen at canonical.com
Sun Jul 2 00:22:31 UTC 2017
On 07/01/2017 04:41 PM, John Johansen wrote:
> On 07/01/2017 12:17 AM, Vincas Dargis wrote:
>> 2017.07.01 00:56, John Johansen wrote:
>>> For a tighter policy where enumerating other application etc is not
>>> allowed then we would want to block access. I don't think we can do
>>> that well with applications like firefox until support for delegation
>>> lands.
>>
>> Interesting, what is this mentioned "delegation" ?
>>
>
> Delegation will allow an application to delegate some of its authority
> (permissions) to other confined task.
>
> So for example an external file picker could be used to allow the user to
> choose files, and then delegate that access to firefox, so that the firefox
> profile does not need to be given broad access to the users directory.
>
> For various reasons stacking (think of it as the intersection of profiles
> and hence a way to reduce permissions) has had to land first. That has largely
> happened (4.13 will have most of what is needed) and hopefully the remaining
> issues will be landed by 4.14.
>
So just to flesh the answer out a little bit more, the documentation is
still very much a wip
stacking is very much intertwined with how apparmor is using policy
namespaces, so you will notice a fair bit of cross referencing between
the documentation of each
http://wiki.apparmor.net/index.php/AppArmorStacking
The delegation documentation is a lot rougher but there is start at
http://wiki.apparmor.net/index.php/AppArmorDelegation
More information about the AppArmor
mailing list