[apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?

Simon McVittie smcv at collabora.com
Fri Jun 30 19:16:38 UTC 2017


On Fri, 30 Jun 2017 at 20:20:33 +0200, intrigeri wrote:
> Diane Trout:
> > I was updating my browser profiles and saw firefox was trying to load some
> > flatpak mime exports.
> 
> > Should the apparmor profiles allow those?

Anything in /var/lib/flatpak/exports/share or
~/.local/share/flatpak/exports/share is essentially equivalent to
the corresponding path in /usr/{local/,}share, and is something
that has deliberately been "exported" to the rest of the system by a
Flatpak-confined app. The most common thing to "export" is the
app's .desktop file, so that it can be included in menus, considered
as a potential MIME-type or URI-scheme handler and so on.

The only reason to prevent reading those directories would be if you do
not want the AppArmor-confined app to be able to enumerate the other
software you have installed on your system, as an anti-fingerprinting
mechanism.

    S
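
An added example, not part of the original message or of AppArmor's shipped abstractions: a simplified Python matcher for AppArmor path globs that checks whether a set of read rules covers the two Flatpak export directories named above. The rule text, the sample .desktop path and the /home/user home directory are constructed, and the owner qualifier and deny rules are not modelled.

```python
import re

# Constructed rules for illustration; not copied from a shipped abstraction.
BEFORE = """
/usr/{local/,}share/applications/** r,
owner @{HOME}/.local/share/applications/** r,
"""
# Same rules plus the two Flatpak export locations named in the message.
AFTER = BEFORE + """
/var/lib/flatpak/exports/share/applications/** r,
owner @{HOME}/.local/share/flatpak/exports/share/applications/** r,
"""
HOME = "/home/user"  # assumed value for @{HOME}
EXPORTS = [  # constructed sample paths of an exported .desktop file
    "/var/lib/flatpak/exports/share/applications/org.example.App.desktop",
    HOME + "/.local/share/flatpak/exports/share/applications/org.example.App.desktop",
]

def glob_to_regex(glob, home=HOME):
    """Simplified AppArmor glob: ** crosses '/', * and ? do not, {a,b} alternates."""
    glob = glob.replace("@{HOME}", home)
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out.append(".*"); i += 2; continue
        if c == "*": out.append("[^/]*")
        elif c == "?": out.append("[^/]")
        elif c == "{": out.append("(?:"); depth += 1
        elif c == "}": out.append(")"); depth -= 1
        elif c == "," and depth: out.append("|")
        else: out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def readable(rules, path):
    """True if any rule grants 'r' on path (owner qualifier and deny rules ignored)."""
    for line in rules.splitlines():
        tok = line.strip().rstrip(",").split()
        if tok[:1] == ["owner"]:
            tok = tok[1:]
        if len(tok) == 2 and "r" in tok[1] and glob_to_regex(tok[0]).fullmatch(path):
            return True
    return False

def report(rules):
    """Map each sample export path to whether the rules allow reading it."""
    return {p: readable(rules, p) for p in EXPORTS}

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, report(rules))
```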


