[apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master
Steve Beattie
sbeattie at ubuntu.com
Thu Oct 26 05:28:33 UTC 2017
Review: Approve
Can PUx be used for bwrap instead, to scrub the environment before invoking bubblewrap? Unconfined execution without environment scrubbing (of e.g. LD_LIBRARY_PATH) is really problematic.
Otherwise, looks good to me. I'm merging with the following changes
- convert bwrap permission to scrub environment variables (PUx)
- add "owner @{HOME}/.cache/totem/ rw," to the totem abstraction, to cover the additional rejection Vincas reported.
If it turns out bwrap really does need unfiltered environment variables, then please report back and we can adjust.
Thanks!
--
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332769
Your team AppArmor Developers is subscribed to branch apparmor-profiles:master.
More information about the AppArmor
mailing list