[apparmor] [Merge] ~talkless/apparmor-profiles:fix-thunderbird-attachements into apparmor-profiles:master
Simon Déziel
simon.deziel at gmail.com
Thu Oct 26 19:51:59 UTC 2017
> On 2017.10.26 20:10, Simon Déziel wrote:
> > The only way to have evince locked in its own profile was to explicitly add
> > "/usr/bin/evince Px," to the TB profile. Adding that same line to
> > abstractions/ubuntu-helpers didn't work.
>
> abstractions/ubuntu-helpers is basically (ignoring comments)
>
> profile sanitized_helper {
> [...]
> }
>
> My guess is that you added the evince Px rule inside sanitized_helper, but
> you'd need to add it outside of it (well, unless you want to apply it to the
> case "a program running under sanitized_helper starts evince" ;-)
Yes, you've spotted my error :)
> That said - IMHO abstractions/ubuntu-helpers should stay as is, and such Px
> rules should go into a separate abstraction which users of sanitized_helper
> could or could not include.
It makes sense and I proposed this in LP: #1042771 for Firefox. For TB, simply
adding "/usr/bin/evince Px," would work. Vincas, do you want to add that here or
should I send another MP?
--
https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332870
Your team AppArmor Developers is requested to review the proposed merge of ~talkless/apparmor-profiles:fix-thunderbird-attachements into apparmor-profiles:master.