[apparmor] What to do about bubblewrap started from apps confined with AppArmor?

intrigeri intrigeri at debian.org
Wed Sep 20 11:15:20 UTC 2017


Hi,

on current Debian sid, Totem tries to use bubblewrap (/usr/bin/bwrap).
I've not investigated why yet but I suspect it's part of the GNOME
project's much welcome effort to sandbox dangerous things
like thumbnailers.

bubblewrap sets up Linux namespaces and other stuff that makes it
essentially need full admin access, which is kinda by design for this
kind of sandboxing wrappers (not sure if userns would change anything
to that, anyway that's off-topic right now).

To give you a better idea, here's a named profile suitable for:

  /usr/bin/bwrap Cx -> bwrap,

… that's enough to get rid of all bwrap-related AppArmor errors in my
logs when using Totem:

  profile bwrap flags=(attach_disconnected) {
    #include <abstractions/base>

    capability net_admin,
    capability setgid,
    capability setpcap,
    capability setuid,
    capability sys_admin,
    capability sys_chroot,

    @{PROC}/@{pid}/mountinfo r,
    @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/setgroups rw,
    owner @{PROC}/@{pid}/{gid,uid}_map rw,
    @{PROC}/sys/kernel/overflow{gid,uid} r,

    /run/user/[0-9]*/.bubblewrap/{old,new}root/ rw,
    /run/user/[0-9]*/.bubblewrap/{old,new}root/usr/ rw,

    /{old,new}root/** rw,

    /usr/bin/bwrap mr,
  }

At this point I wonder if it's worth our time to write and maintain
a profile for /usr/bin/bwrap. My current take of it is: probably not.

I'll send a merge request later today that allows Totem to run bwrap
in a fully unconfined manner; this should be good enough at least on
the short term, and I think only Debian ships this profile so far so
perhaps most list subscribers don't care much. But I bet this
situation will occur again in more commonly used profiles, so let's
make up our mind about it now :)

Thoughts?

Cheers,
-- 
intrigeri
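As an added illustration (not from intrigeri's post or the AppArmor project), the following Python script automates the step the post describes by hand: collecting AppArmor DENIED audit events for one named profile (here bwrap) and collapsing them into deduplicated candidate rules. The audit lines are constructed sample data, and generalising /proc/PID/ to @{PROC}/@{pid}/ is an assumption chosen to match the posted profile's style.

```python
"""Collapse AppArmor DENIED audit events for one profile into candidate rules."""
import re

# Constructed sample auditd lines (not taken from the original post); the
# field layout follows AppArmor's audit format, but every value is made up.
SAMPLE_LOG = """\
type=AVC msg=audit(1505905000.123:42): apparmor="DENIED" operation="capable" profile="bwrap" pid=1234 comm="bwrap" capability=21  capname="sys_admin"
type=AVC msg=audit(1505905000.124:43): apparmor="DENIED" operation="capable" profile="bwrap" pid=1234 comm="bwrap" capability=18  capname="sys_chroot"
type=AVC msg=audit(1505905000.125:44): apparmor="DENIED" operation="open" profile="bwrap" name="/proc/1234/mountinfo" pid=1234 comm="bwrap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=AVC msg=audit(1505905000.126:45): apparmor="DENIED" operation="open" profile="bwrap" name="/proc/1234/uid_map" pid=1234 comm="bwrap" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1505905000.127:46): apparmor="DENIED" operation="open" profile="bwrap" name="/proc/1234/uid_map" pid=1234 comm="bwrap" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
type=AVC msg=audit(1505905000.128:47): apparmor="DENIED" operation="open" profile="totem" name="/home/user/.cache/thumbnails/" pid=999 comm="totem" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

# key=value pairs; values are either "quoted" (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return one audit line's fields as a dict, quotes stripped."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def candidate_rules(log_text, profile):
    """Deduplicate DENIED events for `profile` into AppArmor rule strings.

    Capability denials become `capability NAME,`; file denials become
    `PATH MODE,` with masks of repeated denials on one path merged. The pid
    in /proc paths is generalised to @{PROC}/@{pid}/ (assumed rule style).
    """
    caps, files = set(), {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get('apparmor') != 'DENIED' or f.get('profile') != profile:
            continue  # other profiles' denials are someone else's problem
        if f.get('operation') == 'capable' and 'capname' in f:
            caps.add(f['capname'])
        elif 'name' in f and 'denied_mask' in f:
            path = re.sub(r'^/proc/\d+/', '@{PROC}/@{pid}/', f['name'])
            files[path] = files.get(path, set()) | set(f['denied_mask'])
    rules = [f'capability {c},' for c in sorted(caps)]
    for path in sorted(files):
        mode = ''.join(ch for ch in 'rwxmlk' if ch in files[path])
        rules.append(f'{path} {mode},')
    return rules

if __name__ == '__main__':
    for rule in candidate_rules(SAMPLE_LOG, 'bwrap'):
        print(rule)
```

The output is only a starting point for review: each candidate rule, especially a capability, still needs a human decision on whether the profile should grant it.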
