[apparmor] What to do about bubblewrap started from apps confined with AppArmor?
Simon McVittie
smcv at collabora.com
Wed Sep 20 15:50:02 UTC 2017
On Wed, 20 Sep 2017 at 16:53:19 +0200, intrigeri wrote:
> Simon McVittie:
> > I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so
> > I would expect it to want to execute the wrapped thumbnailer?
>
> Same here! It would be awesome if someone investigated why/how exactly
> Totem now uses bwrap.
I don't see any mentions of bwrap in totem's source code, so presumably
it's via gnome-desktop3, which now wraps thumbnailers with bwrap
(libgnome-desktop/gnome-desktop-thumbnail-script.c). That would mean it's
executing some thumbnailer listed in the Exec line of one of the files
matching /usr/share/thumbnailers/*.thumbnailer, most likely
totem-video-thumbnailer.
So I'm surprised it could work without the bwrap child profile
having "/usr/bin/totem-video-thumbnailer Pix" or something (and perhaps
other thumbnailers but Totem's own is the main one).
smcv
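To check the point raised above (which thumbnailers gnome-desktop's bwrap wrapper could end up executing, and therefore which binaries a bwrap child profile would have to be allowed to exec), here is an added shell example. It is not code from the thread, from gnome-desktop or from the AppArmor project: it reads the Exec= lines of *.thumbnailer files in the same way a sandbox author would audit /usr/share/thumbnailers, and emits AppArmor exec rules using the "Pix" transition mentioned in the message. The sample .thumbnailer files are constructed inline so the script runs offline; the assumption that a bare command name in Exec= resolves to /usr/bin is mine, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate the thumbnailer binaries
# that gnome-desktop's bwrap wrapper could exec, by reading the Exec= lines
# of *.thumbnailer files, and print the AppArmor exec rules a bwrap child
# profile would need for them.

# Write a constructed sample directory standing in for
# /usr/share/thumbnailers so the script can be run without the real files.
make_sample_thumbnailers() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/totem.thumbnailer" <<'EOF'
[Thumbnailer Entry]
TryExec=totem-video-thumbnailer
Exec=totem-video-thumbnailer -s %s %u %o
MimeType=video/mp4;video/x-matroska;
EOF
    cat > "$dir/evince.thumbnailer" <<'EOF'
[Thumbnailer Entry]
TryExec=/usr/bin/evince-thumbnailer
Exec=/usr/bin/evince-thumbnailer -s %s %u %o
MimeType=application/pdf;
EOF
}

# Print the program named by the first word of each Exec= line, one per
# line, deduplicated. Assumption (mine, not the thread's): a bare command
# name is resolved against /usr/bin.
thumbnailer_exec_paths() {
    dir="$1"
    for f in "$dir"/*.thumbnailer; do
        [ -f "$f" ] || continue
        cmd=$(sed -n 's/^Exec=//p' "$f" | head -n 1 | cut -d' ' -f1)
        [ -n "$cmd" ] || continue
        case "$cmd" in
            /*) printf '%s\n' "$cmd" ;;
            *)  printf '/usr/bin/%s\n' "$cmd" ;;
        esac
    done | sort -u
}

# Turn those paths into exec rules for the bwrap child profile, using the
# "Pix" transition the message suggests (profile transition, falling back
# to inheriting the current profile if no dedicated profile exists).
thumbnailer_exec_rules() {
    thumbnailer_exec_paths "$1" | sed 's/^/  /; s/$/ Pix,/'
}

# Demo on the constructed sample. On a real system, point the two
# functions at /usr/share/thumbnailers instead.
sample=$(mktemp -d)
make_sample_thumbnailers "$sample"
thumbnailer_exec_rules "$sample"
rm -rf "$sample"
```

The rules printed are only the exec transitions; the child profile would still need whatever file access the thumbnailer itself requires inside the bwrap mount namespace, which this script does not attempt to derive.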