[apparmor] What to do about bubblewrap started from apps confined with AppArmor?

Seth Arnold seth.arnold at canonical.com
Wed Sep 20 20:36:41 UTC 2017


On Wed, Sep 20, 2017 at 01:15:20PM +0200, intrigeri wrote:
> At this point I wonder if it's worth our time to write and maintain
> a profile for /usr/bin/bwrap. My current take of it is: probably not.

I think it is; first, this does raise the question of why is whatever it
is that it executes not listed in this profile? Getting to the bottom of
that is already a good start. :)

Once that's sorted out, I think it'll be good to have a list of things
that might possibly have access to all the above privileges in the event
bugs are found in bwrap, and confine those things according to the
privileges they may actually need.

Thanks