[apparmor] RFC: handling xdg-open and similar helpers
Simon McVittie
smcv at collabora.com
Fri Jan 26 12:47:34 UTC 2018
On Fri, 26 Jan 2018 at 09:06:15 +0100, intrigeri wrote:
> regardless of the exact sandboxing technology
> that's used to confine the app, in any case we need to teach the apps
> (or some underlying toolkit) to send IPC requests instead of executing
> programs themselves.

This sounds suspiciously like portals: it's usually GTK or GLib, not the
application, that detects that it's confined by Flatpak (or in principle
something else) and talks to a portal instead of doing more of the work
itself.

AppArmor is probably too low-level to benefit from that sort of thing,
but a higher-level technology built on it (like Snap) is well-placed to
do the same tricks that Flatpak does to interpose portals between
security contexts.

    smcv