[Ubuntu-phone] Can we make renames work?
Jamie Strandboge
jamie at canonical.com
Thu May 21 13:18:27 UTC 2015
On 05/21/2015 05:16 AM, Martin Pitt wrote:
> Oliver Grawert [2015-05-20 17:22 +0200]:
>> couldn't we do something with ACLs here ... leave the dirs writeable,
>> apply a read only ACL setup to all files with a small set of
>> exceptions ?
>
> Yes, I like that idea. AppArmor is a lot simpler to grok and maintain
> (globs!) than bind mount farms ;-) With a "pristine" /usr/share/etc/
> we can even autogenerate this.
>
Note that using AppArmor for this is possible only when nothing runs truly
'unconfined' (since unconfined has no restrictions). Full system confinement is
a complex topic with a significant amount of work to do correctly; let's just
say for this discussion that the current approach is easier (but we can of
course discuss this further in some appropriate forum if we want to explore this
option longer term).
--
Jamie Strandboge http://www.ubuntu.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/snappy-devel/attachments/20150521/5bd98c0d/attachment.pgp>
More information about the snappy-devel
mailing list