While this is certainly better than no profile, there's a lot of fairly wide permissions added:
+ /usr/lib/** r, + /lib/** r, + /usr/share/** r, <abstractions/base> ought to include a huge number of libraries already -- what else was needed in /usr/lib, /lib, /usr/share? + /etc/* r, + unix (create, connect, receive), + /run/** rw, These just seem too wide by a lot -- what's it doing with unix sockets? Can that be reduced via peer=(label=..) rules? Which files in /etc/ did it need? Can /run/ be constrained by uid or user or at least the 'owner' qualifier? + /dev/null rw, + network inet, Heh I'm surprised these were needed explicitly. Any chance this could be closed a bit further? Thanks -- https://code.launchpad.net/~serge-hallyn/apparmor-profiles/apparmor-profiles/+merge/291919 Your team AppArmor Developers is requested to review the proposed merge of lp:~serge-hallyn/apparmor-profiles/apparmor-profiles into lp:apparmor-profiles. -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
