On 06/30/2017 11:20 AM, intrigeri wrote:
> Control: tag -1 + upstream
>
> Hi Diane,
>
> Diane Trout:
>> I was updating my browser profiles and saw firefox was trying to load some
>> flatpak mime exports.
>
>> Should the apparmor profiles allow those?
>
> Good question, thanks for raising this topic. I'm redirecting this
> discussion to the upstream AppArmor mailing list, as I think it is not
> Debian-specific.
>
> Logs are at https://bugs.debian.org/865206.
>
So this very much depends on the policy style you want. The firefox profile in its current form is very permissive, and I don't see a problem adding them to it, and an abstraction does seem the right place to do it.

For a tighter policy, where enumerating other applications etc. is not allowed, we would want to block access. I don't think we can do that well with applications like firefox until support for delegation lands, at which point we are going to have to either rework the reference policy or split it into different types dependent on your wants/needs.
