On Wed, Sep 20, 2017 at 01:15:20PM +0200, intrigeri wrote: > At this point I wonder if it's worth our time to write and maintain > a profile for /usr/bin/bwrap. My current take of it is: probably not.
I think it is; first, this does raise the question of why is whatever it is that it executes not listed in this profile? Getting to the bottom of that is already a good start. :) Once that's sorted out, I think it'll be a good to have a list of things that might possibly have access to all the above privileges in the event bugs are found in bwrap, and confine those things according to the privileges they may actually need. Thanks
signature.asc
Description: PGP signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
