Review: Approve
Can PUx be used for bwrap instead, to scrub the environment before invoking
bubblewrap? Unconfined execution without environment scrubbing (of e.g.
LD_LIBRARY_PATH) is really problematic.
Otherwise, looks good to me. I'm merging with the following changes
- convert bwrap permission to scrub environment variables (PUx)
- add "owner @{HOME}/.cache/totem/ rw," to the totem abstraction, to cover the
additional rejection Vincas reported.
If it turns out bwrap really does need unfiltered environment variables, then
please report back and we can adjust.
Thanks!
--
https://code.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/+merge/332769
Your team AppArmor Developers is subscribed to branch apparmor-profiles:master.
--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/apparmor
