Review: Approve

Wrt. LibreOffice: interestingly, both Debian and Ubuntu ship a 
usr.lib.libreofficeprogram.soffice.bin profile (enforced by default) but it 
applies to a path that is not the one we use 
(/usr/lib/libreofficeprogram/soffice.bin). That's out of scope here so let's 
stick with what Vincas proposes.

Wrt. Evince and Totem, IMO we need these rules somewhere on distros that ship 
the Evince and Totem profiles:

  /usr/bin/evince Px,
  /usr/bin/totem Px,

I see two ways to do it:

1. Adjust the existing Evince rule in 
abstractions/ubuntu-browsers.d/productivity + the existing Totem rule in 
abstractions/ubuntu-media-players, and then we include these abstractions in 
the Thunderbird profile.

2. Add these rules to the Thunderbird profile.

At first glance it feels like (1) is the cleanest way forward *but* it has a 
big drawback: it won't work as intended on distros that don't ship Evince/Totem 
profiles, which feels super wrong in abstractions that are part of the upstream 
AppArmor tarball. I think that's yet another reason to sit down, take a deep 
breath, and rethink how & where we're maintaining+shipping policy, but IMO we 
shouldn't block on this here. So I think (2) is the way to go.

The main drawback of (2) is that any distro that starts shipping the 
Thunderbird profile will need to either also ship the Evince and Totem 
profiles, or drop these two lines. In Debian that's a mere matter of adding a 
dependency on apparmor-profiles-extra. Are there other distros around that 
already ship the Thunderbird profile *and* would have a problem with this? I 
see that Ubuntu does not ship the Thunderbird profile, but what about openSUSE 
or Ubuntu future plans?

This being said, this MR already incrementally improves things, so I'll merge 
it as-is and will move the Evince/Totem discussion to a new, dedicated issue.
-- 
https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332870
Your team AppArmor Developers is requested to review the proposed merge of 
~talkless/apparmor-profiles:fix-thunderbird-attachements into 
apparmor-profiles:master.

-- 
AppArmor mailing list