Vincas Dargis:
> And no, it does not actually open files from `/usr/share/skypeforlinux/*`,
> etc.
> So, basically, what's happening here? Is it because `skypeforlinux` executed
> child process in some "special" way, or it's just "natural" way of how Linux
> applications work..?

file_inherit is about open file descriptors: they are inherited by child processes by default. AppArmor now mediates this.

> There was recent bug report for Thunderbird that child process file_inherit's
> some .js file [0]. Why on Earth it should be that special one file only,
> Thunderbird probably had opened much more files at the time of child is being run?

No idea.

> How this generally should be handled in child profiles, simply manually add
> denies..?

Yes.

> Is it possible to deny all of these file_inherit somehow?

Probably, with a wide deny rule such as (/**).

Cheers,
--
intrigeri

--
AppArmor mailing list
[email protected]
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
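The descriptor inheritance described in the reply above, as an added example that is not part of the original message: a parent opens a file, execs a child, and the child holds that file without ever opening it, which is the access a child profile sees as file_inherit. The child script and the function name `child_inherits` are constructed for this illustration.

```python
import os
import subprocess
import sys
import tempfile

# Child program (constructed for this example): report which file, if any,
# is behind the descriptor number given on the command line.
CHILD = r"""
import os, sys
try:
    st = os.fstat(int(sys.argv[1]))
    print(f"{st.st_dev}:{st.st_ino}")
except OSError:
    print("closed")
"""


def child_inherits(inheritable: bool) -> bool:
    """Open a file in the parent, exec a child, and report whether the child
    holds the same open file without ever calling open() itself."""
    with tempfile.TemporaryFile() as f:
        fd = f.fileno()
        # Python sets close-on-exec on new descriptors (PEP 446); clearing it
        # reproduces the default of a plain C open() without O_CLOEXEC.
        os.set_inheritable(fd, inheritable)
        st = os.fstat(fd)
        result = subprocess.run(
            [sys.executable, "-c", CHILD, str(fd)],
            close_fds=False,  # do not let subprocess close extra descriptors
            capture_output=True,
            text=True,
            check=True,
        )
        # Same device and inode means the child holds the parent's file.
        return result.stdout.strip() == f"{st.st_dev}:{st.st_ino}"


if __name__ == "__main__":
    print("inheritable fd visible in child:", child_inherits(True))
    print("close-on-exec fd visible in child:", child_inherits(False))
```

A descriptor marked close-on-exec in the parent never reaches the child, so it is never presented to the child's profile at all.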
