> A) drop the child profiles (groff, filter), merge their rules into the
>    main /usr/bin/man profile, and use ix instead of Cx; these rules
>    are not particularly scary so this doesn't seem crazy an option

I had a closer look and what's scary is not the rules that can be
found in the child profiles, it's the fact that if we drop the child
profiles, all processes run by man will have full access to the

  # The purpose of this profile isn't to confine man itself (that might be
  # nice in the future, but is tricky since it's quite configurable), but to
  # confine the processes it calls that parse untrusted data.
  /** mrixwlk,

… i.e. the /usr/bin/man profile would be mostly useless. So let's
forget about option A and instead choose between:

> B) remove the AppArmor profile entirely and rely on seccomp instead
> C) don't enable "no new privs" and rely on AppArmor instead

I think B is fine given all the non-AppArmor hardening efforts Colin
has been putting into man-db recently.


Reply via email to