Hi,

Simon McVittie (2026-02-20):
> Any package that has a non-trivial AppArmor profile and uses gdk-pixbuf,
> such as papers, will need something similar. Perhaps the AppArmor team
> could help to generalize this into something that isn't a sandbox
> escape, and doesn't require something this extensive in every affected
> package?

If we determine it's worth the effort (#1128767), yes, I'm happy to help (which could include trying to pull more skilled people and coordinating the work). A good next step could be to check if we have affected packages whose policy is useful enough to be worth the effort.

I'm adding this to my list. Either I find time for it tomorrow or it'll have to wait until mid-March, so help is welcome.

> (I do find myself wondering whether the AppArmor profiles for evince and
> papers actually protect us against anything: they allow enough things
> that I imagine there's probably at least one sandbox escape available
> already. Identifying and isolating the particularly high-risk parts,
> like glycin does, or isolating entire apps, like Flatpak does, are
> probably better ways in the long term.)

+1

Cheers,
-- 
intrigeri

