Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-21 Thread Simon McVittie
On Wed, 20 Sep 2017 at 13:36:41 -0700, Seth Arnold wrote: > On Wed, Sep 20, 2017 at 01:15:20PM +0200, intrigeri wrote: > > At this point I wonder if it's worth our time to write and maintain > > a profile for /usr/bin/bwrap. My current take of it is: probably not. > > I think it is; first, this

Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread Seth Arnold
On Wed, Sep 20, 2017 at 01:15:20PM +0200, intrigeri wrote: > At this point I wonder if it's worth our time to write and maintain > a profile for /usr/bin/bwrap. My current take of it is: probably not. I think it is; first, this does raise the question of why is whatever it is that it executes not

Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread John Johansen
On 09/20/2017 04:15 AM, intrigeri wrote: > Hi, > > on current Debian sid, Totem tries to use bubblewrap (/usr/bin/bwrap). > I've not investigated why yet but I suspect it's part of the GNOME > project's much welcome effort to sandbox dangerous things > like thumbnailers. > > bubblewrap sets up

Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread Simon McVittie
On Wed, 20 Sep 2017 at 16:53:19 +0200, intrigeri wrote: > Simon McVittie: > > I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so > > I would expect it to want to execute the wrapped thumbnailer? > > Same here! It would be awesome if someone investigated why/how exactly >

Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread intrigeri
Simon McVittie: > I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so > I would expect it to want to execute the wrapped thumbnailer? Same here! It would be awesome if someone investigated why/how exactly Totem now uses bwrap. Cheers, -- intrigeri -- AppArmor mailing list

Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread Simon McVittie
On Wed, 20 Sep 2017 at 13:15:20 +0200, intrigeri wrote: > bubblewrap sets up Linux namespaces and other stuff that makes it > essentially need full admin access, which is kinda by design for this > kind of sandboxing wrappers (not sure if userns would change anything > to that, anyway that's

[apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread intrigeri
Hi, on current Debian sid, Totem tries to use bubblewrap (/usr/bin/bwrap). I've not investigated why yet but I suspect it's part of the GNOME project's much welcome effort to sandbox dangerous things like thumbnailers. bubblewrap sets up Linux namespaces and other stuff that makes it essentially