Hmm... indeed! I'll re-investigate why we need `m` permission by the default. I assume that if there's something that actually need `m` permission, a new key in the easyprof manifest would be needed, right?
As for `l` rule for writes, do you think it's safe to add? Given that "the new link MUST have a subset of permissions as the original file" [1], this shouldn't be able to be used to open up more permission. [1]: https://manpages.debian.org/bookworm/apparmor/apparmor.d.5.en.html#l~2 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2058690 Title: aa-easyprof: allow mmap and link from easyprof generated profiles Status in apparmor package in Ubuntu: New Bug description: Currently, an easyprof-generated profile will list the reads with `rk` and the writes as `rwk`. With recent Qt, this breaks because newer Qt versions use hard-linking of temporary files to perform atomic writes. Also, `rk` doesn't allow mmap()'ing shared library for execution. We at UBports are carrying a patch in Ubuntu Touch which changes the read rules to `mrk` and write rules to `mrwkl`, and are upstreaming this patch at [1]. When the MR is merged, I would like this patch to be included in Ubuntu 24.04, so that Ubuntu Touch doesn't have to package AppArmor separately from Ubuntu. If we agree that we want this patch, I can provide an MR on Salsa. [1] https://gitlab.com/apparmor/apparmor/-/merge_requests/1189 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058690/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : [email protected] Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
