Not strictly related to the original issue, but I just went through the included abstractions, and someone more familiar with akonadi will easily spot opportunities for additional restrictions. For example, I would be surprised if mysqld needs netlink or the net_bind_service capability, which leak in (indirectly) through the netservice abstraction. I would actually doubt that this profile should permit any capability at all, citing the Ubuntu wiki: "... it is generally not a bug in the profile if a non-default configuration is being used by the application." And adjusting user and group permissions such that mysqld as a different user can access (just the) emails is certainly a non-default configuration, supporting which IMHO reduces the security for the broad majority which just runs something default.
Just to share some additional thoughts.

--
https://bugs.launchpad.net/bugs/1759084
Title: mysqld-akonadi profile does not support seccomp
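
One way to audit which capability and network rules a profile picks up indirectly through its included abstractions, as described in the message above. This is an added example, not part of the original message or of the AppArmor project; the policy text, the `abstractions/nested-example` name and the `inherited_grants` helper are constructed assumptions, not the real Ubuntu files.

```python
import re

# Constructed sample policy, embedded so the example runs offline.
# These are NOT the real Ubuntu profile or abstraction files.
POLICY = {
    "mysqld_akonadi": """
        #include <abstractions/base>
        #include <abstractions/netservice>
        /usr/sbin/mysqld mr,
    """,
    "abstractions/base": """
        /etc/ld.so.cache r,
    """,
    "abstractions/netservice": """
        #include <abstractions/nested-example>
        network netlink raw,
    """,
    "abstractions/nested-example": """
        capability net_bind_service,
    """,
}

INCLUDE = re.compile(r"^#?include\s+<([^>]+)>")
# Allow rules only; a line starting with "deny" is not a grant and is skipped.
GRANT = re.compile(r"^(?:audit\s+|allow\s+)*(capability|network)\b[^,]*,")


def inherited_grants(name, policy, chain=(), seen=None):
    """Return [(rule, include_chain)] for capability/network rules reachable from `name`."""
    seen = set() if seen is None else seen
    if name in seen:  # guard against include cycles and repeated includes
        return []
    seen.add(name)
    chain = chain + (name,)
    found = []
    for raw in policy.get(name, "").splitlines():
        line = raw.strip()
        inc = INCLUDE.match(line)
        if inc:  # follow the include and remember how we got there
            found += inherited_grants(inc.group(1), policy, chain, seen)
        elif GRANT.match(line):
            found.append((line.rstrip(","), chain))
    return found


if __name__ == "__main__":
    for rule, chain in inherited_grants("mysqld_akonadi", POLICY):
        print(f"{rule:32} via {' -> '.join(chain)}")
```

Each reported rule carries the include chain that introduced it, so a reviewer can decide whether to drop the abstraction or replace it with the few rules the confined program actually needs.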
