On 07/01/2017 12:17 AM, Vincas Dargis wrote: > 2017.07.01 00:56, John Johansen wrote: >> For a tighter policy where enumerating other application etc is not >> allowed then we would want to block access. I don't think we can do >> that well with applications like firefox until support for delegation >> lands. > > Interesting, what is this mentioned "delegation" ? >
Delegation will allow an application to delegate some of its authority (permissions) to other confined task. So for example an external file picker could be used to allow the user to choose files, and then delegate that access to firefox, so that the firefox profile does not need to be given broad access to the users directory. For various reasons stacking (think of it as the intersection of profiles and hence a way to reduce permissions) has had to land first. That has largely happened (4.13 will have most of what is needed) and hopefully the remaining issues will be landed by 4.14. -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
