On 07/01/2017 04:41 PM, John Johansen wrote:
> On 07/01/2017 12:17 AM, Vincas Dargis wrote:
>> 2017.07.01 00:56, John Johansen wrote:
>>> For a tighter policy where enumerating other application etc is not
>>> allowed then we would want to block access. I don't think we can do
>>> that well with applications like firefox until support for delegation
>>> lands.
>>
>> Interesting, what is this mentioned "delegation" ?
>>
>
> Delegation will allow an application to delegate some of its authority
> (permissions) to other confined task.
>
> So for example an external file picker could be used to allow the user to
> choose files, and then delegate that access to firefox, so that the firefox
> profile does not need to be given broad access to the users directory.
>
> For various reasons stacking (think of it as the intersection of profiles
> and hence a way to reduce permissions) has had to land first. That has largely
> happened (4.13 will have most of what is needed) and hopefully the remaining
> issues will be landed by 4.14.
>

So just to flesh the answer out a little bit more, the documentation is still
very much a wip.

Stacking is very much intertwined with how apparmor is using policy
namespaces, so you will notice a fair bit of cross referencing between the
documentation of each

http://wiki.apparmor.net/index.php/AppArmorStacking

The delegation documentation is a lot rougher but there is a start at

http://wiki.apparmor.net/index.php/AppArmorDelegation