On 2017.10.26 20:10, Simon Déziel wrote:
> The only way to have evince locked in its own profile was to explicitly add
> "/usr/bin/evince Px," to the TB profile. Adding that same line to
> abstractions/ubuntu-helpers didn't work.

abstractions/ubuntu-helpers is basically (ignoring comments)

    profile sanitized_helper {
        [...]
    }

My guess is that you added the evince Px rule inside sanitized_helper, but 
you'd need to add it outside of it (well, unless you want to apply it to the 
case "a program running under sanitized_helper starts evince" ;-)

That said - IMHO abstractions/ubuntu-helpers should stay as is, and such Px 
rules should go into a separate abstraction which users of sanitized_helper 
could or could not include.
-- 
https://code.launchpad.net/~talkless/apparmor-profiles/+git/apparmor-profiles/+merge/332870
Your team AppArmor Developers is requested to review the proposed merge of 
~talkless/apparmor-profiles:fix-thunderbird-attachements into 
apparmor-profiles:master.
