Hello Daniel,

On Wed, Nov 29, 2017 at 05:02:25PM +0000, daniel curtis wrote:
> I'm asking, because Evince is a document viewer (PostScript, PDF).
> Of course it allows e.g. printing PS files, EPS etc., text searching,
> hypertext navigation and bookmarks with index when it is available in
> the document and so on. So, are these rules above necessary?

Believe me, we get _so many bug reports_ about various pieces of evince that don't work due to AppArmor profiles that you're going to have a very hard time selling us on removing rules from the default profile.

Distro-provided profiles will always be too permissive for some users. The long-term vision for these users involves stacking profiles together to further restrict operations. You can do this today, sort of, but it takes some work.

> I would like to remove all unnecessary rules. Just like with Firefox
> profile where, by default, files can be downloaded to every folder in
> @{HOME}. I'd to make some changes: add about 6 rules to the Firefox profile
> and edit "/abstractions/ubuntu browsers.d/user-files"
> (that's a place with rules that allow write access everywhere in $HOME
> etc.)
>
> After mentioned changes, users can download only to the "Download" folder,
> not everywhere. Oh, and I added an abstractions "private-files" rule. (Plus
> two more needed rules, because of a "DENIED" entry.) I think it's a safer
> solution, but maybe I'm wrong.

Strictly speaking, even if you remove the ~/** rw, kinds of rules from firefox's profile, you'll still be able to download to any writable location in the profile. Doing any different would require modifications to Firefox.

Thanks
-- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor