Hello Daniel,

On Wed, Nov 29, 2017 at 05:02:25PM +0000, daniel curtis wrote:
> I'm asking, because Evince is a document viewer (PostScript, PDF).
> Of course it allows e.g. printing PS files, EPS etc., text searching,
> hypertext
> navigation and bookmarks with index when it is available in the document
> and so on. So, are these rules above necessary?

Believe me, we get _so many bug reports_ about various pieces of evince
that don't work due to AppArmor profiles that you're going to have a very
hard time selling us on removing rules from the default profile.

Distro-provided profiles will always be too permissive for some users. The
long-term vision for these users involves stacking profiles together
to further restrict operations. You can do this today, sort of, but it
takes some work.

> I would like to remove all unnecessary rules. Just like with Firefox
> profile where, by default, files can be downloaded to every folder in
> @{HOME}. I'd to make some changes: add about 6 rules to the Firefox profile
> and edit "/abstractions/ubuntu-browsers.d/user-files"
> (that's a place with rules that allow write access everywhere in $HOME
> etc.)
> 
> After mentioned changes, users can download only to the "Download" folder,
> not everywhere. Oh, and I added an abstractions "private-files" rule. (Plus
> two more needed rules, because of a "DENIED" entry.) I think it's a safer
> solution, but maybe I'm wrong.

Strictly speaking, even if you remove the ~/** rw, kinds of rules from
firefox's profile, you'll still be able to download to any writable
location in the profile. Doing any different would require modifications
to Firefox.

Thanks

-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor
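
The point made in the reply about downloads landing in any writable location can be checked by listing every rule in a profile that grants write or append access. The following is an added example, not part of the original message and not an AppArmor tool; the profile fragment, the profile name `example-browser` and the function `writable_rules` are constructed for illustration, and the parser only handles the simple `[qualifiers] PATH PERMS,` rule form.

```python
import re

# Simplified matcher for AppArmor file rules written as "[qualifiers] PATH PERMS,".
# Assumption: includes, capability/network rules, exec transitions with "->" and
# the leading-permission form ("rw /path,") are ignored by this sketch.
RULE = re.compile(
    r'^\s*(?P<quals>(?:(?:audit|allow|deny|owner)\s+)*)'
    r'(?P<path>[/@]\S*)\s+(?P<perms>[rwaklmixPpCcUu]+),\s*(?:#.*)?$'
)

# Constructed fragment: the broad "@{HOME}/** rw," rule has already been removed
# and replaced with a Downloads-only rule, as described in the quoted message.
SAMPLE = """
profile example-browser /usr/bin/example-browser {
  #include <abstractions/base>
  /usr/lib/example-browser/** mr,
  owner @{HOME}/Downloads/** rw,
  owner @{HOME}/.cache/example-browser/** rwk,
  /tmp/** rw,
  deny @{HOME}/.ssh/** rw,
}
"""

def writable_rules(profile_text):
    """Return (path, perms) for every non-deny rule granting write or append."""
    found = []
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if not m or 'deny' in m.group('quals').split():
            continue
        if set(m.group('perms')) & {'w', 'a'}:
            found.append((m.group('path'), m.group('perms')))
    return found

if __name__ == "__main__":
    # Each path printed here is a place the confined program can still save to,
    # whatever folder its own download dialog defaults to.
    for path, perms in writable_rules(SAMPLE):
        print(f"{perms:4} {path}")
```
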
