Control: tags -1 moreinfo

Hi,

On Wed, Mar 15, 2017 at 5:07 AM, Ulrike Uhlig <ulr...@debian.org> wrote:
> Package: pulseaudio
> Severity: normal
>
> Hi,
>
> as you might know, AppArmor confines programs according to a set of
> rules that specify what files a given program can access. This approach
> helps protect the system against both known and unknown vulnerabilities.
> In several distributions such as Ubuntu or Tails, AppArmor is enabled by
> default.
>
> There is an AppArmor profile for Pulseaudio available upstream:
> https://git.launchpad.net/apparmor-profiles/tree/ubuntu/17.04/usr.bin.pulseaudio
> I've asked the original authors if this profile is ready to be included
> and they confirmed. In any case, this profile is only active if people
> have installed AppArmor in the first place, so it should never break the
> package for users without AppArmor.
>
> The profile can be included in the Pulseaudio packaging quite easily.
> All the necessary steps are documented here:
> https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport
>
> Please also see examples in the packages torbrowser-launcher or in
> Icedove
> (https://anonscm.debian.org/cgit/pkg-mozilla/icedove.git/tree/debian).

I have some doubts:

1. What is the benefit of shipping the profile info in pulseaudio
   versus shipping it in the apparmor-profiles package?
2. Wouldn't that benefit be best achieved if the profile was shipped
   by (pulse) upstream?

I'm wary of being in charge of stuff I don't use, and I would think
upstream would be as well. Would apparmor maintainers be willing to
step in to help when problems appear with the profile?

>
> I'll try to prepare a patch to make it easier for you to integrate it.

That would be great.

--
Saludos,
Felipe Sateler