Hi, Simon Deziel: > On Tue, 21 Nov 2017 14:58:38 +0000 George Dunlap <dunl...@umich.edu> wrote: >> Not sure how the AppArmor stuff works -- would it be possible to >> restrict the profile directory *after* reading profile.ini, so you >> know where the actual profile lives?
> That would certainly be a good idea but would require upstream efforts > to support Apparmor properly. Right. libvirt-daemon does exactly that, but note that loading AppArmor policy into the kernel requires root. > I'm afraid that for such cases, the easiest solution would be to disable > the Apparmor profile: … or use bind-mounts instead of symlinks, so that your profiles are exposed in ~/.thunderbird to AppArmor. Or add local configuration such as: echo " owner /path/to/your/profile/ rw," \ | sudo tee -a /etc/apparmor.d/local/usr.bin.thunderbird echo " owner /path/to/your/profile/** rwk," \ | sudo tee -a /etc/apparmor.d/local/usr.bin.thunderbird sudo apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird Once again, we should document this limitation (+ workaround) in README.Debian. And then we need to decide whether it's good enough or we should ship this profile disabled by default. Cheers, -- intrigeri