Hi,
Simon Deziel:
> On Tue, 21 Nov 2017 14:58:38 +0000 George Dunlap <dunl...@umich.edu> wrote:
>> Not sure how the AppArmor stuff works -- would it be possible to
>> restrict the profile directory *after* reading profile.ini, so you
>> know where the actual profile lives?
> That would certainly be a good idea but would require upstream efforts
> to support Apparmor properly.
Right. libvirt-daemon does exactly that, but note that loading
AppArmor policy into the kernel requires root.
> I'm afraid that for such cases, the easiest solution would be to disable
> the Apparmor profile:
… or use bind-mounts instead of symlinks, so that your profiles
are exposed in ~/.thunderbird to AppArmor.
Or add local configuration such as:
echo " owner /path/to/your/profile/ rw," \
| sudo tee -a /etc/apparmor.d/local/usr.bin.thunderbird
echo " owner /path/to/your/profile/** rwk," \
| sudo tee -a /etc/apparmor.d/local/usr.bin.thunderbird
sudo apparmor_parser -r /etc/apparmor.d/usr.bin.thunderbird
Once again, we should document this limitation (+ workaround) in
README.Debian.
And then we need to decide whether it's good enough or we should ship
this profile disabled by default.
Cheers,
--
intrigeri
