Hi, Simon McVittie (2026-02-22): > For the other affected apps such as libreoffice and papers, I think the > solution will have to involve either extending their AppArmor profiles > so that the sandboxed image loaders can work (if the AppArmor profile is > providing value), or removing/disabling the AppArmor profile (if it > isn't practically helpful to mitigate/prevent attacks and is only > causing us problems).
IIRC I've seen a comment somewhere in a discussion on an issue or PR in the https://github.com/roddhjav/apparmor.d/ project that said it was possible to force Glycin to turn off its sandboxing, by denying 1 of the access it was using on startup to check if sandboxing was possible. This is clearly a poor long-term choice, but if a 1-liner quick fix implements this (bringing us back to where we were 2 weeks ago in terms of security and bugs), it might buy us some time while we figure out how we want to approach the whole thing. I'll try to find this workaround tomorrow. Cheers, -- intrigeri
