On 2019-07-27 04:55, Christoph Biedl wrote:
Eventually fakeroot-tcp, wishes to open sockets, something I certainly would not want to whitelist.
In AppArmor case, "non-standard" use cases can be dealt with by editing `/etc/apparmor.d/local/usr.bin.foo`, adding any necessary rules (like allowing to mmap() some specific LD_PRELOAD library if needed for that use case), or by disabling profile completely as worst case workaround.
TTBOMK apparmor would not provide a sane solution for that problem. There still might be another use case: The file program should[citation needed] not write to any file. Reading however must be possible for every item in the entire file system.
That's how I imagine AA profile for `file` - reads absolutely everything, and not expecting to write, unless to some temp file or similar. But as you said, citation needed.
