On 2017-11-28 12:19, intrigeri wrote:
> → In this case, I would argue that we're talking about a corner
> case, that only rather advanced users will hit, and I find it sad
> that everyone else can't benefit from AppArmor security benefits
> due to that, so I'm leaning towards:
>
>   1. keep the AppArmor profile enforced by default, so the vast
>      majority of users benefit from it;
>   2. ensure the AppArmor profile supports customization and
>      affected users can learn how to tweak it; in this case,
>      I think adding in README.Debian "add your custom
>      env:UserInstallation to @{libo_user_dirs}" would be sufficient.
>
> What do you think? If you agree with my reasoning, then I could
> provide a patch to implement the proposed change in README.Debian.

It's the same story as with Thunderbird's #882218; we really should think about adding customization points to these GUI applications.

I've read about AppArmor variables, and the man page states that variables have to
be modified before the profile:

> Variables may have multiple values assigned, but any variable assignments
> must be made before the start of the profile.

So that means that LO and Thunderbird must have some extra include, as the <local/foo> include is too late (within the profile itself)?

Something like:

```
@{libo_user_dirs} = @{HOME} /mnt /media
#include <tunables/usr.lib.libreofficeprogram.soffice.bin.d>
```

Right?

How are you planning to patch it?
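The ordering rule quoted from the man page above, as an added example that is not part of the original message or of the Debian package: a small Python check that flags AppArmor variable assignments placed inside a profile body, which is where a `<local/...>` include would put them. The sample profile text, the profile name and the `/srv/office-profiles` path are constructed, and the scanner is a simplification that does not follow includes or strip trailing comments.

```python
import re

# "@{name} = ..." or "@{name} += ..." at the start of a line is an assignment.
ASSIGN_RE = re.compile(r'^@\{(\w+)\}\s*\+?=')

def misplaced_assignments(profile_text):
    """Return [(line_no, var_name)] for assignments found inside a profile body."""
    depth = 0
    found = []
    for line_no, raw in enumerate(profile_text.splitlines(), start=1):
        line = raw.strip()
        # '#include' is a directive; any other line starting with '#' is a comment.
        if not line or (line.startswith('#') and not line.startswith('#include')):
            continue
        match = ASSIGN_RE.match(line)
        if match:
            if depth > 0:
                found.append((line_no, match.group(1)))
            continue
        # A block opens on a line ending in '{' and closes on a bare '}'.
        # Globs such as /{usr/,}lib/** or @{HOME}/x end in ',' and are ignored.
        if line.endswith('{'):
            depth += 1
        elif line == '}':
            depth = max(depth - 1, 0)
    return found

# Constructed sample: customization added in the preamble (accepted ordering).
GOOD_PROFILE = """\
#include <tunables/global>
@{libo_user_dirs} = @{HOME} /mnt /media
@{libo_user_dirs} += /srv/office-profiles
profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin {
  #include <abstractions/base>
  owner @{libo_user_dirs}/** rwk,
}
"""

# Constructed sample: the same assignment, but inside the profile (too late).
BAD_PROFILE = """\
#include <tunables/global>
@{libo_user_dirs} = @{HOME} /mnt /media
profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin {
  #include <abstractions/base>
  @{libo_user_dirs} += /srv/office-profiles
  owner @{libo_user_dirs}/** rwk,
}
"""

if __name__ == "__main__":
    print(misplaced_assignments(GOOD_PROFILE), misplaced_assignments(BAD_PROFILE))
```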
