Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread Seth Arnold
On Wed, Sep 20, 2017 at 01:15:20PM +0200, intrigeri wrote:
> At this point I wonder if it's worth our time to write and maintain
> a profile for /usr/bin/bwrap. My current take of it is: probably not.

I think it is; first, this does raise the question of why is whatever it is that it executes not

Re: [apparmor] [Merge] lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor

2017-09-20 Thread Christian Boltz
Minor nitpicking: The .../share/icons/ rules are the only ones where you use separate rules instead of alternations. If there isn't a special reason for this, I'd prefer to use the same style everywhere ;-) -- https://code.launchpad.net/~intrigeri/apparmor/flatpak-exports/+merge/331056 Your team

Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread John Johansen
On 09/20/2017 04:15 AM, intrigeri wrote:
> Hi,
>
> on current Debian sid, Totem tries to use bubblewrap (/usr/bin/bwrap).
> I've not investigated why yet but I suspect it's part of the GNOME
> project's much welcome effort to sandbox dangerous things
> like thumbnailers.
>
> bubblewrap sets up

Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread Simon McVittie
On Wed, 20 Sep 2017 at 16:53:19 +0200, intrigeri wrote:
> Simon McVittie:
> > I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so
> > I would expect it to want to execute the wrapped thumbnailer?
>
> Same here! It would be awesome if someone investigated why/how exactly
>

Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread intrigeri
Simon McVittie:
> I'm surprised this works. bwrap is an "adverb" like chroot/sudo/env, so
> I would expect it to want to execute the wrapped thumbnailer?

Same here! It would be awesome if someone investigated why/how exactly Totem now uses bwrap.

Cheers,
-- 
intrigeri
-- AppArmor mailing list

[apparmor] [Merge] lp:~intrigeri/apparmor/apache2-attach_disconnected into lp:apparmor

2017-09-20 Thread intrigeri
intrigeri has proposed merging lp:~intrigeri/apparmor/apache2-attach_disconnected into lp:apparmor. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~intrigeri/apparmor/apache2-attach_disconnected/+merge/331065 -- Your team AppArmor

Re: [apparmor] Fixed profiles for Debian 9

2017-09-20 Thread intrigeri
Hi, thanks a lot for the clarifications. I'm looking forward to your merge request on Launchpad :) Cheers, -- intrigeri -- AppArmor mailing list AppArmor@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor

[apparmor] [Merge] ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master

2017-09-20 Thread intrigeri
intrigeri has proposed merging ~intrigeri/apparmor-profiles/+git/apparmor-profiles:gnome-3.26 into apparmor-profiles:master. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see:

[apparmor] [Merge] lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor

2017-09-20 Thread intrigeri
intrigeri has proposed merging lp:~intrigeri/apparmor/flatpak-exports into lp:apparmor. Requested reviews: AppArmor Developers (apparmor-dev) For more details, see: https://code.launchpad.net/~intrigeri/apparmor/flatpak-exports/+merge/331056 -- Your team AppArmor Developers is requested to

Re: [apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread Simon McVittie
On Wed, 20 Sep 2017 at 13:15:20 +0200, intrigeri wrote:
> bubblewrap sets up Linux namespaces and other stuff that makes it
> essentially need full admin access, which is kinda by design for this
> kind of sandboxing wrappers (not sure if userns would change anything
> to that, anyway that's

[apparmor] What to do about bubblewrap started from apps confined with AppArmor?

2017-09-20 Thread intrigeri
Hi, on current Debian sid, Totem tries to use bubblewrap (/usr/bin/bwrap). I've not investigated why yet but I suspect it's part of the GNOME project's much welcome effort to sandbox dangerous things like thumbnailers. bubblewrap sets up Linux namespaces and other stuff that makes it essentially