[apparmor] Understanding child profiles and file_inherit
intrigeri
intrigeri at debian.org
Sun Nov 5 11:10:32 UTC 2017
Vincas Dargis:
> And no, it does not actually open files from `/usr/share/skypeforlinux/*`, etc.
> So, basically, what's happening here? Is it because `skypeforlinux` executed the child
> process in some "special" way, or is it just the "natural" way Linux applications
> work?
file_inherit is about open file descriptors: they are inherited by child
processes by default. AppArmor now mediates this.
> There was a recent bug report for Thunderbird that a child process file_inherit's
> some .js file [0]. Why on Earth should it be that one special file only? Thunderbird
> probably had opened many more files at the time the child was being run.
No idea.
> How this generally should be handled in child profiles, simply manually add denies..?
Yes.
> Is it possible to deny all of these file_inherit somehow?
Probably, with a wide deny rule such as (/**).
Cheers,
--
intrigeri
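The mechanism intrigeri describes (open file descriptors surviving into a child process unless something closes them) can be seen directly. The following is an added example, not code from the thread or from AppArmor; it assumes a POSIX system (Linux) with Python 3.4 or later, and it constructs its own temporary file. It spawns a child interpreter three ways and reports whether the child can still use the parent's descriptor: left inheritable with no cleanup, left inheritable but with the parent closing non-stdio descriptors before exec, and opened with O_CLOEXEC so the kernel drops it at exec. The first case is the one that shows up as `file_inherit` in AppArmor denials; the other two are what an application can do to avoid leaking descriptors into a confined child in the first place.

```python
"""Constructed demo of file-descriptor inheritance across exec (added example)."""
import os
import subprocess
import sys
import tempfile

# Child-side probe: report whether the descriptor number it was handed is still
# open AND still refers to the same inode the parent opened (guards against the
# child having reused that number for something else).
_PROBE = (
    "import os, sys\n"
    "fd, ino = int(sys.argv[1]), int(sys.argv[2])\n"
    "try:\n"
    "    print('inherited' if os.fstat(fd).st_ino == ino else 'closed')\n"
    "except OSError:\n"
    "    print('closed')\n"
)


def child_sees_fd(fd: int, close_fds: bool) -> bool:
    """Spawn a child interpreter and report whether it can still use `fd`.

    close_fds=False mimics a plain fork()+exec() that leaves descriptors alone;
    close_fds=True is the parent closing everything except 0, 1 and 2 first.
    """
    ino = os.fstat(fd).st_ino
    result = subprocess.run(
        [sys.executable, "-c", _PROBE, str(fd), str(ino)],
        capture_output=True, text=True, close_fds=close_fds, check=True,
    )
    return result.stdout.strip() == "inherited"


def run_scenarios() -> dict:
    """Open one constructed temp file three ways and record what the child sees."""
    outcomes = {}
    with tempfile.NamedTemporaryFile() as tmp:
        # 1. Inheritable descriptor, parent does nothing: the child gets it for free.
        #    This is the situation behind a file_inherit denial in a child profile.
        fd = os.open(tmp.name, os.O_RDONLY)
        os.set_inheritable(fd, True)  # clear FD_CLOEXEC (Python sets it by default)
        outcomes["inheritable_no_cleanup"] = child_sees_fd(fd, close_fds=False)
        os.close(fd)

        # 2. Same descriptor, but the parent closes non-stdio fds before exec.
        fd = os.open(tmp.name, os.O_RDONLY)
        os.set_inheritable(fd, True)
        outcomes["inheritable_close_fds"] = child_sees_fd(fd, close_fds=True)
        os.close(fd)

        # 3. Opened with O_CLOEXEC: the kernel closes it at exec, whatever the parent does.
        fd = os.open(tmp.name, os.O_RDONLY | os.O_CLOEXEC)
        outcomes["cloexec"] = child_sees_fd(fd, close_fds=False)
        os.close(fd)
    return outcomes


if __name__ == "__main__":
    for name, seen in run_scenarios().items():
        print(f"{name:26s} child can use parent's fd: {seen}")
```

Only the first scenario leaks the descriptor. From the policy side that leak is what a `deny` rule in the child profile (or the broad `/**` deny intrigeri mentions) silences; from the application side, opening files with O_CLOEXEC or closing descriptors before exec removes the inherit event altogether, which is usually the cleaner fix.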