[apparmor] What about all these new "unconfined" profiles with just "userns"?
Vincas Dargis
vindrg at gmail.com
Tue Mar 11 11:34:10 UTC 2025
Hi,
On 2025-03-02 01:48, John Johansen wrote:
> On 3/1/25 05:02, Vincas Dargis wrote:
>> 2. Apparently, my long-practiced "tradition" to invoke `aa-enforce /etc/apparmor.d/*` after every apparmor[-profiles]
>> package upgrade (due to usr.bin.ping-and-friends becoming "complain" again), is now seemingly ill-advised? Enforcing
>> all these new, almost-empty "unconfined" profiles makes sort of havoc...
>>
> ah yeah, aa-enforce of the unconfined profiles will cause some issues. Enough that it's a bug worth fixing. We should add
> some kind of flag that either allows skipping those, or the inverse: it is required to enforce on them. Opinions/feedback on
> which is welcome.
Yes, some kind of "unconfinable" or "not_confinable" flag could help. One could use flags=(complain,unconfinable) for
any WIP profile.
>> b). How should a user enable a proper custom firefox profile correctly?
>>
>> aa-disable /etc/apparmor.d/firefox, and enforce /etc/apparmor.d/usr.bin.firefox?
>>
> aa-disable of the profile file you don't want should work, and is the current recommended method.
OK got it.
> Sadly the overlay feature didn't land in 4.1; it is coming, and it will allow you to set up local overrides without having
> to overwrite profiles dropped in by packaging.
Overlay looks cool.
Thanks for the explanations!
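As an added example (not code from this thread or from the AppArmor project), a small POSIX shell helper that skips profile files declared with an `unconfined` flag before bulk-enforcing the rest, i.e. the workaround for the `aa-enforce /etc/apparmor.d/*` problem discussed above until a skip flag exists. The two sample profiles it writes are constructed, and their file names and the temporary directory are assumptions.

```shell
# Added example, not code from the thread or from AppArmor itself.
# Filters "unconfined"-flagged profile files out of a directory so that
# only the remaining profiles are handed to aa-enforce.

# Succeed (exit 0) when the profile file declares an "unconfined" flag
# in its flags=(...) list, e.g. flags=(unconfined) or flags=(complain,unconfined).
is_unconfined_profile() {
    grep -Eq '^[^#]*flags=\(([^)]*[, ])?unconfined([, ][^)]*)?\)' "$1"
}

# Print every regular file under the directory $1 that is NOT an unconfined
# profile, one path per line, ready for "xargs -r aa-enforce".
enforceable_profiles() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_unconfined_profile "$f"; then
            continue
        fi
        printf '%s\n' "$f"
    done
}

# Write two constructed sample profiles into a temporary directory and print
# its path: a normal complain-mode profile and a userns-only unconfined one.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/usr.bin.ping" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
profile ping /usr/bin/ping flags=(complain) {
  network inet raw,
}
EOF
    cat > "$d/firefox" <<'EOF'
abi <abi/4.0>,
include <tunables/global>
profile firefox /usr/bin/firefox flags=(unconfined) {
  userns,
}
EOF
    printf '%s\n' "$d"
}

# Real-world use (as root): enforceable_profiles /etc/apparmor.d | xargs -r aa-enforce
```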