Merge lp:~serge-hallyn/apparmor-profiles/apparmor-profiles into lp:apparmor-profiles
Proposed by
Serge Hallyn
Status: | Merged |
---|---|
Approved by: | Steve Beattie |
Approved revision: | 161 |
Merge reported by: | Steve Beattie |
Merged at revision: | not available |
Proposed branch: | lp:~serge-hallyn/apparmor-profiles/apparmor-profiles |
Merge into: | lp:apparmor-profiles |
Diff against target: |
27 lines (+23/-0) 1 file modified
ubuntu/16.04/usr.bin.ttytter (+23/-0) |
To merge this branch: | bzr merge lp:~serge-hallyn/apparmor-profiles/apparmor-profiles |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Steve Beattie | Approve | ||
Review via email: mp+291919@code.launchpad.net |
Description of the change
Add a ttytter profile.
To post a comment you must log in.
While this is certainly better than no profile, there's a lot of fairly
wide permissions added:
+ /usr/lib/** r,
+ /lib/** r,
+ /usr/share/** r,
<abstractions/base> ought to include a huge number of libraries already --
what else was needed in /usr/lib, /lib, /usr/share?
+ /etc/* r,
+ unix (create, connect, receive),
+ /run/** rw,
These just seem too wide by a lot -- what's it doing with unix sockets?
Can that be reduced via peer=(label=..) rules? Which files in /etc/ did it
need? Can /run/ be constrained by uid or user or at least the 'owner'
qualifier?
+ /dev/null rw,
+ network inet,
Heh I'm surprised these were needed explicitly.
Any chance this could be closed a bit further?
Thanks