Merge lp://qastaging/~intrigeri/apparmor/flatpak-exports into lp://qastaging/apparmor/2.12
Status: | Work in progress |
---|---|
Proposed branch: | lp://qastaging/~intrigeri/apparmor/flatpak-exports |
Merge into: | lp://qastaging/apparmor/2.12 |
Diff against target: | 53 lines (+16/-14), 1 file modified: profiles/apparmor.d/abstractions/freedesktop.org (+16/-14) |
To merge this branch: | bzr merge lp://qastaging/~intrigeri/apparmor/flatpak-exports |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
intrigeri | Disapprove | ||
AppArmor Developers | Pending | ||
Unmerged revisions
- 3711. By intrigeri

  abstractions/freedesktop.org: fixup.

- 3710. By intrigeri

  abstractions/freedesktop.org: treat Flatpak exports the same way as bits shipped by the distro (Closes: Debian#865206).

  As Simon McVittie <email address hidden> wrote on https://bugs.debian.org/865206 and on the AppArmor mailing list:

  "Anything in /var/lib/flatpak/exports/share or ~/.local/share/flatpak/exports/share is essentially equivalent to the corresponding path in /usr/{local/,}share, and is something that has deliberately been "exported" to the rest of the system by a Flatpak-confined app.

  The only reason to prevent reading those directories would be if you do not want the AppArmor-confined app to be able to enumerate the other software you have installed on your system, as an anti-fingerprinting mechanism."

Minor nitpicking: The .../share/icons/ rules are the only ones where you use separate rules instead of alternations. If there isn't a special reason for this, I'd prefer to use the same style everywhere ;-)
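
When separate rules are folded into alternations, as the review comment asks, a reviewer can check mechanically that the rewrite grants exactly the same path patterns and does not widen access. The sketch below is an added example, not code from this branch or from AppArmor; the sample rules are constructed for illustration, and the parser assumes simple `[owner] PATH PERMS,` file rules without quoted paths.

```python
import re

VAR = re.compile(r"@\{(\w+)\}")   # variable reference such as @{HOME}
ALT = re.compile(r"\{([^{}]*)\}")  # an innermost {a,b} alternation

def expand(pattern):
    """Expand AppArmor {a,b} alternations (nesting allowed) into plain patterns."""
    # Mask "@{VAR}" so its braces are not read as an alternation (assumes no
    # control characters in policy text).
    masked = VAR.sub(lambda m: "@\x00" + m.group(1) + "\x01", pattern)
    todo, done = [masked], set()
    while todo:
        p = todo.pop()
        m = ALT.search(p)
        if m is None:
            if "{" in p or "}" in p:
                raise ValueError(f"unbalanced braces in {pattern!r}")
            done.add(p.replace("@\x00", "@{").replace("\x01", "}"))
        else:
            todo += [p[:m.start()] + alt + p[m.end():] for alt in m.group(1).split(",")]
    return done

def rule_set(text):
    """Return {(owner, path, perms)} for simple '[owner] PATH PERMS,' file rules."""
    rules = set()
    for line in text.splitlines():
        words = line.split("#")[0].strip().rstrip(",").split()
        if not words:
            continue
        owner = words[0] == "owner"
        path, perms = words[1:] if owner else words
        rules |= {(owner, p, perms) for p in expand(path)}
    return rules

# Constructed sample rules for illustration; not the rules from this branch.
SEPARATE = """
/usr/share/icons/ r,
/usr/share/icons/** r,
/var/lib/flatpak/exports/share/icons/ r,
/var/lib/flatpak/exports/share/icons/** r,
owner @{HOME}/.local/share/flatpak/exports/share/icons/{,**} r,
"""
ALTERNATION = """
/{usr,var/lib/flatpak/exports}/share/icons/{,**} r,
owner @{HOME}/.local/share/flatpak/exports/share/icons/{,**} r,
"""

if __name__ == "__main__":
    print("same grants:", rule_set(SEPARATE) == rule_set(ALTERNATION))
```

The comparison is syntactic: equal sets mean equal grants, while unequal sets only show which patterns to inspect by hand.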