Hi,
On 2025-03-02 01:48, John Johansen wrote:
> On 3/1/25 05:02, Vincas Dargis wrote:
>> 2. Apparently, my long-practiced "tradition" to invoke `aa-enforce /etc/apparmor.d/*` after every apparmor[-profiles]
>> package upgrade (due to usr.bin.ping-and-friends becoming "complain" again) is now seemingly ill-advised? Enforcing
>> all these new, almost-empty "unconfined" profiles makes a sort of havoc...
>>
> ah yeah aa-enforce of the unconfined profiles will cause some issues. Enough that it's a bug worth fixing. We should add
> some kind of flag that either allows skipping those or the inverse is required to enforce on them. Opinions/feedback on
> which is welcome
Yes, some kind of "unconfinable" or "not_confinable" flag could help. One could use flags=(complain,unconfinable) for
any WIP profile.
>> b). How should a user enable a proper custom firefox profile correctly?
>>
>> aa-disable /etc/apparmor.d/firefox, and enforce /etc/apparmor.d/usr.bin.firefox?
>>
> aa-disable of the profile file you don't want should work, and is the current recommended method
OK got it.
> sadly the overlay feature didn't land in 4.1, it is coming and it will allow you to set up local overrides without having
> to overwrite profiles dropped in by packaging.
Overlay looks cool.
Thanks for explanations!
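Until a skip/require flag exists, the blanket `aa-enforce /etc/apparmor.d/*` habit discussed above can be replaced with a filter that leaves the `flags=(unconfined)` profiles and anything already disabled via `aa-disable` alone. The script below is an added example, not code from the thread or from the AppArmor project; it assumes the standard profile header syntax (`profile NAME ... flags=(...) {` or `/path ... flags=(...) {`) and the conventional `/etc/apparmor.d/disable/` symlink directory that `aa-disable` maintains. The directory to scan is a parameter so it can be tried on a scratch copy first.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the AppArmor project).
# Lists profile files in a directory that are reasonable to hand to aa-enforce:
#   - skips files whose profile header carries flags=(... unconfined ...),
#     i.e. the near-empty profiles shipped with AppArmor 4.x that the thread
#     says should not be forced into enforce mode;
#   - skips files the admin has explicitly disabled (a symlink of the same
#     name under DIR/disable/, which is what aa-disable creates);
#   - skips subdirectories such as abstractions/ and tunables/.
# Assumption: headers use standard AppArmor syntax, flags written flags=(a,b).

enforceable_profiles() {
    _dir="$1"
    for _f in "$_dir"/*; do
        # Only regular files are profiles; abstractions/, tunables/, disable/ are dirs.
        [ -f "$_f" ] || continue

        # A header line (not a '#' comment) with an "unconfined" flag marks a
        # profile we must not enforce. '\(' and '\)' are literal parens in ERE.
        if grep -Eq '^[^#]*flags=\([^)]*unconfined[^)]*\)' "$_f"; then
            continue
        fi

        # Respect aa-disable: the recommended way to turn off a packaged
        # profile is a symlink in disable/, so honour it here too.
        if [ -e "$_dir/disable/$(basename "$_f")" ]; then
            continue
        fi

        printf '%s\n' "$_f"
    done
}

# Intended use on a real system (not executed here):
#   enforceable_profiles /etc/apparmor.d | xargs -r aa-enforce
# (-r is the GNU xargs option that skips running aa-enforce on empty input.)
```

The filter is deliberately conservative: it only needs to recognise the `unconfined` flag, so a complain-mode profile such as `usr.bin.ping` is still picked up and pushed back to enforce mode, which is the behaviour the original habit was meant to restore.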