On Fri, Jan 4, 2019 at 2:36 AM, Vincas Dargis <vin...@gmail.com> wrote:
>
> Dear Maintainer,
>
> I'm happy to see that we now have qTox in Debian! Thanks to the Maintainer!
>
> It would be even cooler to have it confined with AppArmor. qTox
> maintains connections to various untrusted peers over the world, and so
> it is important to reduce the attack vector in case an RCE happens, brought
> by some untrusted packet, etc.
>
> We have some GUI packages on Debian that ship with an AppArmor profile
> (like Thunderbird, or LibreOffice, Totem, etc.), and I agree that the
> experience with them might not be the best yet, as AppArmor really lacks
> some features to make GUI applications "better confinable" without
> making users struggle with denies... So due to that I will *suggest to
> ship this profile disabled by default*, so power users should enable it
> consciously, knowing the risks of having some inconveniences.
>
> I am interested in preparing an AppArmor profile for qTox myself, as I use
> this application daily. The idea is to maintain the profile, same as with
> Thunderbird, in the external apparmor-profiles [0] repository, and sync it
> to the Debian package once it is accepted in apparmor-profiles, after it's
> reviewed by AppArmor maintainers and/or contributors.
>
> [0] https://gitlab.com/apparmor/apparmor-profiles
>
Hi, I'd love to see any improvement in program quality. As you're willing to create the AppArmor profile, I'd like to suggest that you submit your changes directly to upstream; just open a PR in their GitHub repo https://github.com/qTox/qTox . Directly shipping an AppArmor profile within the application package is possible; see the example from another package https://salsa.debian.org/yangfl-guest/i2pd/blob/master/debian/i2pd.install . Once upstream provides a (usable) AppArmor profile, I would be very happy to include that in the next release.
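As an added example (not code from either message, nor from qTox, Debian or the apparmor-profiles project): the thread proposes shipping the profile disabled by default and letting power users enable it, so the check a user wants afterwards is whether the kernel actually has the profile loaded, and in which mode. The POSIX shell function below reads the kernel's profile list (one "name (mode)" per line) and reports "enforce", "complain" or "unloaded"; the profile name "qtox" and the sample list contents are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report the AppArmor state of a named profile.
# /sys/kernel/security/apparmor/profiles lists each loaded profile as
# "name (mode)", e.g. "/usr/bin/man (enforce)". A profile shipped disabled
# by default (symlinked into /etc/apparmor.d/disable/) never appears there.
# The list path is a parameter so the function can run against a captured
# copy of the file; it defaults to the live kernel interface.

profile_state() {
    # $1: profile name as the kernel reports it
    # $2: path to the profile list (default: live kernel securityfs file)
    name=$1
    list=${2:-/sys/kernel/security/apparmor/profiles}
    if [ ! -r "$list" ]; then
        # securityfs not mounted, AppArmor not enabled, or not root:
        # nothing can be concluded about the profile
        echo "apparmor-unavailable"
        return 0
    fi
    # Match the exact profile name in column 1; strip the parentheses
    # from the mode in column 2.
    mode=$(awk -v n="$name" '$1 == n { gsub(/[()]/, "", $2); print $2 }' "$list")
    if [ -z "$mode" ]; then
        echo "unloaded"
    else
        echo "$mode"      # "enforce" or "complain"
    fi
    return 0
}

# Constructed sample of the kernel profile list, written to a temp file so
# the demonstration runs offline without AppArmor present.
sample_list=${TMPDIR:-/tmp}/apparmor-profiles.sample.$$
cat > "$sample_list" <<'EOF'
/usr/bin/man (enforce)
thunderbird (enforce)
libreoffice-soffice (complain)
EOF

# Hypothetical profile name "qtox": absent from the list, so disabled/unloaded.
echo "qtox: $(profile_state qtox "$sample_list")"
echo "thunderbird: $(profile_state thunderbird "$sample_list")"
rm -f "$sample_list"
```

Run without the second argument (as root, or with securityfs readable) to query the running kernel instead of the sample file.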