On 03.12.2017 02:57, Ben Caradoc-Davies wrote:
> On 02/12/17 23:43, Alexander V. Makartsev wrote:
>> Now, when I hit this buggy profile problem, I'm thinking about how to
>> deal with these problems in the future for other applications.
>> After consulting the AppArmor manual I have not found any reference about
>> how to override an AppArmor profile.
>> All profiles are placed in "/etc/apparmor.d/" and that is it, so the
>> only options are either to disable the misbehaving AppArmor profile or modify
>> it, which is a bad option because this is a package-shipped profile.
>> For example, systemd unit-files could be easily overridden without
>> resorting to modification of package-shipped unit-files.
>> Is this possible for AppArmor?
>
> Yes, there is aa-complain in the apparmor-utils packages, but this was
> itself buggy when I used it for thunderbird:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882047
>
> Kind regards,
>

If I understood this correctly, aa-complain will only switch the profile to
"complain mode" (log, but don't block).
This is effectively the same as disabling the profile, which is not a
good solution.
"aa-complain" is useful for debugging and writing my own profiles, but
it won't be as useful when a partially broken profile is coming from a
package, because any user modifications will be overwritten after
package updates.

-- 
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀