The 'm' permission shouldn't be a default; restricting what the CPU will execute is a very useful security mitigation.
Thanks -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu. https://bugs.launchpad.net/bugs/2058690 Title: aa-easyprof: allow mmap and link from easyprof generated profiles Status in apparmor package in Ubuntu: New Bug description: Currently, an easyprof-generated profile will list the reads with `rk` and the writes as `rwk`. With recent Qt, this breaks because newer Qt versions use hard-linking of temporary files to perform atomic writes. Also, `rk` doesn't allow mmap()'ing shared library for execution. We at UBports are carrying a patch in Ubuntu Touch which changes the read rules to `mrk` and write rules to `mrwkl`, and are upstreaming this patch at [1]. When the MR is merged, I would like this patch to be included in Ubuntu 24.04, so that Ubuntu Touch doesn't have to package AppArmor separately from Ubuntu. If we agree that we want this patch, I can provide an MR on Salsa. [1] https://gitlab.com/apparmor/apparmor/-/merge_requests/1189 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2058690/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
