I would like to add a small correction here regarding the intent of man-db's AppArmor policy. The intent is _not_ to confine where the man program itself can write, as is noted in the policy itself:

  # Allow basically anything in terms of file system access, subject to DAC.
  # The purpose of this profile isn't to confine man itself (that might be
  # nice in the future, but is tricky since it's quite configurable), but to
  # confine the processes it calls that parse untrusted data.
  /** mrixwlk,

However, the man_groff sub-profile is more constrained, and that's used for the groff-related subprocesses that man forks. That's what's triggering denials here.

In some ways I wonder if that means that the problem is a leaky abstraction of sorts. We're trying to confine man's groff-related subprocesses, but we pass through FDs to them.

One possibility might be to have groff write to a pipe instead in this situation and stream it through man to the output file. Slightly less efficient, but it might not be too unreasonable.

--
https://bugs.launchpad.net/bugs/2055402

Title:
  Though lintian call: error: troff: Segmentation fault