mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-04 08:24:42 +01:00
Merge profiles: add nautilus unconfined profile
Nautilus uses user namespaces to load thumbnails, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR #1123

Although nautilus has extensions that would allow opening a terminal from the nautilus interface, they do not inherit nautilus' AppArmor label, therefore the use of unconfined does not allow arbitrary use of unprivileged user namespaces using the nautilus label.

https://gitlab.com/apparmor/apparmor/-/merge_requests/1123

In addition this serves as a handle to uniquely identify them instead of unconfined to peers in policy.

Note that unconfined mode should be changed for default_allow when https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged.

Fixes: https://bugs.launchpad.net/bugs/2047256
Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1161
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>
commit
a2da64304f
1 changed files with 12 additions and 0 deletions
12
profiles/apparmor.d/nautilus
Normal file
|
@ -0,0 +1,12 @@
|
|||
# This profile allows everything and only exists to give the
|
||||
# application a name instead of having the label "unconfined"
|
||||
|
||||
abi <abi/4.0>,
|
||||
include <tunables/global>
|
||||
|
||||
profile nautilus /usr/bin/nautilus flags=(unconfined) {
|
||||
userns,
|
||||
|
||||
# Site-specific additions and overrides. See local/README for details.
|
||||
include if exists <local/nautilus>
|
||||
}
|
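Review bot: The two-line header comment in profiles/apparmor.d/nautilus says the profile exists only to give the application a name, but the body carries an explicit `userns,` rule and the commit message gives the real reason: thumbnail loading needs user namespaces once they are restricted for unconfined. Suggest stating that in the comment, together with the planned switch from `flags=(unconfined)` to default_allow that the commit message ties to MR 1109, so the file explains itself without the commit history. It would also help to record there the assumption the change relies on, that processes started through nautilus extensions do not inherit the nautilus label, since that is what keeps this from being a general route to unprivileged user namespaces. Separately, the attachment is the single fixed path `/usr/bin/nautilus`; please confirm that a binary installed at any other path is meant to stay without this label.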