Allow snap-confine to be confined even with --disable-apparmor #3760
I believe #3814 is a superset of the idea.

Yep, agreed, looking forward to being able to delete this bit of delta :)
mwhudson closed this Aug 28, 2017
mwhudson commented Aug 17, 2017
--disable-apparmor is used on Debian because Debian's kernel does not (yet)
support all the apparmor features required to run snaps confined, so all snaps
run in devmode. That does not mean it is not possible or useful to use apparmor
to confine snap-confine itself, though, so change the Makefile.am to still
create a profile for snap-confine even when --disable-apparmor is passed. The
profile has to be a bit more permissive to make this work, so convert
snap-confine.apparmor.in to m4 to conditionally add the extra rules.