AppArmor Profiles for Electrum Tarball and AppImage #9003
Could you please provide some context on what this is, and how it is supposed to be used?
AppArmor is a Mandatory Access Control (MAC) system which confines programs to a limited set of resources. AppArmor confinement is provided via profiles loaded into the kernel.
I see. Thanks. Is this something that an "upstream" project should provide (e.g. are these files Linux distribution agnostic)? Do you perhaps have examples of other projects that do so?
include <abstractions/openssl> | ||
include <abstractions/vulkan> | ||
include <abstractions/python> | ||
include <abstractions/evince> |
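Review bot: the last line, `include <abstractions/evince>`, is a plain include, so loading the profile depends on an abstraction that belongs to one PDF viewer. If it only serves the menu entry that opens bitcoin.pdf, make it `include if exists <abstractions/evince>` and add a comment naming the feature that needs it, so the profile still loads on hosts where that file is absent.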
How is evince related? Is it because of the menu option to open bitcoin.pdf?
Yes! Using `evince`, we can view the bitcoin.pdf.
Additionally, `xdg-open` enables us to open the Report bug link.
The inclusion of the browser imports `ubuntu-browsers` and `snap_browsers` facilitates the opening of browser links like Documentation and Official website. However, for opening the Report bug link, `xdg-open` is still required.
Debian, Ubuntu & OpenSUSE derivatives come preconfigured with AppArmor as the default, so it should be ready to use for these.
include <abstractions/ubuntu-browsers> | ||
include <abstractions/snap_browsers> |
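Review bot: both lines are plain includes of abstractions named after Ubuntu and snap, so the profile assumes those files exist on every target distribution. Use `include if exists` for each and note in a comment that they only cover opening links from the help menu, so a host that lacks either file does not fail to load the profile.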
What about when not using Ubuntu, but instead e.g. Debian?
Are these defined on Debian? Or how do these includes work -- is not finding one of these a hard error or just a warning/silent ignore?
Yes, they are configured on Debian (I tested on Debian 12 and also Kali). All the profiles are predefined, and if one is missing, AppArmor produces a hard error.
We can also set them as `include if exists` (last four), as they are only needed by the help tab and don't cause any hard errors if blocked.
The strange thing I noticed is that Kali didn't come with the evince profile, but this was because evince wasn't installed; after installing it, the profile was installed.
> We can also set them as `include if exists` (last four), as they are only needed by the help tab and don't cause any hard errors if blocked.

I think we should do that then, yes.

> The strange thing I noticed is that Kali didn't come with the evince profile, but this was because evince wasn't installed, after installing the profile was installed.

It also does not make sense to tie us to a specific PDF reader program.
Specifically about evince, is it even installed if you choose a different DE than GNOME? E.g. if you install Debian with KDE? Anyway, best not require it.
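One way to check, before loading a profile, which of its includes would not resolve on a given host, separating plain includes (a hard error when missing, as described above) from `include if exists` ones. This is an added example, not part of the PR or the thread; the sample profile, its paths and the `missing_includes` and `demo` names are constructed for illustration, and `/etc/apparmor.d` as the include base is an assumption about a stock install.

```shell
#!/bin/sh
# Added example (not from the PR): report AppArmor includes that do not resolve.
# A missing plain `include <x>` stops the profile from loading; a missing
# `include if exists <x>` is skipped.

# missing_includes PROFILE BASE_DIR
# BASE_DIR is the directory that <...> paths are resolved against
# (assumed to be /etc/apparmor.d on a stock install).
# Prints one line per unresolved include: "required PATH" or "optional PATH".
missing_includes() {
    profile=$1
    base=$2
    # Capture the optional "if exists" marker and the path between < and >.
    # The legacy "#include" spelling is accepted as well.
    sed -n -E 's/^[[:space:]]*#?include[[:space:]]+(if[[:space:]]+exists[[:space:]]+)?<([^>]+)>.*$/\1|\2/p' "$profile" |
    while IFS='|' read -r cond path; do
        [ -e "$base/$path" ] && continue
        if [ -n "$cond" ]; then
            echo "optional $path"
        else
            echo "required $path"
        fi
    done
}

# demo: constructed profile and abstractions tree, built in a temp directory.
# evince and snap_browsers are deliberately absent, as on a host without them.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/abstractions"
    touch "$tmp/abstractions/openssl" "$tmp/abstractions/python" \
          "$tmp/abstractions/ubuntu-browsers"
    cat > "$tmp/electrum.sample" <<'EOF'
profile electrum-sample /opt/electrum-sample/run_electrum {
  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/evince>
  include if exists <abstractions/ubuntu-browsers>
  include if exists <abstractions/snap_browsers>
}
EOF
    missing_includes "$tmp/electrum.sample" "$tmp"
    rm -rf "$tmp"
}

demo
```

Any `required` line in the output means the profile would fail to load on that host; on a real system, call `missing_includes` with the profile file and `/etc/apparmor.d`.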
Could you add a short readme file (in same folder) saying what this is and how to use/test it?
AppArmor Profiles for Electrum
Alright! Added the Readme.
Looks good. Thanks.
Thank you for the quick feedback. I'll continue testing the profiles on various OSs in the coming weeks.
No description provided.