Hi,
intrigeri:
> I'm working on #5525 ("Sandbox the web browser"), and have an AppArmor
> profile that works locally for most basic use cases. Now, I'm
> wondering how to integrate it into Tails and I need your input.
>
> This profile was derived from the one I've worked a lot on for
> torbrowser-launcher (https://micahflee.com/torbrowser-launcher/).
>
> I think we have two solutions:
>
> 1. Download "upstream" profile and apply Tails-specific patch at
> ISO build time
[..snip]
> #1 has the advantages that we get upstream improvements for free,
> and we're forced to track upstream, and to adjust our own patch
> whenever needed: otherwise, Tails ISO build fails.
[..snip]
> From my point of view, #1 feels cleaner: it forces us to do the right
> thing wrt. upstream, and it fails earlier (at build time). However,
> I see how it can be annoying to see the build suddenly start failing,
> if only few of us feel comfortable updating our profile delta.
> These disadvantages are slightly mitigated, though:
[..snip]
> => I'm in favor of #1.
Me too.
Indeed, as I am co-maintaining torbrowser-launcher in Debian and work on
AppArmor a lot these days, I can commit to track changes to the upstream
profile.
Do you want to point me at the Tails-specific patch so I can see what we
are talking about?
Anything else i should know or do?
For people who want to know more about AppArmor.. there is now already
better documentation on
https://wiki.debian.org/AppArmor, and more to come.
Cheers!
u.
