Re: [Tails-ux] Tightening a bit the Evince and Totem AppArmo…

Delete this message

Reply to this message
Author: intrigeri
Date:  
To: Tails user experience & user interface design
Subject: Re: [Tails-ux] Tightening a bit the Evince and Totem AppArmor policy
Hi,

sajolida wrote (10 Jun 2015 11:07:18 GMT) :
> The unencrypted version is in
> /run/shm/keyringer.amnesia/up8yyOS6A6.open.credentials.


OK, so it's easy to allow access there => adding to the blueprint, yay.

Also, this looks safe to me (wrt. the "world-writable directory" issue
I previously mentioned).

Thanks!

> For more info, please try for example `keyringer internal open
> credentials` yourself.


<meta> Well, I'm afraid I have to say no here, for my own sake.
That's a niche use case (you may want to remember why this feature was
added in the first place, and wonder how many people are aware of it,
let alone use it; hint: I don't). In this kind of situation, what
I definitely volunteer for is to translate into AppArmor rules
whatever exact file access I'm told is needed, but I am *not*
volunteering to do the initial research myself. I know such
a statement may seem ridiculous this time, given how easy to test it
looks like, but I feel the need to draw the line somewhere, because if
I don't do that, I'm afraid (possibly irrationally) that more and more
similar responsibilities will be put on my shoulders because oh well,
is has something to do with AppArmor. Thanks in advance for your
understanding :)

Cheers!
--
intrigeri