doc: update documentation.
This commit is contained in:
Alexandre Pujol
parent
d86cf03dab
commit
c7177eedde
2 changed files with 22 additions and 17 deletions
|
|
@ -217,6 +217,14 @@ Minimal set of rules for sandboxed programs using `bwrap`. A profile using this
|
|||
|
||||
A minimal set of rules for chromium based application. Handle access for internal sandbox.
|
||||
|
||||
It works as a *function* and requires some variables to be provided as *arguments* and set in the header of the calling profile:
|
||||
|
||||
!!! note ""
|
||||
|
||||
[apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/steam/steam#L24-L25)
|
||||
``` sh linenums="24"
|
||||
@{domain} = org.chromium.Chromium
|
||||
```
|
||||
|
||||
### **`common/electron`**
|
||||
|
||||
|
|
@ -227,6 +235,7 @@ A minimal set of rules for all electron based UI applications. It works as a *fu
|
|||
[apparmor.d/profile-s-z/spotify](https://github.com/roddhjav/apparmor.d/blob/7d1380530aa56f31589ccc6a360a8144f3601731/apparmor.d/profiles-s-z/spotify#L10-L13)
|
||||
``` sh linenums="10"
|
||||
@{name} = spotify
|
||||
@{domain} = org.chromium.Chromium
|
||||
@{lib_dirs} = /opt/@{name}
|
||||
@{config_dirs} = @{user_config_dirs}/@{name}
|
||||
@{cache_dirs} = @{user_cache_dirs}/@{name}
|
||||
|
|
|
|||
|
|
@ -6,6 +6,19 @@ title: Known issues
|
|||
|
||||
Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**.
|
||||
|
||||
## Ubuntu
|
||||
|
||||
### Dbus
|
||||
|
||||
Ubuntu fully supports dbus mediation with apparmor. If it is a value added by Ubuntu from other distributions, it can also lead to some breakage if you enforce some profiles. *Do not enforce the rules on Ubuntu Desktop.*
|
||||
|
||||
Note: Ubuntu server has been more tested and will work without issues with enforced rules.
|
||||
|
||||
### Snap
|
||||
|
||||
Apparmor.d needs to be fully integrated with snap, otherwise your snap applications may not work properly. As of today, it is a work in progress.
|
||||
|
||||
|
||||
## Complain mode
|
||||
|
||||
A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**:
|
||||
|
|
@ -14,20 +27,3 @@ A profile in *complain* mode cannot break the program it confines. However, ther
|
|||
2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile,
|
||||
3. If AppArmor does not find the profile to transition `rPx`.
|
||||
|
||||
## Pacman "could not get current working directory"
|
||||
|
||||
```sh
|
||||
$ sudo pacman -Syu
|
||||
...
|
||||
error: could not get current working directory
|
||||
:: Processing package changes...
|
||||
...
|
||||
```
|
||||
|
||||
This is **a feature, not a bug!** It can safely be ignored. Pacman tries to get your current directory. You will only get this error when you run pacman in your home directory.
|
||||
|
||||
According to the Arch Linux guideline, on Arch Linux, packages cannot install files under `/home/`. Therefore, the [`pacman`][pacman] profile purposely does not allow access of your home directory.
|
||||
|
||||
This provides a basic protection against some packages (on the AUR) that may have rogue install script.
|
||||
|
||||
[pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue