Draft: apparmor: First shot at MAC profile (!28) · Merge requests · UBports / Development / Core / click

Alfred Neumayer requested to merge personal/fredldotme/apparmorprofile into main Mar 07, 2023

This MR sets up an AppArmor profile for the environment that is running during installation of click packages. It focuses on /usr/bin/click specifically and all the subprocesses' requirements for successfully installing packages, updating and deleting them, whether through the OpenStore, clickable or through the File Manager app.

Among the processes spotted spawned as part of the whole installation process:

debsign-verify
dpkg
various click hooks

Due to this setup we have to give access to a few directories we might otherwise give no access to. It still enhances security greatly though as most directories are set into a read-only permission mode, and might even deny read-permission altogether.

Edited Mar 07, 2023 by Alfred Neumayer

Draft: apparmor: First shot at MAC profile

Merge request reports