On 2017-12-04 21:19, Carsten Schoenert wrote:
> GUI stuff where users can easily inspect the current enabled profile
Yeah, I miss some sort of convenient auditing tool too.
> If we add the now possible @{thunderbird_user_dirs} directive we need to think about some migration scenario too. The impact on the user side and the need to modify their rules set up for a second time must be as small as possible. And a decision based on a broader view needs to take care also about other application profiles that may need some extra rules on some users' side too.
I do not see the need for migration of any kind. @{thunderbird_user_dirs} will be set to @{HOME}, so _by default the profile will work the same as before_.
The OP of this bug report will be able to extend this variable in the `/etc/apparmor.d/local/tunables/usr.bin.thunderbird` file by adding the single line `@{thunderbird_user_dirs} += @{HOME}/Archives/` and reloading the profile. This customization point could be documented in README.Apparmor as suggested.
As for other applications, these `local/tunables` variable files could be used for media players (or other document-opening applications) too, for example to allow extending "extra_read_dirs" such as /mnt, /media, /srv etc. to more places as needed, without writing full rules in the `local` file.
The Libreoffice profile already uses a lot of variables, but there is no `local/tunables`-style include file used, so the user must edit the main profile in order to extend it, which is not OK (a battle against the package manager).
> Currently I haven't enough time to think about all those various things, nor will I have in the next months unfortunately. But if you all come up with a solution that will cover most of the things, I will happily trust intrigeri to collect the right things and push them into the thunderbird packaging.
Discussion about using AppArmor variables more, as in this use case, is still ongoing, and it looks like there is agreement in general from intrigeri and John Johansen, though some details still need to be resolved.
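As an added illustration (not code from the thread, nor from the Debian thunderbird packaging), here is a small POSIX shell helper that does the customization described above: it appends one `+=` line for @{thunderbird_user_dirs} to the local tunables file named in the thread and then reloads the profile with `apparmor_parser -r`. It assumes the packaged profile already includes that local tunables file and that the packaged tunables set the variable's default to @{HOME}; the script name and the `/srv/mail/` sample directory are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the thread or of the thunderbird packaging.
# Extends @{thunderbird_user_dirs} via the local tunables file proposed
# above, so the shipped profile stays untouched (no fight with dpkg).
TUNABLE='@{thunderbird_user_dirs}'
# Path proposed in the thread; assumes the packaged profile includes it.
LOCAL_TUNABLES=/etc/apparmor.d/local/tunables/usr.bin.thunderbird
PROFILE=/etc/apparmor.d/usr.bin.thunderbird

# The one-line customization: '+=' appends to the variable, so the
# default value (@{HOME}) set by the packaged tunables is kept.
tunable_line() {
    printf '%s += %s' "$TUNABLE" "$1"
}

# Append a directory once; a repeated call does not duplicate the line.
add_user_dir() {
    line=$(tunable_line "$1")
    if ! grep -qxF -- "$line" "$LOCAL_TUNABLES" 2>/dev/null; then
        printf '%s\n' "$line" >> "$LOCAL_TUNABLES"
    fi
}

# Count how many extra directories the local file currently adds.
count_user_dirs() {
    [ -f "$LOCAL_TUNABLES" ] || { echo 0; return; }
    grep -cF -- "$TUNABLE +=" "$LOCAL_TUNABLES" || true
}

# Replace the loaded profile with the modified one (needs root and AppArmor).
reload_profile() {
    apparmor_parser -r "$PROFILE"
}

# Usage (hypothetical script name): sh extend-tb-dirs.sh '@{HOME}/Archives/'
if [ -n "${1:-}" ]; then
    add_user_dir "$1"
    reload_profile
fi
```

Because only the `local/tunables` file is touched, a later package upgrade that ships a new `usr.bin.thunderbird` profile does not conflict with the user's addition, which is the point made above about avoiding edits to the main profile.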