Allow users to override individual snap AppArmor profiles
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
snapd | Triaged | Wishlist | Unassigned |
Bug Description
It would be very useful if users (of snap'd applications) could modify the specific AppArmor profiles of those snaps, perhaps something along the lines of:

`#include /etc/apparmor.`

at the end of each snap profile.
One example use case is fine-tuning what individual snaps with, say, the home interface enabled, can really access, and in what way, in the user's home directory. Or narrowing down a generic profile, for instance blocking access to CUPS on systems with no printers.
For example, for non-snap'd Chromium and Firefox I block all access to any file inside ~/ except those minimally required to function (e.g. profile/cache dirs in ~/.config or ~/.local/...) and a select directory to read-write files transferred to and from the net. I also deny any execution inside directories that are writable.
At any rate, the idea is to allow easy customization of snap AppArmor policies by the user.
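An illustrative override fragment of the kind the report proposes, added here as an example and not taken from snapd or the reporter; the include mechanism, the snap it applies to and the CUPS socket path are assumptions:

```apparmor
# Illustrative local override for one snap's AppArmor profile, assumed to be
# pulled in by an "#include" at the end of the generated snap profile
# (the include path and snap are assumptions, not an existing snapd feature).
#
# AppArmor applies deny rules ahead of allow rules, so a fragment like this
# can only narrow the inherited policy. A blanket "deny @{HOME}/**" would
# also defeat any re-allow rule in the same profile, so the denies here are
# targeted rather than global.

# Keep the snap out of sensitive dotfiles even though the home interface
# grants broad access under @{HOME}.
deny @{HOME}/.ssh/** mrwklx,
deny @{HOME}/.gnupg/** mrwklx,

# No execution from locations the confined application can write to.
deny @{HOME}/Downloads/** x,
deny @{HOME}/.cache/** x,
deny /tmp/** x,
deny /var/tmp/** x,
deny /dev/shm/** x,

# No printing on a machine without printers (socket path assumed).
deny /run/cups/cups.sock rw,
```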
Changed in snapd:

Field | Change
---|---
importance | Undecided → Wishlist
status | New → Triaged