As per the discussion in https://irclogs.ubuntu.com/2024/07/09/%23ubuntu-security.txt
The recommendation from the security team is to not revert to the "flags=(unconfined)" profile if the profile is already confined. That means that we should only fix the multiarch issue.
Scarlett, you're right, just adding the variable @{multiarch} directly does not work in this case because, due to how the parser is currently implemented, @{multiarch} translates to *-linux-gnu* and the wildcard makes it conflict with the "/** pux," rule. That's the reason that it's hard-coded in the plasmashell profile as well. We are currently working on fixing it in the parser, but it's not available right now.
So for this case, we would have to add the other arch hard-coded too. Something like the following diff, for every architecture we want to support.
@@ -18,6 +18,7 @@
ptrace,
/usr/ lib/x86_ 64-linux- gnu/qt5/ libexec/ QtWebEngineProc ess cx -> &plasmashell/ /QtWebEnginePro cess, aarch64- linux-gnu/ qt5/libexec/ QtWebEngineProc ess cx -> &plasmashell/ /QtWebEnginePro cess,
+ /usr/lib/
/** pux,
/{,**} mrwlk,
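Review bot: the added aarch64-linux-gnu rule for QtWebEngineProcess has no comment explaining why the triplet is hard-coded instead of written as @{multiarch}. A one-line comment above the per-architecture cx rules, noting that @{multiarch} currently expands to a wildcard that conflicts with "/** pux,", would make it clear that these lines can be collapsed into a single @{multiarch} rule once the parser is fixed. The hunk also covers only x86_64 and aarch64, so every further architecture to be supported needs its own line with the same "cx -> &plasmashell//QtWebEngineProcess" target, placed alongside these two.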
Regarding dbus being denied, could you point those reports my way? I'm more than happy to help.