Comment 3 for bug 1773223

Colin Watson (cjwatson) wrote:

This is going to be a bit tricky.

The intent of the AppArmor confinement we do is to leave /usr/bin/man itself mostly unconfined, but apply rather stricter confinement to groff-related subprocesses and decompression filters. It's easy enough to allow /usr/bin/man itself to read from the network (although it seems unfortunate that network filesystems require this; that ought to be an implementation detail). However, at the moment we have to allow decompression filters to have filesystem read access because AppArmor revalidates inherited file descriptors (which also seems an unfortunate behaviour to me), and I really don't want to grant decompressors the ability to talk to the network.

What I think we need to do is to launder the input data through the internal equivalent of a "cat" pipe before sending it to the decompressor, just to stop AppArmor from doing its annoying revalidation thing (ideally we'd only do this if AppArmor confinement is in effect, but that's an optimisation and isn't required). It would then be possible to tweak the /usr/bin/man profile and fix this bug.
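The laundering described in the comment, shown as an added example rather than man-db's own code: the parent opens the file, a forked "cat" child copies its bytes into a pipe, and only after the parent has closed the file descriptor is the decompressor forked, so the decompressor inherits pipe ends and nothing else. The decompressor here is a toy run-length decoder standing in for gzip -dc (a real one would exec under the stricter profile, which is the point at which inherited descriptors would be revalidated); the function names, the sample file and its /tmp path are all hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
/* Added example, not man-db code: launder a file through an in-process "cat"
 * pipe so a confined decompressor child never inherits the file descriptor. */
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The internal "cat": copy every byte from src to dst. Returns 0 on success. */
static int copy_fd(int src, int dst)
{
    char buf[4096];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0)
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(dst, buf + off, (size_t)(n - off));
            if (w < 0)
                return -1;
            off += w;
        }
    return n < 0 ? -1 : 0;
}

/* Toy "decompressor" standing in for gzip -dc: "3a2b" decodes to "aaabb".
 * Like a real filter it reads only from its input fd. */
static int toy_decode(int in, int out)
{
    char buf[4096];
    size_t len = 0;
    ssize_t n = 0;
    while (len < sizeof buf && (n = read(in, buf + len, sizeof buf - len)) > 0)
        len += (size_t)n;
    if (n < 0 || len % 2 != 0)
        return -1;
    for (size_t i = 0; i < len; i += 2) {
        if (!isdigit((unsigned char)buf[i]))
            return -1;
        for (int k = buf[i] - '0'; k > 0; k--)
            if (write(out, &buf[i + 1], 1) != 1)
                return -1;
    }
    return 0;
}

/* 0 only if pid exited with status 0. */
static int wait_ok(pid_t pid)
{
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Decode the file at path into out (NUL-terminated, at most outlen-1 bytes).
 * Returns the decoded length, or -1 on any failure, including truncation.
 * Only the parent (the mostly unconfined man process, in the real case) and the
 * "cat" child ever hold the file descriptor; the decompressor is forked after
 * the parent has closed it, so there is no file descriptor for AppArmor to
 * revalidate when that child execs into the stricter decompressor profile. */
ssize_t decompress_laundered(const char *path, char *out, size_t outlen)
{
    int raw[2], decoded[2];
    int file = open(path, O_RDONLY);
    if (file < 0)
        return -1;
    fcntl(file, F_SETFD, FD_CLOEXEC); /* and never let it survive an exec either */
    if (pipe(raw) < 0) {
        close(file);
        return -1;
    }
    if (pipe(decoded) < 0) {
        close(file); close(raw[0]); close(raw[1]);
        return -1;
    }
    pid_t cat = fork();
    if (cat == 0) { /* "cat" child: file -> raw pipe */
        close(raw[0]); close(decoded[0]); close(decoded[1]);
        _exit(copy_fd(file, raw[1]) == 0 ? 0 : 1);
    }
    close(file); /* parent drops the file fd before the decompressor exists */
    if (cat < 0) {
        close(raw[0]); close(raw[1]); close(decoded[0]); close(decoded[1]);
        return -1;
    }
    pid_t dec = fork();
    if (dec == 0) { /* decompressor child: raw pipe -> decoded pipe, no file fd */
        close(raw[1]); close(decoded[0]);
        _exit(toy_decode(raw[0], decoded[1]) == 0 ? 0 : 1);
    }
    close(raw[0]); close(raw[1]); close(decoded[1]);
    if (dec < 0) {
        close(decoded[0]); wait_ok(cat);
        return -1;
    }
    size_t got = 0;
    ssize_t n = 0;
    while (got < outlen - 1 && (n = read(decoded[0], out + got, outlen - 1 - got)) > 0)
        got += (size_t)n;
    out[got] = '\0';
    close(decoded[0]); /* a still-writing child now fails, surfacing truncation */
    int ok = wait_ok(cat) == 0 && wait_ok(dec) == 0 && n >= 0;
    return ok ? (ssize_t)got : -1;
}

/* Writes a constructed run-length "compressed" sample to a temp file (hypothetical path). */
const char *write_sample(const char *contents)
{
    static char path[] = "/tmp/laundered-XXXXXX";
    memcpy(path, "/tmp/laundered-XXXXXX", sizeof path);
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, contents, strlen(contents)) != (ssize_t)strlen(contents))
        return NULL;
    close(fd);
    return path;
}

int main(void)
{
    const char *path = write_sample("3a2b1c");
    char out[64];
    if (!path || decompress_laundered(path, out, sizeof out) < 0)
        return 1;
    printf("%s\n", out); /* aaabbc */
    unlink(path);
    return 0;
}
```

The ordering of close(file) relative to the second fork is the whole trick: fork copies the descriptor table, so a decompressor forked while the parent still held the file would inherit it regardless of whether it ever read from it. Closing first (and marking the descriptor close-on-exec as a backstop) is what lets a decompressor profile omit filesystem and network rules for wherever the manual page lives.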