Alex
Alex
Nice work, I will have a look at it... (and take inspiration too...) Btw, you might have seen, they have been some progress regarding dbus rules...
Well. `@{MOUNTS}` is already `@{MOUNTDIRS}/*/` and `@{MOUNTDIRS}` is `/media/ @{run}/media/ /mnt/`. This has been done to handle this kind of setup. I guess here we need something like `@{MOUNTS}=@{MOUNTDIRS}/*{,/*}/`
I am still working on the formalization of the threat model. However, I presented a wide overview of the security model at my talk at the LSS (see slide 6...
> Any unfiltered access to IPC services like dbus, X11 or write permissions in @HOME (with access to configuration files). Terminal device files are also an issue. I'm certain there...
Regarding you **POC**, this is a concern, obviously. However: - The only real solution is not to use Xorg any more, and it has nothing to do with apparmor. As...
> A possible solution could be to allow only connections to the wayland socket and to block xwayland when it is not absolutely required. (which would remove support for all...
Can you provide the result of `aa-log nautilus` (you might need sudo, depending of your setup)
Regardless of the AppArmor mode (complain or enforced) if AppArmor block something that will be present in the log (`/var/log/audit/audit.log`). Can you ensure you have [audit](https://wiki.archlinux.org/title/Audit_framework) installed and enabled?
Thanks. That help. It seems your audit log is getting a lot of stuff from AA. If they are different from the first one, can you also provide the result...
The issue with gvfs should be fixed now. So AA should complain far less. This will allow you to actually see the relevant error messages.