Merge add element-desktop unconfined profile

element-desktop needs to use user namespaces, hence it needs an unconfined profile when user namespaces are restricted from unconfined like other applications in MR #1123 !1123 In addition this serves as a handle to uniquely identify them instead of unconfined to peers in policy. Note that unconfined mode should be changed for default_allow when !1109 is merged. MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/1150 Approved-by: Georgia Garcia <georgia.garcia@canonical.com> Merged-by: Georgia Garcia <georgia.garcia@canonical.com>
2025-08-31 06:16:03 +00:00 · 2024-02-20 12:38:27 +00:00
parent ca3afe1691 fd25954c56
commit 32bba24468
1 changed files with 12 additions and 0 deletions
--- a/profiles/apparmor.d/element-desktop
+++ b/profiles/apparmor.d/element-desktop
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile element-desktop /opt/Element/element-desktop flags=(unconfined) {
+  userns,
+
+# Site-specific additions and overrides. See local/README for details.
+  include if exists <local/element-desktop>
+}