-
intrigeri authored
Use aliases so that our AppArmor policy applies to /lib/live/mount/overlay/ and /lib/live/mount/rootfs/filesystem.squashfs/ as well as to it applies to /. That's something I wanted to avoid initially, for various reasons that are explained already in [[contribute/design/application_isolation]]. However, now that /lib/live/mount/overlay/ is accessible, I see no better way to protect files accessed via this path as well as the same files accessed by "normal" paths. These changes are likely to increase policy compilation time a bit, benchmarking will tell. If that's too severe a problem, we have a few potential ways out, that are already documented in the "Increased policy compilation time" section of the aforementioned piece of design doc.
6e48b6d6