Prevent spawning Unsafe Browser from main apps
As per !956 (comment 198972), some apps (LibreOffice for sure; Thunderbird has not been tested) can spawn Unsafe Browser. This is a security problem that can lead to deanonymization, e.g. via the accessibility bus (if enabled).
Improving the AppArmor profile should be enough.
But we've thought of a more elegant and possibly more maintainable approach on !989. The latest plan there is an allow-list approach that does not need AppArmor 3.0, is safe against PID cycles, and does not require hardening the AppArmor profiles of risky apps:
- Scrap most of the !989 branch
- Run GNOME Shell and TCA portal under almost-dummy AppArmor profiles that:
  - allow everything
  - when executing Unsafe Browser, transition to a specific AppArmor profile (not the one it would get by default if I started Unsafe Browser in a Terminal)
- Unsafe Browser script: abort unless running under this specific AppArmor profile
- AppArmor policy: by default, don't apply any profile to the Unsafe Browser
- Only root can run a program under an AppArmor profile of their choice, so this should be safe.
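As an added example (not Tails' own code), here is how the two halves of that plan fit together: an AppArmor policy sketch in the comment, and the gate the Unsafe Browser script would run before anything else. The profile names `gnome_shell` and `unsafe_browser_launcher` and the script path are assumptions.

```shell
#!/bin/sh
# Added example (not Tails' own code): the allow-list gate from the plan above.
# Profile names and paths below are assumptions made for this sketch.
# AppArmor side (sketch, kept with the rest of the policy):
#
#   profile gnome_shell /usr/bin/gnome-shell {
#     # "almost-dummy": whatever GNOME Shell needs (rules elided) ...
#     # ... but launching Unsafe Browser transitions to a dedicated profile
#     /usr/local/sbin/unsafe-browser px -> unsafe_browser_launcher,
#   }
#   # Named profile with no attachment path: nothing is confined by it
#   # unless an explicit px transition lands here (so a Terminal launch
#   # of the script stays unconfined and the gate below rejects it).
#   profile unsafe_browser_launcher {
#     # whatever the launcher needs (rules elided)
#   }
# Script side: the gate at the top of the Unsafe Browser script.

EXPECTED_PROFILE="unsafe_browser_launcher"

# Print the confinement label of this shell, e.g. "unconfined" or
# "unsafe_browser_launcher (enforce)". Uses the read builtin so no
# child process is involved.
current_apparmor_label() {
    _f=/proc/self/attr/apparmor/current
    [ -r "$_f" ] || _f=/proc/self/attr/current
    read -r _label < "$_f" || [ -n "$_label" ] || return 1
    printf '%s\n' "$_label"
}

# label_matches LABEL PROFILE: succeed only when LABEL is PROFILE in
# enforce mode. Complain mode is rejected on purpose: then the launcher
# profile is only logging, not confining.
label_matches() {
    case "$1" in
        "$2 (enforce)") return 0 ;;
        *) return 1 ;;
    esac
}

# require_apparmor_profile [LABEL]: fail unless running under
# EXPECTED_PROFILE. LABEL defaults to the live value (parameter is for tests).
require_apparmor_profile() {
    _label="${1:-$(current_apparmor_label 2>/dev/null || echo unconfined)}"
    if ! label_matches "$_label" "$EXPECTED_PROFILE"; then
        echo "unsafe-browser: refusing to start: confinement is '$_label'," \
             "expected '$EXPECTED_PROFILE (enforce)'" >&2
        return 1
    fi
}
```

The script would call `require_apparmor_profile || exit 1` first thing; the kernel-enforced `px` transition is what makes the label trustworthy, the script only checks it.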