On 03.12.2017 02:57, Ben Caradoc-Davies wrote:
On 02/12/17 23:43, Alexander V. Makartsev wrote:
Now, when I hit this buggy profile problem, I'm thinking about how to
deal with these problems in the future for other applications.
After consulting the AppArmor manual I have not found any reference about
how to override an AppArmor profile.
All profiles are placed in "/etc/apparmor.d/" and that is it, so the
only options are to either disable the misbehaving AppArmor profile or modify
it, which is a bad option because this is a package-shipped profile.
For example, systemd unit-files could be easily overridden without
resorting to modification of package-shipped unit-files.
Is this possible for AppArmor?

Yes, there is aa-complain in the apparmor-utils package, but this was itself buggy when I used it for thunderbird:

If I understood this correctly, aa-complain will only switch the profile to "complain mode" (log, but don't block). This is effectively the same as disabling the profile, which is not a good solution.
"aa-complain" is useful for debugging and writing my own profiles, but it won't be as useful when a partially broken profile comes from a package, because any user modifications will be overwritten after package updates.

