Diffstat (limited to 'wiki/src/contribute/design/application_isolation.mdwn')
-rw-r--r--  wiki/src/contribute/design/application_isolation.mdwn  15
1 files changed, 14 insertions, 1 deletions
diff --git a/wiki/src/contribute/design/application_isolation.mdwn b/wiki/src/contribute/design/application_isolation.mdwn
index d8331de..fffe0c5 100644
--- a/wiki/src/contribute/design/application_isolation.mdwn
+++ b/wiki/src/contribute/design/application_isolation.mdwn
@@ -58,7 +58,20 @@ between an access to the upper layer, and an access to the loop-backed
underlying layer.
So, we have to adjust profiles a bit to make them support the paths
-that are actually seen by AppArmor in the context of Tails:
+that are actually seen by AppArmor in the context of Tails.
+
+First, we are using a couple of
+[aliases](http://wiki.apparmor.net/index.php/AppArmor_Core_Policy_Reference#Alias_and_rewrite_rules)
+so that rules applying to "normal" paths (e.g.
+`/home/amnesia/.gnupg/`) also apply to Debian Live -specific paths,
+such as `/lib/live/mount/overlay/home/amnesia/.gnupg/`. And, to avoid
+subsequent problems with overlapping rules, and to mitigate the
+increased policy compilation time (see details below), we also patch
+some some very broad rules to make them _not_ apply to `/lib/live/*`.
+All these changes live in
+[[!tails_gitweb config/chroot_local-patches/apparmor-aliases.diff]].
+
+Second, few more targeted adjustments are also applied:
* [[!tails_gitweb config/chroot_local-includes/etc/apparmor.d/tunables/home.d/tails]]
* [[!tails_gitweb config/chroot_local-patches/apparmor-adjust-pidgin-profile.diff]]
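Review bot: the added paragraph has a doubled word in "we also patch some some very broad rules" and the second paragraph drops an article ("Second, few more targeted adjustments" should read "Second, a few more targeted adjustments"); "Debian Live -specific" should be "Debian Live-specific". The text also points at "(see details below)" for the policy compilation time impact, but nothing in this hunk carries that explanation, so either the section that discusses compilation time should be part of this change or the forward reference should name it explicitly. Since the aliases are the central mechanism here, the design page would read better if it quoted one rule inline instead of only linking to the patch, in the AppArmor alias syntax the linked reference documents, e.g. `alias /home/ -> /lib/live/mount/overlay/home/,`, so a reader can see why the `/lib/live/*` exclusion is then needed to avoid overlapping rules.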