[PATCH] apparmor: Add support for local profile customizations

Andrea Bolognani abologna at redhat.com
Thu Jun 22 14:50:41 UTC 2023


On Thu, Jun 08, 2023 at 10:37:43AM -0600, Jim Fehlig wrote:
> On 6/8/23 08:11, Andrea Bolognani wrote:
> > Note that the Debian package has included this patch[1] for many
> > years, and while it partially overlaps with what you've added here, I
> > see that local overrides for abstractions are missing.
> >
> > Is there a specific reason why you skipped them? Or should we add
> > those too?
>
> I assumed users would make VM customizations in the per-VM profiles. And I
> suppose overrides of abstractions seem a little odd to me, but that's
> subjective :-). I'm fine adding it if there's agreement.

The per-VM profile is generated at runtime based on the template, no?
AFAIK there is no way for the admin to inject changes that affect a
single VM, but I could be wrong about this.

Anyway, there might be some changes that are local only but apply to
all VMs, and allowing overrides to the abstractions would cater to
that use case, so it makes sense to me to implement those as well.

Do you mind cooking up a patch so that we can have the whole shebang
included in the upcoming release? Thanks in advance!

-- 
Andrea Bolognani / Red Hat / Virtualization


