[PATCH] apparmor: Add support for local profile customizations
Jim Fehlig
jfehlig at suse.com
Mon Jun 26 15:42:32 UTC 2023
On 6/26/23 03:52, Andrea Bolognani wrote:
> On Fri, Jun 23, 2023 at 11:31:04AM -0600, Jim Fehlig wrote:
>> On 6/23/23 07:11, Andrea Bolognani wrote:
>>> However, not only you've added a few such statements in your recent
>>> commit 9b743ee19053, but I myself have done the same a couple months
>>> back with commit 7a39b04d683f, as part of enabling passt support. So
>>> in a way we've already started depending on AppArmor 3.0, in open
>>> contrast with our platform support policy.
>>>
>>> I'm quite unclear on the best way forward :(
>>
>> I'd prefer to defer support for local customizations of abstractions until
>> upstream libvirt can support apparmor >= 3.0. In the meantime commit
>> 9b743ee19053 can be changed to 'include <local/foo>' since we provide
>> local/foo. We'd need to drop the include entirely from your commit, and
>> again defer until upstream supports apparmor >= 3.0.
>
> The problem is that passt support won't work if the abstraction is
> not included, and we can't make the include unconditional in that
> case. So we'd effectively have to wait two more years to make passt
> work with AppArmor, which I don't think is acceptable.
>
> My best idea at the moment is to make a second copy of the AppArmor
> profiles targeting 2.x specifically, with a reduced feature set: no
> passt, no local overrides for abstractions. At build time, we can
> decide which version of the profiles to install based on the AppArmor
> version detected on the system.
Specifying which copy to use via a build time option is also an option :-).
Does your idea include preserving commit 9b743ee19053 and adjusting the 'include
if exists' to 'include'?
> It wouldn't be pretty, but it would get us out of the current
> situation without modern distros having to sacrifice anything and
> without causing issues for older distros. In two years, we can drop
> the additional stuff and go back to a more sane state.
>
> What do you think?
As you say, it's not pretty, but I don't have any better ideas. Perhaps
Christian B. can give us some hints towards a nicer solution.
@cboltz: if needed there's a bit more context a few messages up the thread
https://listman.redhat.com/archives/libvir-list/2023-June/240424.html
Regards,
Jim
More information about the libvir-list
mailing list