[PATCH] apparmor: Add support for local profile customizations
Andrea Bolognani
abologna at redhat.com
Fri Jun 23 13:11:31 UTC 2023
On Thu, Jun 22, 2023 at 03:03:56PM -0600, Jim Fehlig wrote:
> On 6/22/23 11:08, Jim Fehlig wrote:
> > On 6/22/23 08:50, Andrea Bolognani wrote:
> > > On Thu, Jun 08, 2023 at 10:37:43AM -0600, Jim Fehlig wrote:
> > > > I assumed users would make VM customizations in the per-VM profiles. And I
> > > > suppose overrides of abstractions seems a little odd to me, but that's
> > > > subjective :-). I'm fine adding it if there's agreement.
> > >
> > > The per-VM profile is generated at runtime based on the template, no?
> > > AFAIK there is no way for the admin to inject changes that affect a
> > > single VM, but I could be wrong about this.
> >
> > The per-VM profile is only generated once, right? So in theory admins
> > could amend existing per-VM profiles with custom config.
>
> While working on this I noticed there is no
> /etc/apparmor.d/local/abstractions directory on SUSE-based distros. A lot of
> packages put files in /etc/apparmor.d/local, but I couldn't find any adding
> files to /etc/apparmor.d/local/abstractions. Nor could I find any apparmor
> documentation regarding the use of that directory. Do you know if it's
> common practice? Or is that Debian patch the only prior art?
In Debian, the directory and the files within it are created as part
of the 'postinst' maintainer script. This makes some amount of sense,
as having these files managed by the package manager would kinda
defeat the purpose.
Unfortunately, it also makes it way harder to figure out whether any
packages in the archive besides libvirt are implementing this
pattern :(
I've come away empty-handed from my attempts, but I have also found a
number of references[1] to libvirt's local abstractions overrides in
other project's code and documentation, which IMO validates the idea
that such a feature is indeed useful and should be available to all
distros that use AppArmor, not just the Debian-based ones.
That said, I've also found a comment in a somewhat recent Debian
bug[2] that explains how support for this pattern comes
out-of-the-box with AppArmor 3.0, with the caveat that it expects
abstractions/foo.d/bar instead of local/abstractions/foo. Easy enough
to adopt for upstream/SUSE, though Debian will have to consider how
to carefully migrate things.
The catch is that apparently the "include if exists" statement
doesn't work well before 3.0, and our support matrix will include
distros that are still on AppArmor 2.x for a couple more years :(
However, not only you've added a few such statements in your recent
commit 9b743ee19053, but I myself have done the same a couple months
back with commit 7a39b04d683f, as part of enabling passt support. So
in a way we've already started depending on AppArmor 3.0, in open
contrast with our platform support policy.
I'm quite unclear on the best way forward :(
[1] https://github.com/search?q=%2Fetc%2Fapparmor.d%2Flocal%2Fabstractions%2F&type=code&p=2
[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979500#10
--
Andrea Bolognani / Red Hat / Virtualization
More information about the libvir-list
mailing list