On 2017-11-24 02:58 AM, intrigeri wrote:
> Simon Deziel:
>> On Tue, 21 Nov 2017 14:58:38 +0000 George Dunlap <dunl...@umich.edu> wrote:
>>> Not sure how the AppArmor stuff works -- would it be possible to
>>> restrict the profile directory *after* reading profile.ini, so you
>>> know where the actual profile lives?
>
>> That would certainly be a good idea but would require upstream efforts
>> to support Apparmor properly.
>
> Right. libvirt-daemon does exactly that, but note that loading
> AppArmor policy into the kernel requires root.

Right, I was thinking of hat changing or switching to a child profile but that's wrong because it would be an entirely new profile tailored to the profile.ini. Thanks for the clarification.