Hi Christian,

Christian Brauner:
> Did you backport the new config keys as well?
> If so we can't carry that version upstream.
> Since this would be a feature release.
> If you only backported the internal profile changes then we can
> carry it upstream and you should send your patch.
I've backported e6ec0a9, e7311a84 and 1800f92. This indeed includes the copy of lxd's apparmor profile generation and thus the new config keys. I *think* I've initially tried backporting only the policy changes but that was not sufficient. But I might have skipped this step, I can't recall.

Last time I worked on this I did not bother sending backported patches upstream for 3.0.x, because on the "[apparmor] LXC + AppArmor vs. upcoming systemd v240" thread, you said it was doable to release the branch that already has this code as stable soon. But I understand this is now unlikely, so indeed, *if* the profile changes are sufficient, it would be nice to have 3.0.4 include them.

I'm afraid I probably won't have time this month to work on this again. So ideally, someone else would try whether the policy changes are enough to fix this bug, and then propose the corresponding backported patch upstream. Or the Debian LXC maintainers "just" (sic) apply my 3 backported patches. Or we disable AppArmor support for LXC in Buster (not a regression vs. Stretch but pretty sad).

Cheers!
-- 
intrigeri