On 6/22/23 11:08, Jim Fehlig wrote:
> On 6/22/23 08:50, Andrea Bolognani wrote:
>> On Thu, Jun 08, 2023 at 10:37:43AM -0600, Jim Fehlig wrote:
>>> On 6/8/23 08:11, Andrea Bolognani wrote:
>>>> Note that the Debian package has included this patch[1] for many
>>>> years, and while it partially overlaps with what you've added here, I
>>>> see that local overrides for abstractions are missing.
>>>>
>>>> Is there a specific reason why you skipped them? Or should we add
>>>> those too?
>>>
>>> I assumed users would make VM customizations in the per-VM profiles. And I
>>> suppose overrides of abstractions seems a little odd to me, but that's
>>> subjective :-). I'm fine adding it if there's agreement.
>>
>> The per-VM profile is generated at runtime based on the template, no?
>> AFAIK there is no way for the admin to inject changes that affect a
>> single VM, but I could be wrong about this.
>
> The per-VM profile is only generated once, right? So in theory admins could
> amend existing per-VM profiles with custom config.
>
>> Anyway, there might be some changes that are local only but apply to
>> all VMs, and allowing overrides to the abstractions would cater to
>> that use case, so it makes sense to me to implement those as well.
>> Do you mind cooking up a patch so that we can have the whole sha-bang
>> included in the upcoming release? Thanks in advance!
>
> I should have time to do that today.

While working on this I noticed there is no /etc/apparmor.d/local/abstractions
directory on SUSE-based distros. A lot of packages put files in
/etc/apparmor.d/local, but I couldn't find any adding files to
/etc/apparmor.d/local/abstractions. Nor could I find any apparmor documentation
regarding the use of that directory. Do you know if it's common practice? Or is
that Debian patch the only prior art?

I can continue working on the patch, but I'm not sure I want it downstream and
will likely revert it anyway.

Regards,
Jim