On Wed, Jun 28, 2023 at 05:15:26PM -0600, Jim Fehlig wrote:
> This is a stab at a V2 of
>
> https://listman.redhat.com/archives/libvir-list/2023-June/240219.html
>
> That patch was ACKed and committed, but reverted before the 9.5.0 release
> since it could be problematic with older apparmor 2.x versions still
> supported by libvirt.
>
> Andrea suggested copies of the profiles for apparmor 2.x and 3.x. This
> series takes that approach, with patch 1 making an identical copy of the
> src/security/apparmor directory. Patches 2 and 3 then adjust the profiles
> accordingly.
>
> My approach to copying the existing directory does introduce some duplicate
> files in the tree, but otherwise it's minimally disruptive and will be easy
> to rip out when upstream libvirt no longer needs to support apparmor 2.x.
>
> FYI, so far I've only tested with apparmor 3.x, but I did push the changes
> to my fork with CI enabled
>
> https://gitlab.com/jfehlig/libvirt/-/pipelines/915347878
>
> Thanks for comments/suggestions!
>
> Jim Fehlig (3):
>   apparmor: Create version specific apparmor profiles
>   apparmor: Remove support for passt from apparmor 2.x
>   apparmor: Add support for local profile customizations

I'm not a fan of this approach. It introduces a lot of duplication for
what are ultimately just a dozen or so lines that need to be different
between the 2.x and 3.x profiles; most importantly, I'm very concerned
about the two copies accidentally drifting apart over the ~2 years that
separate us from the joyous day when we can finally stop caring about
2.x.

Please have a look at my attempt:

https://listman.redhat.com/archives/libvir-list/2023-June/240544.html

--
Andrea Bolognani / Red Hat / Virtualization