Re: [PATCH] apparmor: Add support for local profile customizations

2023-06-29 Thread Christian Boltz
Hello, On Tuesday, 27 June 2023, 18:49:04 CEST, Andrea Bolognani wrote: > On Mon, Jun 26, 2023 at 10:46:40PM +0200, Christian Boltz wrote: [...] > > See above - IMHO the current upstream behaviour is not perfect, and > > will hopefully change to not creating the local/ files by

Re: [PATCH V2 0/3] apparmor: Add support for local profile customizations

2023-06-29 Thread Christian Boltz
5 apparmor.d for details. (Since this is unrelated to local/, adding the abi lines should probably be a separate patch.) Regards, Christian Boltz [1] unrelated to AppArmor -- File Not Found. Loading something that looks similar

Re: [PATCH] apparmor: Add support for local profile customizations

2023-06-26 Thread Christian Boltz
stream > AppArmor does for its own profiles and abstractions. See above - IMHO the current upstream behaviour is not perfect, and will hopefully change to not creating the local/ files by default in 4.0. Regards, Christian Boltz -- Social Media News: Instagram is down Science News: Scienti

Re: [PATCH V3 1/2] Apparmor: Add profile for virtqemud

2021-06-25 Thread Christian Boltz
set=term (keeping the parentheses for consistency with other rules is also fine) There are several signal rules with superfluous quotes in this patch, and also one in the 2/2 patch. (There's no need to re-send the patch for such a minor change IMHO.) Regards, Christian Boltz -- I

Re: [PATCH V2 0/4] Apparmor: Add profiles for hypervisor daemons

2021-06-23 Thread Christian Boltz
and Ubuntu kernels support all rule types. Older AppArmor versions will ignore the abi line. Adding the abi rule might mean that you'll have to add some network, dbus or unix rules to the profiles, therefore please do some testing instead of blindly adding the abi rule ;-) Regards, Christia

Re: [PATCH 0/3] Apparmor: Add profiles for hypervisor daemons

2021-06-17 Thread Christian Boltz
rt_leaseshelper child profile and abstractions/nameservice have /etc/libnl-3/classid r, Note the slightly different path, git blame says it's a Debian path added to the profile in 2016. (I don't remember any denial for /etc/libnl/classid on openSUSE, therefore I'm not sure if we sh

Re: [PATCH 1/3] Apparmor: Add profile for virtqemud

2021-06-17 Thread Christian Boltz
bility ipc_lock, > + capability sys_rawio, > + capability bpf, > + capability perfmon, > + > + # Needed for vfio > + capability sys_resource, [...] Just wondering - do the new profiles (in all 3 patches) really need all the capabilities and the other broad rules? (See my 0/3
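
Review bot: in the visible lines of the quoted virtqemud hunk, only `capability sys_resource` carries a justification (`# Needed for vfio`); `capability sys_rawio`, `capability bpf` and `capability perfmon` are granted with no comment saying which daemon feature needs them. Suggest adding a one-line comment above each of these naming the code path that requires it, and dropping any that no code path can be named for, so the profile stays least-privilege and later reviewers can tell which grants are still needed.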