Re: [PATCH] apparmor: Add support for local profile customizations

On Tue, Jun 06, 2023 at 04:06:12PM -0600, Jim Fehlig wrote: > Apparmor profiles in /etc/apparmor.d/ are config files that can and should > be replaced on package upgrade, which introduces the potential to overwrite > any local changes. Apparmor supports local profile customizations via > /etc/apparmor.d/local/<service> [1]. > > This change makes the support explicit by adding libvirtd, virtqemud, and > virtxend profile customization stubs to /etc/apparmor.d/local/. The stubs > are conditionally included by the corresponding main profiles. > > [1] https://ubuntu.com/server/docs/security-apparmor > See "Profile customization" section > > Signed-off-by: Jim Fehlig <jfehlig(a)suse.com&gt; > --- > > This patch was inspired by an internal bug report. The SUSE libvirt package > has marked /etc/apparmor.d/<some-libvirt-service> profiles as > 'config(noreplace)' for as long as I can remember. On rare occasions a > profile receives a change that is required to avoid regression. And on rarer > occasions a user might have made local customizations to the profile. With > 'noreplace', the trap is set for the user to experience the regression. > > Unless other apparmor users convince me otherwise, I'm planning to make > this change in the SUSE package, along with changing the main > /etc/apparmor.d/ profiles to 'config' and using 'config(noreplace)' for the > local customizations only. > > Note: I'm fine keeping this as a downstream-only patch if upstream isn't > interested in the clutter. I think this is a good change. Note that the Debian package has included this patch[1] for many years, and while it partially overlaps with what you've added here, I see that local overrides for abstractions are missing. Is there a specific reason why you skipped them? Or should we add those too?