Re: [PATCH] apparmor: Add support for local profile customizations
On 6/26/23 14:46, Christian Boltz wrote:
[Please CC me, I'm not subscribed to the mailinglist]
Hello,
regarding the initial patch in this thread: The patch looks good and
should go upstream IMHO. (Maybe except creating the dummy local/* files
for AppArmor 3.x - see below for details.)
A note about what you mentioned in the patch comment:
If someone uses aa-logprof to update a profile, it will modify the
profile, _not_ the local/ file. (Changing that is on the TODO list, but so
far nobody did it.)
Therefore I'm not sure if switching from %config(noreplace) to %config is
a good idea.
Hmm. The impetus for that change was a scenario where a new rule in the libvirtd
profile was needed for correct VM operation, but the updated profile was not
replaced due to local edits. It seems either approach will eventually result in
bug reports :-(.
Regards,
Jim