On 6/22/23 11:08, Jim Fehlig wrote:
On 6/22/23 08:50, Andrea Bolognani wrote:
> On Thu, Jun 08, 2023 at 10:37:43AM -0600, Jim Fehlig wrote:
>> On 6/8/23 08:11, Andrea Bolognani wrote:
>>> Note that the Debian package has included this patch[1] for many
>>> years, and while it partially overlaps with what you've added here, I
>>> see that local overrides for abstractions are missing.
>>>
>>> Is there a specific reason why you skipped them? Or should we add
>>> those too?
>>
>> I assumed users would make VM customizations in the per-VM profiles. And I
>> suppose overrides of abstractions seem a little odd to me, but that's
>> subjective :-). I'm fine adding it if there's agreement.
>
> The per-VM profile is generated at runtime based on the template, no?
> AFAIK there is no way for the admin to inject changes that affect a
> single VM, but I could be wrong about this.

The per-VM profile is only generated once, right? So in theory admins could
amend existing per-VM profiles with custom config.

> Anyway, there might be some changes that are local only but apply to
> all VMs, and allowing overrides to the abstractions would cater to
> that use case, so it makes sense to me to implement those as well.
>
> Do you mind cooking up a patch so that we can have the whole sha-bang
> included in the upcoming release? Thanks in advance!

I should have time to do that today.

While working on this I noticed there is no /etc/apparmor.d/local/abstractions
directory on SUSE-based distros. A lot of packages put files in
/etc/apparmor.d/local, but I couldn't find any adding files to
/etc/apparmor.d/local/abstractions. Nor could I find any apparmor documentation
regarding the use of that directory. Do you know if it's common practice? Or is
that Debian patch the only prior art?

I can continue working on the patch, but I'm not sure I want it downstream and
will likely revert it anyway.

Regards,
Jim