Hi, Cédric Bosdonnat:
This commit helps users allowing access to their images by adding their own rules in apparmor.d/local/usr.lib.libvirt.virt-aa-helper. […] profile virt-aa-helper /usr/{lib,lib64}/libvirt/virt-aa-helper { #include <abstractions/base> + #include <local/usr.lib.libvirt.virt-aa-helper>
The packaging helper we use in Debian adds exactly the same line at the *end* of the profile (and actually, at the end of almost every AppArmor profile included in Debian and derivatives); I don't know why it's added at the end and not at the beginning. I suspect Jamie will know better. If there's no strong reason to add this line in the beginning of the profile, I suggest we add it at the end instead, so we avoid changing behaviour subtly once this gets merged upstream and we drop the Debian-specific line. Other than this, ACK from me on the proposed profile modifications. I am not well placed to comment on the build system changes though. Cheers!