Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

On Wed, Oct 01, 2014 at 10:30:58AM +0200, Stefan Bader wrote: > This had been on the Debian package list before but its time to take > this onwards. So the goal would be to have one set to rule them all > (when using apparmor) and drop the seperate set of definitions which > exist at least in the Ubuntu packaging. > > Right now the patch would be at a state which adds all missing files > and rules to the current examples in libvirt and installs them when > using --with-apparmor-profiles. > > One problem seems to be that some of the definitions might cause > parse failures on certain versions of apparmor. I checked this morning > and this looks a bit hairy. So some apparmor 2.8 versions potentially > have issues, but not all apparmor 2.8 are the same (gah). What versions of apparmour are present in the currently supported versions of Debian & Ubuntu ?

> I could imagine (but John, we really could use some guidance here ;)) > that at least some changes could be related to version 2.8.95~2430: > > + debian/patches/mediate-signals.patch, > debian/patches/change-signal-syntax.patch: Parse signal rules with > apparmor_parser. See the apparmor.d(5) man page for syntax details. > + debian/patches/change-ptrace-syntax.patch, > debian/patches/mediate-ptrace.patch: Parse ptrace rules with > apparmor_parser. See the apparmor.d(5) man page for syntax details. > > But, regardless of the when, the apparmor rules maybe need a way to handle > versioned features of the parser. One proposal was to comment out problematic > rules and allow the packager to re-enable things. Maybe going one step > further and have some pre-processing that handles version based sections > (like #if (APPARMOR_VERSION >= xxx)). I think it would be pretty reasonable to rename the files in have '.in' suffixes, and then have a build script that expands 'if APPARMOR_VERSION' conditionals to generate the final file. Regards, Daniel