On 6/29/23 07:21, Andrea Bolognani wrote:
> On Wed, Jun 28, 2023 at 05:15:26PM -0600, Jim Fehlig wrote:
>> This is a stab at a V2 of
>>
>> https://listman.redhat.com/archives/libvir-list/2023-June/240219.html
>>
>> That patch was ACKed and committed, but reverted before the 9.5.0 release
>> since it could be problematic with older apparmor 2.x versions still
>> supported by libvirt.
>>
>> Andrea suggested copies of the profiles for apparmor 2.x and 3.x. This
>> series takes that approach, with patch 1 making an identical copy of the
>> src/security/apparmor directory. Patches 2 and 3 then adjust the profiles
>> accordingly.
>>
>> My approach to copying the existing directory does introduce some duplicate
>> files in the tree, but otherwise it's minimally disruptive and will be easy
>> to rip out when upstream libvirt no longer needs to support apparmor 2.x.
>>
>> FYI, so far I've only tested with apparmor 3.x, but I did push the changes
>> to my fork with CI enabled
>>
>> https://gitlab.com/jfehlig/libvirt/-/pipelines/915347878
>>
>> Thanks for comments/suggestions!
>>
>> Jim Fehlig (3):
>>   apparmor: Create version specific apparmor profiles
>>   apparmor: Remove support for passt from apparmor 2.x
>>   apparmor: Add support for local profile customizations
>
> I'm not a fan of this approach. It introduces a lot of duplication
> for what are ultimately just a dozen or so lines that need to be
> different between the 2.x and 3.x profiles; most importantly, I'm
> very concerned about the two copies accidentally drifting apart over
> the ~2 years that separate us from the joyous day when we can finally
> stop caring about 2.x.
>
> Please have a look at my attempt:
>
> https://listman.redhat.com/archives/libvir-list/2023-June/240544.html

I was going down the same path until I thought of the more brute force approach,
which I admit to be fond of due to ease of ripping out the 2.x stuff when no
longer needed. But yeah, two copies of the profiles is not nice.

I'll take a closer look at your patches now.

Regards,
Jim