Re: [libvirt] [PATCH/RFC] Add missing delta from Ubuntu to apparmor profiles

This had been on the Debian package list before but its time to take this onwards. So the goal would be to have one set to rule them all (when using apparmor) and drop the seperate set of definitions which exist at least in the Ubuntu packaging. Right now the patch would be at a state which adds all missing files and rules to the current examples in libvirt and installs them when using --with-apparmor-profiles. One problem seems to be that some of the definitions might cause parse failures on certain versions of apparmor. I checked this morning and this looks a bit hairy. So some apparmor 2.8 versions potentially have issues, but not all apparmor 2.8 are the same (gah).

I could imagine (but John, we really could use some guidance here ;)) that at least some changes could be related to version 2.8.95~2430: + debian/patches/mediate-signals.patch, debian/patches/change-signal-syntax.patch: Parse signal rules with apparmor_parser. See the apparmor.d(5) man page for syntax details. + debian/patches/change-ptrace-syntax.patch, debian/patches/mediate-ptrace.patch: Parse ptrace rules with apparmor_parser. See the apparmor.d(5) man page for syntax details. But, regardless of the when, the apparmor rules maybe need a way to handle versioned features of the parser. One proposal was to comment out problematic rules and allow the packager to re-enable things. Maybe going one step further and have some pre-processing that handles version based sections (like #if (APPARMOR_VERSION >= xxx)).