[pkg-lxc-devel] Bug#916639: LXC AppArmor confinement breaks systemd v240

Wolfgang Bumiller w.bumiller at proxmox.com
Thu Jan 17 10:41:49 GMT 2019


> On January 13, 2019 at 11:40 AM intrigeri <intrigeri at debian.org> wrote:
> 
> 
> Hi Christian,
> 
> Christian Brauner:
> > Did you backport the new config keys as well?
> > If so we can't carry that version upstream.
> > Since this would be a feature release.
> > If you only backported the internal profile changes then we can
> > carry it upstream and you should send your patch.
> 
> I've backported e6ec0a9, e7311a84 and 1800f92. This indeed includes
> the copy of lxd's apparmor profile generation and thus the new config
> keys. I *think* I've initially tried backporting only the policy
> changes but that was not sufficient. But I might have skipped this
> step, I can't recall.

The thing is, systemd may get more possible mount flag combinations
in the future anyway, so the policy changes won't be enough for long.
(There already seem to be some services which want 'strictatime', which
effectively means re-doubling those rules with 'strictatime'.)
Considering there are a bunch more flags which theoretically could be used
and which would theoretically be acceptable from the (think: noatime,
nodiratime, relatime, sync/async, perhaps even mand, unbindable, verbose)
adding all possible combinations seems rather silly and I'd much rather
have apparmor provide a way to have optional flags.
There's currently no way to express a mount rule with "at least
`ro,remount,bind` *together* with any combination of
`nosuid,nodev,noexec,strictatime,sync,...` on a single line...
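To make the combinatorial blow-up concrete, here is an added example (not code from lxc, lxd or this thread) that expands one "at least these base flags, plus any subset of these optional flags" requirement into the explicit `mount options=(...)` lines an AppArmor profile needs today. Flag names and the `/**` target are assumptions chosen to resemble the lxc-container-default rules; the helper names are hypothetical.

```python
from itertools import combinations

# Constructed inputs: flags systemd always passes, and flags it may add.
BASE_FLAGS = ("ro", "remount", "bind")
OPTIONAL_FLAGS = ("nosuid", "nodev", "noexec", "strictatime")


def wants_allowing(flags, base=BASE_FLAGS, optional=OPTIONAL_FLAGS):
    """True if a mount flag set is one the policy author intends to allow:
    every base flag is present and anything else is an optional flag."""
    flags = set(flags)
    return set(base) <= flags and flags - set(base) <= set(optional)


def apparmor_mount_rules(base=BASE_FLAGS, optional=OPTIONAL_FLAGS, target="/**"):
    """Emit one explicit rule per allowed flag combination (2**len(optional)
    lines), because an options=(...) rule matches one exact flag set and the
    profile language has no 'these flags required, those optional' form."""
    rules = []
    for n in range(len(optional) + 1):
        for extra in combinations(optional, n):
            flags = ",".join(base + extra)
            rules.append(f"mount options=({flags}) -> {target},")
    return rules


def rule_count(n_optional):
    """Number of rule lines needed for n optional flags: doubles per flag."""
    return 2 ** n_optional


if __name__ == "__main__":
    for rule in apparmor_mount_rules():
        print(rule)
    # Adding a fifth optional flag (e.g. 'sync') doubles the list again.
    print(rule_count(len(OPTIONAL_FLAGS)), "->", rule_count(len(OPTIONAL_FLAGS) + 1))
```

Every rule the script prints matches exactly one flag combination, which is why each extra optional flag systemd starts using doubles the profile's rule count rather than adding one line.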
