[pkg-apparmor] Bug#979500: Bug#979500: dh-apparmor: please support local includes of abstractions like "abstraction/name"

intrigeri intrigeri at debian.org
Sat Feb 6 06:57:24 GMT 2021


Hi,

intrigeri (2021-01-08):
> Christian Boltz (2021-01-07):
>> I'd argue that this is a problem that is already solved ;-)
>>
>> Starting with AppArmor 3.0, all[1] upstream abstractions come with a 
>> rule like (example taken from abstractions/base):
>>
>>     include if exists <abstractions/base.d>
>>
>> so if you create that directory and place a file there, it will be 
>> included by the abstraction.
>
>> [...]
>
>> For abstractions shipped by individual packages (like libvirt), it would 
>> also make sense to add an   include if exists <abstractions/$whatever.d>   
>> rule to make it easy to add something to an abstraction.
>
> I like what Christian Boltz is proposing (thanks!): as far as
> I understand, it can happen in libvirt upstream, will benefit even
> non-Debian distros, and does not require modifying dh-apparmor.
>
> Christian Ehrhardt, how does it sound? Any reason why the approach you
> initially suggested on this bug report is better?

Ping?

I'd like to add that one of the reasons for adding support for
"include if exists" in AppArmor upstream was to cancel the need for
distros to manage local override files via packaging machinery,
which long term will allow us to simplify things like dh-apparmor,
making them easier to maintain and to use :)
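
As an added example (not part of the original message, and not code from AppArmor or dh-apparmor): a small Python check a packager could run over an abstractions directory to see which files already carry the matching `include if exists <abstractions/NAME.d>` rule described above. The sample tree, its file names (including the hypothetical `libvirt-example`) and its rule contents are constructed, and only the angle-bracket form of the rule is matched.

```python
import re
import tempfile
from pathlib import Path

# Matches the rule form quoted in the thread, with or without the legacy
# leading '#': include if exists <abstractions/NAME.d>
RULE = r'^\s*#?include\s+if\s+exists\s+<abstractions/{name}\.d>\s*$'


def has_local_include(path: Path) -> bool:
    """True if the abstraction file includes its own NAME.d directory."""
    pattern = re.compile(RULE.format(name=re.escape(path.name)), re.MULTILINE)
    return bool(pattern.search(path.read_text(encoding="utf-8", errors="replace")))


def audit(abstractions_dir: Path) -> dict:
    """Map each abstraction file name to whether it has the NAME.d hook."""
    return {
        p.name: has_local_include(p)
        for p in sorted(abstractions_dir.iterdir())
        if p.is_file()  # skip the NAME.d directories themselves
    }


def demo() -> dict:
    """Run the audit over a constructed tree (not real profile content)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp) / "abstractions"
        d.mkdir()
        # Constructed sample: hook present, as in the rule quoted from abstractions/base
        (d / "base").write_text(
            "  /dev/null rw,\n  include if exists <abstractions/base.d>\n")
        # Constructed sample: package-shipped abstraction without the hook
        (d / "libvirt-example").write_text("  /dev/kvm rw,\n")
        # Constructed sample: hook present but pointing at another abstraction's directory
        (d / "example").write_text("  include if exists <abstractions/base.d>\n")
        # Local override directory; must not be reported as an abstraction
        (d / "base.d").mkdir()
        (d / "base.d" / "site").write_text("  /srv/data/** r,\n")
        return audit(d)


if __name__ == "__main__":
    for name, ok in demo().items():
        status = "ok" if ok else f"missing include if exists <abstractions/{name}.d>"
        print(f"{name}: {status}")
```

An abstraction reported as missing the rule cannot be extended by dropping a file into `NAME.d`, so local changes to it would still need packaging-side handling.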


