[Pkg-libvirt-maintainers] Pushing Ubuntu's AppArmor-related delta into the Debian libvirt package?
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Sep 30 15:29:13 UTC 2014
Quoting Felix Geyer (fgeyer at debian.org):
> On 30.09.2014 09:51, Stefan Bader wrote:
> > @@ -33,6 +36,12 @@
> > network inet6 stream,
> > network inet6 dgram,
> > network packet dgram,
> > + network netlink,
> > +
> > + dbus bus=system,
> > + signal,
> > + ptrace,
> > + unix,
> >
> > # Very lenient profile for libvirtd since we want to first focus on confining
> > # the guests. Guests will have a very restricted profile.
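Review bot: the added "signal,", "ptrace," and "unix," rules at the end of the hunk are unqualified, so each grants libvirtd the whole permission class (any signal to or from any peer, ptrace of any process, any unix socket operation) rather than a narrowed set; that is consistent with the "very lenient profile" comment directly below, but the commit should say so explicitly, and a peer= or set= qualifier on those rules would be the place to tighten them later. These same rule types are the ones older parsers reject (see the reply), so the hunk cannot be applied unchanged to a package that must still build against AppArmor 2.8.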
>
> Upstreaming these rules seems problematic to me.
> Afaik the AppArmor 2.8 parser will throw an error when reading those.
>
> Is there a way to make profiles backwards compatible with regard to added confinement features?
Good point. AFAIK there isn't, which is why we have to comment those out
in some builds. John, do you have any guidance for what we should do
for upstream libvirt? Just comment them out with an obvious tag, i.e.
# signal # SIGNAL
and then distros can un-comment those lines if the feature is available?
Is there a better way?
-serge
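The tag-and-uncomment convention proposed above, as an added example that is not part of the thread or of the libvirt package: a small POSIX sh helper that un-comments rules carrying a given tag, with an optional probe of the installed apparmor_parser (assumed present only on a real host) to decide which tags a build may enable. The sample profile fragment, the tag names and the helper names are all constructed here.

```shell
#!/bin/sh
# Added example, not code from the libvirt package: enable feature-tagged
# AppArmor rules when the local parser can handle them. Convention taken
# from the thread: a newer rule type ships commented out with a tag
# ("# signal # SIGNAL"); a build on a capable distro un-comments it.
# Here each rule keeps its trailing comma so the result is a complete rule.

# Constructed sample fragment of a libvirtd profile written in that convention.
SAMPLE_PROFILE='  network inet6 stream,
  # network netlink, # NETLINK
  # dbus bus=system, # DBUS
  # signal, # SIGNAL
  # ptrace, # PTRACE
  # unix, # UNIX
  # Very lenient profile for libvirtd'

# Read a profile on stdin and un-comment each rule tagged with one of the
# space-separated tags in $1; untagged comments and other lines are untouched.
enable_tags() {
    out=$(cat)
    for t in $1; do
        out=$(printf '%s\n' "$out" | sed "s/^\([[:space:]]*\)# \(.*\) # $t\$/\1\2/")
    done
    printf '%s\n' "$out"
}

# Ask apparmor_parser whether it accepts one rule, by parsing a throwaway
# profile from stdin without loading it (-Q). Returns 0 when accepted.
parser_accepts() {
    printf 'profile apparmor_probe_test {\n  %s\n}\n' "$1" |
        apparmor_parser -Q -q >/dev/null 2>&1
}

# Pick the tags to enable: probe the parser when present, otherwise fall back
# to the list in $1, as a distro build would choose from its parser version.
select_tags() {
    if command -v apparmor_parser >/dev/null 2>&1; then
        parser_accepts 'signal,'          && printf 'SIGNAL '
        parser_accepts 'ptrace,'          && printf 'PTRACE '
        parser_accepts 'unix,'            && printf 'UNIX '
        parser_accepts 'dbus bus=system,' && printf 'DBUS '
        parser_accepts 'network netlink,' && printf 'NETLINK '
    else
        printf '%s' "$1"
    fi
    return 0
}

# Apply to the sample; without a parser present, SIGNAL and PTRACE are enabled.
printf '%s\n' "$SAMPLE_PROFILE" | enable_tags "$(select_tags 'SIGNAL PTRACE')"
```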