[Pkg-libvirt-maintainers] Pushing Ubuntu's AppArmor-related delta into the Debian libvirt package?
Guido Günther
agx at sigxcpu.org
Tue Sep 30 17:24:18 UTC 2014
On Tue, Sep 30, 2014 at 03:29:13PM +0000, Serge Hallyn wrote:
> Quoting Felix Geyer (fgeyer at debian.org):
> > On 30.09.2014 09:51, Stefan Bader wrote:
> > > @@ -33,6 +36,12 @@
> > > network inet6 stream,
> > > network inet6 dgram,
> > > network packet dgram,
> > > + network netlink,
> > > +
> > > + dbus bus=system,
> > > + signal,
> > > + ptrace,
> > > + unix,
> > >
> > > # Very lenient profile for libvirtd since we want to first focus on confining
> > > # the guests. Guests will have a very restricted profile.
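Review bot: the bare `signal,`, `ptrace,` and `unix,` rules added in this hunk (together with `dbus bus=system,`) are unrestricted: each grants every permission of its rule class towards any peer, so they widen libvirtd's profile considerably compared with the existing `network inet6 stream,`-style lines, which at least name a family and type. If that is intentional for the "very lenient profile" the comment describes, state it next to the new rules; otherwise scope them with permission and peer qualifiers. Either way, mark that these rule types need a parser newer than AppArmor 2.8, which rejects them outright, so downstream builds know what to strip.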
> >
> > Upstreaming these rules seems problematic to me.
> > Afaik the AppArmor 2.8 parser will throw an error when reading those.
> >
> > Is there a way to make profiles backwards compatible with regard to added confinement features?
>
> Good point. AFAIK there isn't, which is why we have to comment those out
> in some builds. John, do you have any guidance for what we should do
> for upstream libvirt? Just comment them out with an obvious tag, i.e.
>
> # signal # SIGNAL
>
> and then distros can un-comment those lines if the feature is available?
> Is there a better way?
Can we move this over to the upstream libvirt list? I think it's of
interest to a broader audience?
Cheers,
-- Guido
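The tag-and-uncomment scheme proposed above, as an added example that is not part of this thread: a POSIX shell snippet that uncomments the rule lines carrying a given tag, so a build for a newer parser enables them while an AppArmor 2.8 build leaves them commented and never hands the parser a rule type it does not know. The profile fragment and the tags other than SIGNAL (NETLINK, DBUS, PTRACE, UNIX) are constructed for the example; which tags to enable is the packager's decision.

```shell
#!/bin/sh
# Constructed libvirtd profile fragment written in the tagged style
# from the thread: rules unknown to AppArmor 2.8 are commented out and
# carry an obvious "# TAG" marker at the end of the line.
PROFILE_FRAGMENT='  network inet6 dgram,
  network packet dgram,
  # network netlink, # NETLINK
  # dbus bus=system, # DBUS
  # signal, # SIGNAL
  # ptrace, # PTRACE
  # unix, # UNIX
'

# enable_tagged_rules TAG... : copy stdin to stdout, uncommenting every
# line that ends in "# TAG" for each TAG given. Lines with other tags stay
# commented, so an older parser never sees those rule types.
enable_tagged_rules() {
    script=""
    for tag in "$@"; do
        # "  # signal, # SIGNAL"  ->  "  signal,"
        script="${script}s/^\([[:space:]]*\)# \(.*\) # ${tag}\$/\1\2/;"
    done
    sed -e "$script"
}

# active_rules TAG... : the rule lines the parser would actually load from
# the fragment after enabling TAG..., trimmed, with comments and blanks
# dropped (handy for asserting on what a given build enables).
active_rules() {
    printf '%s' "$PROFILE_FRAGMENT" | enable_tagged_rules "$@" \
        | sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d'
}

# Render the fragment as a build with signal and ptrace support would.
printf '%s' "$PROFILE_FRAGMENT" | enable_tagged_rules SIGNAL PTRACE
```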