[lxc-devel] [PATCH RFC] apparmor: auto-generate the blacklist rules
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Mar 27 20:05:10 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> > +
> > if ENABLE_APPARMOR
> > -install-apparmor:
> > +install-apparmor: apparmor
> > + cat abstractions/container-base.in container-rules >> abstractions/container-base
> > $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/
> > $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
> > $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
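Review bot: the `cat abstractions/container-base.in container-rules >> abstractions/container-base` recipe line appends with `>>`, so every re-run of `make install-apparmor` (or of `make install` in a tree where the file already exists) tacks a second copy of the generated rules onto abstractions/container-base instead of regenerating it; use `>` (or write to a temporary file and `mv` it into place) so the abstraction is rebuilt, not accumulated. Making `install-apparmor` depend on the new `apparmor` target also means an install under `if ENABLE_APPARMOR` now fails partway through on a host without the python3 generator; that dependency belongs in a configure-time check, which is the point the reply below raises.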
>
> This change should be conditional on python3 being present on the system.
Thanks, feedback has been addressed in github.com/hallyn/lxc#aa1, except
for this bit, as it raises a question: should we keep a copy of the
processed rules in the source, but not guarantee that it will be
updated whenever container-rules.base is? Something like:
+if HAVE_PYTHON3
apparmor: container-rules.base
./lxc-generate-aa-rules.py container-rules.base >
container-rules
+else /* HAVE_PYTHON3 */
+apparmor: container-rules.base
+ cp container-rules.pp > container-rules
+endif /* HAVE_PYTHON3 */
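Review bot: `cp container-rules.pp > container-rules` in the else branch mixes cp with a shell redirect: the shell truncates (or creates) container-rules for stdout, then cp exits non-zero with a missing destination operand, so the rule fails and leaves an empty container-rules behind; it should read `cp container-rules.pp container-rules`. The `/* HAVE_PYTHON3 */` trailers are not comments in Makefile.am (automake's comment character is `#`; a bare `else` and `endif` suffice), and if the pre-generated copy is kept in the tree it should be listed in EXTRA_DIST and refreshed whenever container-rules.base changes, otherwise the fallback quietly installs a stale rule set, which is exactly the guarantee the question above is about.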
?
-serge
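For readers following the thread, the following is an added Makefile.am fragment (not code from the lxc tree or from either participant) that spells out the fallback Serge sketches with working automake syntax. It assumes configure.ac defines the conditional with `AC_PATH_PROG([PYTHON3], [python3])` and `AM_CONDITIONAL([HAVE_PYTHON3], [test -n "$PYTHON3"])`; the pre-generated file name `container-rules.pp` is taken from the sketch and is likewise an assumption.

```makefile
# Added example, not from the lxc project: a hypothetical Makefile.am
# fragment for the HAVE_PYTHON3 fallback discussed above.  Assumes
# configure.ac sets PYTHON3 via AC_PATH_PROG and defines the
# HAVE_PYTHON3 automake conditional; container-rules.pp is assumed.

# Ship the rule source, the generator and the pre-generated copy in the
# tarball so a build on a host without python3 still has what it needs.
EXTRA_DIST = container-rules.base container-rules.pp lxc-generate-aa-rules.py

if HAVE_PYTHON3
# Regenerate whenever the rule source or the generator itself changes.
container-rules: container-rules.base lxc-generate-aa-rules.py
	$(PYTHON3) $(srcdir)/lxc-generate-aa-rules.py $(srcdir)/container-rules.base > $@
else
# No python3: fall back to the checked-in copy.  Note cp takes two
# operands here; there is no shell redirect.  Automake comments use '#'.
container-rules: container-rules.pp
	cp $(srcdir)/container-rules.pp $@
endif

if ENABLE_APPARMOR
# '>' rather than '>>' in the cat line: re-running install must rewrite
# the abstraction, not append a second copy of the rules to it.
install-apparmor: container-rules
	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/
	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
	cat $(srcdir)/abstractions/container-base.in container-rules \
		> abstractions/container-base
endif
```

The else branch is where the copy can drift from container-rules.base, so whoever edits the rule source should also refresh container-rules.pp (a `make container-rules` on a python3 host and a `cp` back into the tree) before committing.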