[lxc-devel] [PATCH RFC] apparmor: auto-generate the blacklist rules

Stéphane Graber stgraber at ubuntu.com
Thu Mar 27 20:13:23 UTC 2014


On Thu, Mar 27, 2014 at 03:05:10PM -0500, Serge Hallyn wrote:
> Quoting Stéphane Graber (stgraber at ubuntu.com):
> > > +
> > >  if ENABLE_APPARMOR
> > > -install-apparmor:
> > > +install-apparmor: apparmor
> > > +	cat abstractions/container-base.in container-rules >> abstractions/container-base
> > >  	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/
> > >  	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
> > >  	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
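Review bot: the `cat abstractions/container-base.in container-rules >> abstractions/container-base` recipe appends, so every repeated `make install-apparmor` grows abstractions/container-base with another full copy of the rules; write it with `>` (or better, make abstractions/container-base its own target with container-base.in and container-rules as prerequisites) so the file is rebuilt rather than accumulated, and list the generated file for clean-up. Generating into the source tree from an install target is also unusual; the build step is the natural place for it.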
> > 
> > This change should be conditional on python3 being present on the system.
> 
> Thanks, feedback has been addressed in github.com/hallyn/lxc#aa1, except
> for this bit, as it raises a question:  should we keep a copy of the
> processed rules in the source, but not guarantee that it will be
> updated whenever container-rules.base is?  Something like:
> 
> +if HAVE_PYTHON3
>  apparmor: container-rules.base
>  	./lxc-generate-aa-rules.py container-rules.base >
>  container-rules
> +else  /* HAVE_PYTHON3 */
> +apparmor: container-rules.base
> +       cp container-rules.pp > container-rules
> +endif /* HAVE_PYTHON3 */
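Review bot: in the `else` branch, `cp container-rules.pp > container-rules` hands cp a single operand and redirects its stdout, so the shell first creates an empty container-rules and cp then fails with a missing-destination error, aborting the build; it should read `cp container-rules.pp container-rules`. As quoted, that recipe line is also indented with spaces while the python3 branch uses a tab; make only accepts a tab there, so check the indentation in the actual file.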
> 
> ?

Yeah, I'm not sure... After I first reviewed your change, I was actually
wondering why you were doing it from the Makefile at all... the
resulting profile won't change based on the system it's built on, so
there's no good reason to run it at build time at all.

It may be simpler to just have the script in git and have us manually
re-generate the full profile whenever we do a change to the abstract
one.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
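Serge's worry above is that a committed, pre-generated container-rules can silently drift from container-rules.base if nobody re-runs the script. An added example, not from this thread or the LXC tree: a POSIX sh staleness check that regenerates into a temporary file and compares it with the committed copy, suitable as a `make check` step; `stand_in_gen` is a constructed placeholder for lxc-generate-aa-rules.py so the demonstration runs offline.

```shell
#!/bin/sh
# check_generated GENERATOR INPUT COMMITTED
#   Runs "GENERATOR INPUT" into a temp file and compares it with COMMITTED.
#   Returns 0 when identical, 1 when the committed copy is stale, 2 on error.
check_generated() {
    gen="$1"; input="$2"; committed="$3"
    [ -r "$input" ] && [ -r "$committed" ] || return 2
    tmp=$(mktemp) || return 2
    if ! "$gen" "$input" > "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    if cmp -s "$tmp" "$committed"; then
        rm -f "$tmp"; return 0
    fi
    echo "$committed is stale; regenerate with: $gen $input > $committed" >&2
    diff -u "$committed" "$tmp" >&2 || true
    rm -f "$tmp"
    return 1
}

# Constructed stand-in for lxc-generate-aa-rules.py: one "deny" rule per input line.
stand_in_gen() { sed 's|^|deny |' "$1"; }

# Demonstration on constructed files: the committed copy is fresh at first,
# then the input is edited without regenerating and the check must fail.
demo() {
    dir=$(mktemp -d) || return 2
    printf '/sys\n/proc/sysrq-trigger\n' > "$dir/container-rules.base"
    printf 'deny /sys\ndeny /proc/sysrq-trigger\n' > "$dir/container-rules"
    if check_generated stand_in_gen "$dir/container-rules.base" "$dir/container-rules"; then
        fresh=0; else fresh=$?; fi
    printf '/sys/kernel\n' >> "$dir/container-rules.base"   # edit input, forget to regenerate
    if check_generated stand_in_gen "$dir/container-rules.base" "$dir/container-rules" 2>/dev/null; then
        stale=0; else stale=$?; fi
    rm -rf "$dir"
    echo "fresh=$fresh stale=$stale"
    [ "$fresh" -eq 0 ] && [ "$stale" -eq 1 ]
}
```

Wiring `check_generated ./lxc-generate-aa-rules.py container-rules.base container-rules` into `make check` turns a forgotten regeneration into a test failure instead of a stale installed profile.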