[lxc-devel] [PATCH RFC] apparmor: auto-generate the blacklist rules

Serge Hallyn serge.hallyn at ubuntu.com
Thu Mar 27 20:19:16 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Thu, Mar 27, 2014 at 03:05:10PM -0500, Serge Hallyn wrote:
> > Quoting Stéphane Graber (stgraber at ubuntu.com):
> > > > +
> > > >  if ENABLE_APPARMOR
> > > > -install-apparmor:
> > > > +install-apparmor: apparmor
> > > > +	cat abstractions/container-base.in container-rules >> abstractions/container-base
> > > >  	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/
> > > >  	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
> > > >  	$(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
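Review bot: the `cat abstractions/container-base.in container-rules >> abstractions/container-base` line in install-apparmor appends rather than overwrites, so each repeated `make install-apparmor` run grows abstractions/container-base by another copy of the rules; write it with `>` (or generate into a temporary file and move it into place). It would also be cleaner to do the concatenation in the `apparmor` build target that install-apparmor now depends on, so that a plain `make` produces the file that gets installed and a clean target can remove it.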
> > > 
> > > This change should be conditional on python3 being present on the system.
> > 
> > Thanks, feedback has been addressed in github.com/hallyn/lxc#aa1, except
> > for this bit, as it raises a question:  should we keep a copy of the
> > processed rules in the source, but not guarantee that it will be
> > updated whenever container-rules.base is?  Something like:
> > 
> > +if HAVE_PYTHON3
> >  apparmor: container-rules.base
> >  	./lxc-generate-aa-rules.py container-rules.base >
> >  container-rules
> > +else  /* HAVE_PYTHON3 */
> > +apparmor: container-rules.base
> > +       cp container-rules.pp > container-rules
> > +endif /* HAVE_PYTHON3 */
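Review bot: in the fallback branch, `cp container-rules.pp > container-rules` is cp with a single operand plus a shell redirection: the shell truncates container-rules to an empty file and cp then exits with an error for lack of a destination, so the rule fails and leaves an empty rules file behind; it should read `cp container-rules.pp container-rules`. Also, `/* HAVE_PYTHON3 */` is C comment syntax, not Makefile syntax; automake accepts the bare condition name after `else` and `endif` (`else HAVE_PYTHON3`, `endif HAVE_PYTHON3`), or a `#` comment.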
> > 
> > ?
> 
> Yeah, I'm not sure... After I first reviewed your change, I was actually
> wondering why you were doing it from the Makefile at all... the
> resulting profile won't change based on the system it's built on, so
> there's no good reason to run it at build time at all.
> 
> It may be simpler to just have the script in git and have us manually
> re-generate the full profile whenever we do a change to the abstract
> one.

It may be, then, yes - I only did it this way in recognition of
the fact that people are forgetful, so if something can be
updated automatically all the better.
