[lxc-devel] [PATCH RFC] apparmor: auto-generate the blacklist rules
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Mar 27 20:19:16 UTC 2014
Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Thu, Mar 27, 2014 at 03:05:10PM -0500, Serge Hallyn wrote:
> > Quoting Stéphane Graber (stgraber at ubuntu.com):
> > > > +
> > > > if ENABLE_APPARMOR
> > > > -install-apparmor:
> > > > +install-apparmor: apparmor
> > > > + cat abstractions/container-base.in container-rules >> abstractions/container-base
> > > > $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/
> > > > $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/abstractions/lxc/
> > > > $(MKDIR_P) $(DESTDIR)$(sysconfdir)/apparmor.d/lxc/
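Review bot: the `cat abstractions/container-base.in container-rules >> abstractions/container-base` line appends, so every run of `make install-apparmor` grows abstractions/container-base with one more copy of the generated rules; write it with `>` (and list the output in CLEANFILES) so the installed abstraction is the same no matter how many times the target runs. Making install-apparmor depend on the new `apparmor` target also means installation now needs python3 on the build host, so that prerequisite should be conditional or the generated container-rules should ship in the distribution tarball.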
> > >
> > > This change should be conditional on python3 being present on the system.
> >
> > Thanks, feedback has been addressed in github.com/hallyn/lxc#aa1, except
> > for this bit, as it raises a question: should we keep a copy of the
> > processed rules in the source, but not guarantee that it will be
> > updated whenever container-rules.base is? Something like:
> >
> > +if HAVE_PYTHON3
> > apparmor: container-rules.base
> > ./lxc-generate-aa-rules.py container-rules.base >
> > container-rules
> > +else /* HAVE_PYTHON3 */
> > +apparmor: container-rules.base
> > + cp container-rules.pp > container-rules
> > +endif /* HAVE_PYTHON3 */
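Review bot: `cp container-rules.pp > container-rules` does not do what is intended: the shell truncates container-rules to an empty file and cp then fails with a missing destination operand, so the recipe should read `cp container-rules.pp container-rules`. The `/* HAVE_PYTHON3 */` trailers are C comment syntax, which Makefile.am does not accept; use `# HAVE_PYTHON3` or a bare `else` / `endif`. The HAVE_PYTHON3 conditional also needs a matching AM_CONDITIONAL in configure.ac for automake to know it.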
> >
> > ?
>
> Yeah, I'm not sure... After I first reviewed your change, I was actually
> wondering why you were doing it from the Makefile at all... the
> resulting profile won't change based on the system it's built on, so
> there's no good reason to run it at build time at all.
>
> It may be simpler to just have the script in git and have us manually
> re-generate the full profile whenever we do a change to the abstract
> one.
It may be, then, yes - I only did it this way in recognition of
the fact that people are forgetful, so if something can be
updated automatically all the better.