Re: [PATCH] apparmor: support finer-grained ptrace checks

On Fri, 2017-09-22 at 14:52 +0200, Guido Günther wrote:
> > +  ptrace,
> 
> ^^^^^^^
> 
> This single line is enough to make things work for me on 4.13. AFAIK
> dbus mediation is not upstream yet and I think unix socket and signal
> support is neither. Should we drop these for now (the syntax and
> behaviour might change while things are being upstreamed)?

Note that if you are upstreaming profile changes for ptrace, you may as well add
them for signal and dbus because an apparmor parser that can understand 'ptrace'
can understand the other two. The parser is designed to deal with kernels that
don't have the full set of apparmor capabilities. The policy syntax for all of
these rules should not change as part of upstreaming dbus and unix.

'unix' is probably ok to add because support for it was added to the parser in
devel releases of AppArmor within 6 months of ptrace and signal. 'dbus',
'ptrace', 'signal' and 'unix' were officially introduced in 2.9[1]. By adding
'ptrace' you are saying AppArmor 2.9 is required; therefore, the other 3 are
parseable.

[1] http://wiki.apparmor.net/index.php/ReleaseNotes_2_9_0

-- 
Jamie Strandboge             | http://www.canonical.com


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
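For readers unfamiliar with the rule families the reply refers to, the following profile fragment is an added illustration (not part of the libvirt patch or of either message) of the AppArmor 2.9 syntax for 'ptrace', 'signal', 'unix' and 'dbus' rules, written in the finer-grained form rather than the bare `ptrace,` line quoted above. The profile name, the peer paths, the D-Bus path/interface and the signal set are assumptions chosen for illustration; an AppArmor 2.9 or later parser accepts all four rule types, and a kernel that does not mediate one of them (dbus and unix in the kernel version the thread discusses) simply does not enforce those rules.

```apparmor
# Added example profile fragment (assumed name and paths, not libvirt's own).
# All four rule families below were introduced in AppArmor 2.9, so a parser
# that accepts the ptrace rule also accepts the other three.
profile example-guest /usr/bin/example-guest {
  # ptrace: allow only the assumed management daemon to read/trace this
  # process; the reverse direction is deliberately not granted.
  ptrace (readby, tracedby) peer=/usr/sbin/example-managerd,

  # signal: restrict which signals the daemon may deliver, and from whom.
  signal (receive) set=(term, kill, hup) peer=/usr/sbin/example-managerd,

  # unix: local stream sockets only; no datagram or abstract sockets.
  unix (send, receive) type=stream,

  # dbus: one method call on the system bus, nothing else (assumed
  # path/interface/member for illustration).
  dbus (send)
       bus=system
       path=/org/example/Manager
       interface=org.example.Manager
       member=Status,
}
```

On a kernel without dbus or unix mediation the parser still loads this profile; the unenforced rules are harmless there and become effective once a mediating kernel is in use, which is the point made in the reply about the parser being designed for kernels with a partial feature set.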
