> > So I think we really need a --remove-file option that can be used to
> > carefully undo the changes applied by an earlier use of --add-file.
> >
> > Unfortunately this will likely involve a far more significant rework
> > of the AppArmor driver, and we will certainly have to be careful
> > about not introducing regressions in the process, but I'm really not
> > a fan of half measures unless the trade-off is overwhelmingly stacked
> > in their favor...
>
> As I said earlier, it would also involve the addition of at least one
> security hook, impacting all security drivers. But yes, this change
> would basically involve rewriting the entire AppArmor driver and a part
> of virt-aa-helper. While I'm not against it, unfortunately I will not
> be able to dedicate the amount of time needed for such a significant
> change.

I haven't looked in detail at how much work adding the ability to remove
rules on device unplug would require, but surely "basically rewrite the
entire driver" is an overexaggeration?

Look, I understand that you probably just want to fix the issue that's
affecting your customers then move on with your life, and generally
speaking I don't really have a problem with partial fixes that merely get
us closer to the solution instead of all the way there.

However, the changes you're proposing here alter how the driver operates
in a pretty fundamental and, critically, user-visible way. I'm not keen on
switching to a new approach while already being aware of the fact that a
full fix will require yet another pivot...

-- 
Andrea Bolognani / Red Hat / Virtualization