On Thursday, 17 January 2019 at 11:41:49 +0100, Wolfgang Bumiller wrote:

> > On January 13, 2019 at 11:40 AM intrigeri <intrig...@debian.org> wrote:
> >
> > Hi Christian,
> >
> > Christian Brauner:
> > > Did you backport the new config keys as well?
> > > If so we can't carry that version upstream.
> > > Since this would be a feature release.
> > > If you only backported the internal profile changes then we can
> > > carry it upstream and you should send your patch.
> >
> > I've backported e6ec0a9, e7311a84 and 1800f92. This indeed includes
> > the copy of lxd's apparmor profile generation and thus the new config
> > keys. I *think* I've initially tried backporting only the policy
> > changes but that was not sufficient. But I might have skipped this
> > step, I can't recall.
>
> The thing is, systemd may get more possible mount flag combinations
> in the future anyway, so the policy changes won't be enough for long.
> (There already seem to be some services which want 'strictatime' which
> effectively means re-doubling those rules with 'strictatime'.
> Considering there are a bunch more flags which theoretically could be used
> and which would theoretically be acceptable from the (think: noatime,
> nodiratime, relatime, sync/async, perhaps even mand, unbindable, verbose)
> adding all possible combinations seems rather silly and I'd much rather
> have apparmor provide a way to have optional flags.
> There's currently no way to express a mount rule with "at least
> `ro,remount,bind` *together* with any combination of
> `nosuid,nodev,noexec,strictatime,sync,...` on a single line...
Hi,

We have to decide what solution I will implement. I'm open to suggestions, although I'm considering the "disable apparmor profiles for lxc" solution for now.

Best regards

-- 
Pierre-Elliott Bécue
GPG: 9AE0 4D98 6400 E3B6 7528 F493 0D44 2664 1949 74E2
It's far easier to fight for one's principles than to live up to them.
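The combinatorial growth Wolfgang describes is easy to make concrete. The following script is an added illustration written for this thread, not code from the lxc project or from any participant: it generates the enumerated AppArmor `mount` rules needed to cover a fixed base of `ro,remount,bind` plus every subset of a list of optional flags, and offers a small check for whether a given flag set would be covered. The rule shape `mount options=(...) -> /**,` mirrors the style of lxc's container abstraction; the `/**` target and the specific flag lists are assumptions chosen for the example.

```python
"""Enumerate AppArmor mount rules for a fixed base plus optional flags.

Added example for the thread above (not lxc or LXD code). AppArmor has no
way to say "base flags plus any subset of these optional flags" in one
rule, so a profile must list every combination explicitly: 2**n rules for
n optional flags.
"""
from itertools import combinations

# Flags that must always be present (from the e-mail: ro,remount,bind).
BASE_FLAGS = ("ro", "remount", "bind")

# Flags that may or may not be present; each one doubles the rule count.
# This list is an assumption based on the flags named in the thread.
OPTIONAL_FLAGS = ("nosuid", "nodev", "noexec", "strictatime")

# Mount target used in the generated rules; '/**' is assumed for the example.
DEFAULT_TARGET = "/**"


def expand_mount_rules(base=BASE_FLAGS, optional=OPTIONAL_FLAGS,
                       target=DEFAULT_TARGET):
    """Return one AppArmor mount rule per subset of `optional` flags.

    Rules are emitted from the empty subset upwards, so the first rule is
    the bare base and the last carries every optional flag.
    """
    rules = []
    for size in range(len(optional) + 1):
        for extra in combinations(optional, size):
            flags = ",".join(base + extra)
            rules.append(f"  mount options=({flags}) -> {target},")
    return rules


def rule_count(n_optional):
    """Number of rules needed for n optional flags (one per subset)."""
    return 2 ** n_optional


def is_covered(requested, base=BASE_FLAGS, optional=OPTIONAL_FLAGS):
    """True if a requested flag set is matched by the enumerated rules.

    The request must contain every base flag and nothing outside
    base + optional; e.g. a service asking for 'sync' is not covered
    unless 'sync' is added to `optional` (doubling the rule count again).
    """
    requested = set(requested)
    return set(base) <= requested and requested <= set(base) | set(optional)


def main():
    rules = expand_mount_rules()
    print(f"# {len(rules)} rules for {len(OPTIONAL_FLAGS)} optional flags")
    print("\n".join(rules))
    # Adding the seven extra flags mentioned in the thread would give:
    print(f"# with 11 optional flags: {rule_count(11)} rules")


if __name__ == "__main__":
    main()
```

Running it prints the 16 rules for four optional flags and shows that the eleven flags discussed in the thread would require 2048 lines, which is the maintenance problem behind the "disable apparmor profiles for lxc" option Pierre-Elliott mentions.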