On Thu, Nov 28, 2024 at 10:46:35AM +0000, Richard W.M. Jones wrote:
> On Wed, Nov 27, 2024 at 10:39:18PM +0100, Hilko Bengen wrote:
> > * Stefano Brivio:
> > 
> > > Control: reassign 1086844 guestfs-tools
> > >
> > > So, I went ahead and submitted a proposal for a very loose initial
> > > AppArmor profile for guestfs-tools:
> > >
> > >   https://salsa.debian.org/libvirt-team/guestfs-tools/-/merge_requests/1
> > >
> > > I checked functionality of several tools, with and without passt, as
> > > root and as regular user, etc. Outside of the passt subprofile, rules
> > > should be loose enough as to be quite unlikely to introduce any issue.
> > 
> > Stefano, I have added your patch to the package and uploaded a new
> > version. Thanks.
> > 
> > Rich, do you think the AppArmor policy should be part of the upstream
> > source distribution?
> 
> I don't really have an opinion on it.  For SELinux policies, they have
> traditionally been shipped monolithically downstream.  But in a
> relatively recent change some are now shipped upstream, eg the one for
> passt is here:
> 
> https://passt.top/passt/tree/contrib/selinux
> 
> I think my only concern is how portable AppArmor policies are between
> distros that use them.  (I think for SELinux, they're not very
> portable between eg. Fedora & SUSE).

In practice the libvirt AppArmor policy only cares about Debian/Ubuntu,
and once we ship SELinux it will only care about Fedora/RHEL.

I figure if other distros need changes, at least by shipping something
we give them a guide for what we consider a sane "baseline" policy that
they can patch on top of.

Overall I think it is right for upstreams to ship both AppArmor and
SELinux policies themselves. The idea of a single centralized policy
package is not scalable, and is bad at adapting in a timely manner
to changes coming from new app releases. It is especially bad at
dropping obsolete rules since the centralized policy may be used with
arbitrarily old releases.

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

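To make the shape of what the thread is discussing concrete, here is an illustrative AppArmor profile in the style described above: a deliberately loose parent profile for a guestfs tool, with a tighter child profile that passt is transitioned into on exec, and the distro-specific paths pulled out into variables so a downstream packager can patch one line rather than every rule. This is an added example and not the profile from the Debian merge request or anything shipped by guestfs-tools, libvirt or passt; the binary name virt-example, the paths, and the rule set (in particular what passt actually needs) are assumptions made for the example.

```apparmor
# Added illustrative profile; not the guestfs-tools merge request profile.
# Binary names, paths and the specific rules below are assumptions.
#include <tunables/global>

# Distro-specific locations kept in variables so a downstream packager
# can change these lines instead of touching every rule that uses them.
@{TOOL_BIN}=/usr/bin/virt-example
@{PASST_BIN}=/usr/bin/passt
@{GUESTFS_LIB}=/usr/lib/@{multiarch}/guestfs

profile guestfs-tool-example @{TOOL_BIN} {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # Loose baseline for the tool itself: read its own binary and the
  # guestfs appliance files, run QEMU inheriting this same profile (ix),
  # and work freely on files the invoking user owns.
  @{TOOL_BIN} mr,
  @{GUESTFS_LIB}/** r,
  /usr/bin/qemu-system-* ix,
  owner @{HOME}/** rwk,
  owner /tmp/** rwk,

  # passt does not inherit the loose parent rules: "cx" transitions the
  # exec into the named child profile defined below.
  @{PASST_BIN} cx -> passt,

  profile passt @{PASST_BIN} {
    #include <abstractions/base>
    @{PASST_BIN} mr,

    # Only the socket families the user-mode networking helper needs;
    # everything not listed here is denied within the child profile.
    network inet stream,
    network inet6 stream,
    network inet dgram,
    network inet6 dgram,
    owner /tmp/** rw,
  }
}
```

A syntax check without loading into the kernel is `apparmor_parser -Q <file>`; once the rule set has been validated against the tools the way the quoted message describes (as root and as a regular user, with and without passt), it can be loaded with `apparmor_parser -r <file>`. The point of the split is that the parent can stay loose while the network-facing helper, which is the part most worth confining, is covered by a small rule set that is easy to review and to carry between distributions by editing the variables at the top.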