On Thu, 28 Nov 2024 10:46:35 +0000 "Richard W.M. Jones" <rjo...@redhat.com> wrote:
> On Wed, Nov 27, 2024 at 10:39:18PM +0100, Hilko Bengen wrote:
> >
> > Rich, do you think the AppArmor policy should be part of the upstream
> > source distribution?
>
> I don't really have an opinion on it. For SELinux policies, they have
> traditionally been shipped monolithically downstream. But in a
> relatively recent change some are now shipped upstream, eg the one for
> passt is here:
>
> https://passt.top/passt/tree/contrib/selinux

The advantage, I think, is that you can keep tighter and smaller policies this way, because if you need a specific permission you can add it in a specific version of the related package (passt-selinux on Fedora), and also drop it when it's not needed anymore. But surely it's added effort.

> I think my only concern is how portable AppArmor policies are between
> distros that use them. (I think for SELinux, they're not very
> portable between eg. Fedora & SUSE).

By the way, if you're wondering, guestfs-tools didn't hit this issue on openSUSE simply because XDG_RUNTIME_DIR is not defined there, so libguestfs asks passt to write socket and PID files under /tmp, say:

  libguestfs: command: run: \
    --socket /tmp/libguestfsyoFS2l/passt.sock
  libguestfs: command: run: \
    --pid /tmp/libguestfsyoFS2l/passt1.pid

and, given that there's no profile for guestfs-tools, passt runs under its own convenience stand-alone profile, which allows read-write access to /tmp/**.

But this happens pretty much by chance, that's not how it was supposed to work. For example, when libvirt starts passt (still on openSUSE), the matching profile is applied, because libvirt ships its AppArmor policy upstream, and it works as intended on Debian and openSUSE (I didn't check Ubuntu).

AppArmor policy changes for libvirt are also routinely reviewed by SUSE people:

  https://gitlab.com/libvirt/libvirt/-/commit/81493d8eb6ec5d3f063b0b5770df33ed656d6766

...and except for some rare differences (such as the one I just mentioned regarding XDG_RUNTIME_DIR) things are quite compatible. The "guestfs-tools" profile I just wrote for Debian also works, unmodified, on a current openSUSE Tumbleweed.

-- 
Stefano
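As an added illustration (not part of this thread, nor of the passt, libguestfs or libvirt projects' own policies), the AppArmor rule fragments below contrast the broad /tmp/** grant of a convenience profile with rules scoped to the socket and PID files libguestfs passes to passt; the libguestfs* directory pattern is taken from the log above, while the @{run}/user/<uid> location for XDG_RUNTIME_DIR is an assumption of this example.

```apparmor
# Added example, not from the thread. These are rule fragments to place
# inside a passt profile body, not a complete profile.

# 1. Broad convenience rule (what the stand-alone fallback profile
#    effectively grants): every file under /tmp is readable and writable,
#    whether or not it has anything to do with libguestfs.
/tmp/** rw,

# 2. Rules scoped to the files the caller actually asks for.
#    "owner" limits the match to files owned by the same uid as passt.

# XDG_RUNTIME_DIR defined: assumes it resolves to /run/user/<uid>
# (@{run} comes from tunables/global and covers /run and /var/run).
owner @{run}/user/[0-9]*/libguestfs*/passt*.sock rw,
owner @{run}/user/[0-9]*/libguestfs*/passt*.pid  rw,

# XDG_RUNTIME_DIR undefined (the openSUSE case in the thread):
# libguestfs falls back to a per-run directory under /tmp.
owner /tmp/libguestfs*/passt*.sock rw,
owner /tmp/libguestfs*/passt*.pid  rw,
```

With the scoped rules in place, any attempt by passt to touch other files under /tmp shows up as an AppArmor denial in the audit log, which is the signal a reviewer wants when checking whether a profile is tighter than it needs to be.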