Github messages for voidlinux
From: paper42 <paper42@users.noreply.github.com>
To: ml@inbox.vuxu.org
Subject: Re: apparmor: fix dnsmasq profile
Date: Sun, 11 Apr 2021 11:50:16 +0200	[thread overview]
Message-ID: <20210411095016.DiD7Eah_r_xEZbKDcsYe-GYgczAd48T_G9nguSb5Ce0@z> (raw)
In-Reply-To: <gh-mailinglist-notifications-41a7ca26-5023-4802-975b-f1789d68868e-void-packages-30142@inbox.vuxu.org>


New comment by paper42 on void-packages repository

https://github.com/void-linux/void-packages/pull/30142#issuecomment-817280088

Comment:
I think this is a bigger problem that requires a better solution. apparmor's upstream often fixes their profiles[1] when new versions of software require new permissions, but void ships profiles from the last apparmor release which are often broken by the time a new release comes out. The simplest solution right now I can think of would involve creating a new package with apparmor profiles which would track upstream's master.
The best solution may be to create a new void-apparmor git repository which would track new versions of software in void[2], because there are often some void specific permissions. This would also allow us to have profiles for more packages than what upstream provides, but this will require dedicating some time to it.

> We can add rules to /etc/apparmor.d/local/ if touching the main profile rule is not ideal

@FollieHiyuki I think `/etc/apparmor.d/local/` is meant for user customizations, so distributions shouldn't touch that if not necessary (for example nvidia graphics cards may require different permissions than intel or amd).

[[1] many commits to apparmor profiles since the last release 4 months ago](https://gitlab.com/apparmor/apparmor/-/commits/master/profiles/apparmor.d)
[[2] Apparmor profile plumbing issue](https://github.com/void-linux/void-infrastructure/issues/82)
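The `/etc/apparmor.d/local/` convention discussed above only works because a shipped profile contains an `include <local/NAME>` (or `include if exists <local/NAME>`) line, and anything placed in that override file silently widens the profile. As an added example, not part of paper42's comment or of void-packages, the POSIX shell script below audits a profile directory and reports, per profile, whether it has a local hook and whether the override file actually carries rules. The profile texts are constructed samples (the real dnsmasq profile is not reproduced); `APPARMOR_D` is an assumed environment variable that, when set, points the audit at a real `/etc/apparmor.d`, otherwise a temporary sample tree is built so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit which AppArmor profiles pull in a
# local/ override and which of those override files actually contain rules.
# With APPARMOR_D unset, a constructed sample tree is used so this runs offline.
set -eu

# Build a constructed sample tree: one profile whose local hook has rules,
# one whose hook points at an empty override, and one with no hook at all.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/local"
    cat > "$root/usr.sbin.dnsmasq" <<'EOF'
#include <tunables/global>
/usr/sbin/dnsmasq {
  #include <abstractions/base>
  /etc/dnsmasq.conf r,
  include if exists <local/usr.sbin.dnsmasq>
}
EOF
    printf '/etc/dnsmasq.d/** r,\n' > "$root/local/usr.sbin.dnsmasq"
    cat > "$root/usr.bin.foo" <<'EOF'
/usr/bin/foo {
  #include <local/usr.bin.foo>
}
EOF
    : > "$root/local/usr.bin.foo"
    printf '/usr/bin/bar {\n}\n' > "$root/usr.bin.bar"
    echo "$root"
}

# Classify one profile file: prints "hook+rules", "hook+empty" or "no-hook".
classify_profile() {
    profile=$1
    dir=$(dirname "$profile")
    name=$(basename "$profile")
    # Both the legacy "#include" and the newer "include [if exists]" spellings
    # of the local hook are accepted.
    if ! grep -Eq "^[[:space:]]*#?include( if exists)?[[:space:]]*<local/$name>" "$profile"; then
        echo "no-hook"
        return
    fi
    override="$dir/local/$name"
    # An override carries rules if it has any non-comment, non-blank line.
    if [ -f "$override" ] && grep -Eq '^[[:space:]]*[^#[:space:]]' "$override"; then
        echo "hook+rules"
    else
        echo "hook+empty"
    fi
}

# Walk a profile directory and print one tab-separated line per profile file;
# the local/ subdirectory itself is skipped.
audit_dir() {
    for p in "$1"/*; do
        [ -f "$p" ] || continue
        printf '%s\t%s\n' "$(basename "$p")" "$(classify_profile "$p")"
    done
}

if [ "${APPARMOR_D:-}" = "" ]; then
    APPARMOR_D=$(make_sample_tree)
fi
audit_dir "$APPARMOR_D"
```

Profiles reported as `hook+rules` are the ones where local changes are in effect; on a distribution-maintained system those are the entries worth reviewing, since a fix that belongs in the packaged profile (or in a distribution profile repository, as proposed above) should not live in the user override.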

Thread overview: 11+ messages
2021-04-11  4:01 [PR PATCH] " noarchwastaken
2021-04-11  4:14 ` noarchwastaken
2021-04-11  4:17 ` noarchwastaken
2021-04-11  8:45 ` FollieHiyuki
2021-04-11  9:50 ` paper42 [this message]
2021-04-11 12:49 ` Duncaen
2021-04-11 17:33 ` [PR PATCH] [Updated] " noarchwastaken
2021-04-11 17:47 ` noarchwastaken
2021-04-11 17:50 ` Duncaen
2021-04-11 17:52 ` [PR PATCH] [Updated] " noarchwastaken
2021-04-16  0:41 ` [PR PATCH] [Merged]: " ericonr
