[apparmor] [PATCH] local site-specific changes

Jamie Strandboge jamie at canonical.com
Thu Aug 5 23:24:35 BST 2010


On Thu, 2010-08-05 at 21:40 +0000, Seth Arnold wrote:
> What I'm tired of doing is removing all those Ux rules from the
> packaged firefox profile on every upgrade OR reading the diff to
> figure out what new wonky java thing I should put back in.
> 
You might be interested in knowing that firefox (and the upcoming
chromium profile) in Ubuntu will make this much easier. Basically, we'll
ship a stripped down profile and you add separate includes for the
plugins, helpers, etc. you want. This will be controlled via debconf and
will be preseedable.

> This #include in profiles won't let me undo "big profile design"
> decisions.

Actually, you can use 'deny' or 'audit deny' rules to undo things,
because deny rules are evaluated after allow. Not perfect, but doable.

> And, if the tools are modifying the main profile, but not the
> site-local piece, it'll just be noise.

This was discussed in the meeting and is planned.

> So, take this as a suggestion that bandaids might not be the best
> answer for maintaining local modifications while still allowing distro
> vendors to push updates. Significantly better tools (git) are now
> ubiquitous, and I wish the whole profile repo mess had happened after
> git had matured further -- it'd definitely be a better tool than my
> hand-rolled stuff.

Yes, this is the first step towards proper merging/etc of profiles,
though the other pieces will likely be a while (patches welcome :).


-- 
Jamie Strandboge             | http://www.canonical.com
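
The deny-based override discussed in the message above, as an added example that is not part of the original e-mail or of any shipped Ubuntu profile. The binary names, the file names and the rules are constructed for illustration; the only assumptions are that the packaged profile includes a site-owned file from a local/ directory and that deny rules take precedence over allow rules wherever they appear.

```apparmor
# ---- /etc/apparmor.d/usr.bin.example-browser -------------------------
# Constructed stand-in for a distro-owned profile that is replaced on
# every package upgrade. Never edited by the site.
#include <tunables/global>

/usr/bin/example-browser {
  #include <abstractions/base>

  # "Big profile design" decision made by the packager: the helper
  # runs unconfined (Ux), which the site does not want.
  /usr/bin/example-helper Ux,

  # Broad write access to the download directory.
  owner @{HOME}/Downloads/** rw,

  # Site-specific additions live in a separate file that package
  # upgrades leave alone.
  #include <local/usr.bin.example-browser>
}

# ---- /etc/apparmor.d/local/usr.bin.example-browser -------------------
# Constructed site-owned fragment. It has no profile header of its own
# because it is pulled into the profile body above.

# Undo the Ux rule. Deny rules take a bare "x" (no transition
# qualifier such as U, P or C) and override the matching allow rule.
# "audit" makes every blocked execution show up in the audit log, so
# a helper that turns out to be needed is easy to spot.
audit deny /usr/bin/example-helper x,

# Narrow the broad rw grant: downloads stay writable, but not shell
# scripts. A plain deny is silent in the log.
deny @{HOME}/Downloads/**.sh w,

# Limitation of this approach: a deny can only subtract. If a later
# packaged profile adds a new Ux rule for another helper, this file
# does not cover it until a matching deny is added.
```

After changing the local file, reload the parent profile with `apparmor_parser -r` on the main profile path so the include is re-read.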