[apparmor] apparmor policy versioning
John Johansen
john.johansen at canonical.com
Wed Jul 10 21:18:22 UTC 2013
So it turns out we are going to need to support policy versioning (Christian
can gloat now). The question becomes how we support it.

We are looking at 2 different options:

1. we support a version tag in files, with the tag required to be on each
   file including any include.

   When the parser detects mixed versioning does it
   - gracefully convert between v2 and v3 policy
   - just fail

2. we move to a new versioned directory /etc/apparmor3.d/ or something of
   the sort with everything in /etc/apparmor.d/ remaining in v2 policy
   (format and semantics)

   In this case what if a profile exists in both directories
   - fail
   - default to v3 on new kernels
   - default to v2 on older kernels?