[apparmor] RFC: using variables to make profiles more flexible
John Johansen
john.johansen at canonical.com
Mon Dec 4 18:06:51 UTC 2017
On 12/03/2017 04:05 AM, intrigeri wrote:
> Hi,
>
> Vincas Dargis:
>> What about actual implementation, should we "push":
>
>> * `tunables/usr.bin.thunderbird` empty file (same as with local/usr.bin.thunderbird), or
>> * `tunables/usr.bin.thunderbird.d` directory for more flexibility, but without a file (user should create one himself)?
>
>> Or maybe these tunables should be placed deeper, like:
>
>> `tunables/<something>/usr.bin.thunderbird{,.d}`
>
> At first glance I would essentially apply the same path structure as
> what we do for top-level profiles:
>
> * `tunables/usr.bin.thunderbird`, shipped by the package, has the
> default settings
>
> * `local/tunables/usr.bin.thunderbird` can be used by the local admin
> to override/extend the default settings
>
Except override is NOT supported. The assignment currently only extends.
Yes, = does behave the same as +=.