[apparmor] Deprecating attachment based profile names for apparmor 3

Simon McVittie smcv at collabora.com
Wed Aug 29 13:35:53 UTC 2018


On Tue, 28 Aug 2018 at 14:27:05 -0700, John Johansen wrote:
> To avoid the warning profiles can be rewritten to use a name separate from the
> attachment.
> 
> profile ping /bin/ping {
>   ...
> }
> 
> This transform should work on any apparmor release in the last 10 years (2.3
> 2.13).

Is there a conventional name and filename for a profile with a name that
does not reflect its attachment?

For instance, in Debian's ioquake3 package I have:

# /etc/apparmor.d/usr.lib.ioquake3.ioquake3
/usr/lib/ioquake3/ioquake3 flags=(complain) {
...
}

Should I rename the file to /etc/apparmor.d/ioquake3 or something?
Is the name meant to reflect the distro package, or the executable name,
or something else?

Similarly, should the name of the new profile reflect the distro package,
or the executable name, or something else?

(Note that in Debian- and Ubuntu-land, removing or renaming conffiles
requires special maintainer action to preserve sysadmin changes, so we
should preferably minimize the number of times we rename profiles.)

Thanks,
    smcv
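Applying the transform quoted from John to the ioquake3 profile, as an added example that is not part of this thread: a small POSIX shell function that rewrites a top-level attachment-based header into the `profile NAME ATTACHMENT ... {` form. The profile name `ioquake3` and the rules in the constructed sample profile are assumptions; the thread does not settle what the name or the filename under /etc/apparmor.d should be, and this script does not decide that either.

```sh
#!/bin/sh
# Added example: rewrite a top-level attachment-based AppArmor profile
# header such as
#   /usr/lib/ioquake3/ioquake3 flags=(complain) {
# into the named form shown in the quoted message:
#   profile ioquake3 /usr/lib/ioquake3/ioquake3 flags=(complain) {
# Only unindented lines that start with "/" and end with "{" are touched,
# so path rules ("/usr/lib/** r,"), comments, and indented child profiles
# or hats are left alone. The name is the caller's choice (an assumption
# here); the naming convention asked about in the thread is not implied.

# Usage: name_profile NAME < old_profile > new_profile
name_profile() {
    name=$1
    sed -E "s|^(/[^[:space:]]+)([^{]*\{)[[:space:]]*$|profile $name \1\2|"
}

# Constructed sample profile mirroring the snippet in the message; it is
# not Debian's real ioquake3 profile, so the example runs without touching
# anything in /etc/apparmor.d.
sample_profile() {
    printf '%s\n' \
        '# /etc/apparmor.d/usr.lib.ioquake3.ioquake3' \
        '/usr/lib/ioquake3/ioquake3 flags=(complain) {' \
        '  /usr/lib/ioquake3/** r,' \
        '  /usr/lib/ioquake3/ioquake3 mr,' \
        '}'
}

# Returns only the rewritten header line (line 2 of the sample), which is
# the single line the transform is supposed to change.
renamed_header() {
    sample_profile | name_profile "$1" | sed -n '2p'
}

# Sanity check: everything except the header must be byte-for-byte
# identical before and after the rewrite. Prints "yes" or "no".
body_untouched() {
    a=$(sample_profile | sed '2d')
    b=$(sample_profile | name_profile "$1" | sed '2d')
    [ "$a" = "$b" ] && echo yes || echo no
}

# Show the full rewritten profile when the script is run directly.
sample_profile | name_profile ioquake3
```

Before loading the rewritten file, it is worth running it through `apparmor_parser` in its no-load mode on a test machine to confirm the parser accepts the new header and that the attachment path is unchanged, since the whole point of the transform is to keep confinement of the same binary while only the profile's name changes.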
