Hello,

On Saturday, 27 July 2019, 04:06:55 CEST, Neal Gompa wrote:
It was agreed long ago to do this for this reason and many others, but it just lost steam as time went on, so SUSE distributions have been in a half-completed state for years. Finishing it is *not* difficult.
I agree in general, but the devil is in the detail ;-)

As you probably know, AppArmor checks permissions _after_ resolving symlinks, so you'll need to change rules for /bin/foo to /usr/bin/foo or better (to cover both paths) /{usr/,}bin/foo.

I've already done that for the profiles I'm aware of (see boo#1132350), but I can't promise that I found all packages shipping AppArmor profiles.

One thing that still needs a change is the docker AppArmor profile, which is - to make things more funny - hardcoded into template.go and (AFAIK) gets piped into apparmor_parser directly from there:
https://github.com/docker/docker-ce/blob/master/components/engine/contrib/apparmor/template.go
All the /bin/, /sbin/ and /lib/ paths need to be adjusted for usrMerge.

AFAIK podman also hides its profile in its source code, but I don't know in which file exactly.

Regards,

Christian Boltz
--
if you need a helping hand, you will find one at the end of your arm. [Donald Tusk, https://twitter.com/eucopresident/status/996731038062862336]
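
As an added example (not part of the original mail, and not code from AppArmor, docker or openSUSE), a small Python audit that flags profile rules still using the pre-usrMerge /bin/, /sbin/ and /lib/ prefixes and suggests the /{usr/,}... form described above. The sample profile is constructed and the function names are hypothetical.

```python
import re

# Top-level directories named in the mail that usrMerge moves under /usr.
MERGED_DIRS = ("bin", "sbin", "lib")

# Match /bin/, /sbin/ or /lib/ only where the path starts, so that
# /usr/bin/, /{usr/,}bin/, @{HOME}/bin/ and /opt/x/bin/ are left alone.
_PATH_RE = re.compile(r"(?<![\w/}.*-])/(%s)/" % "|".join(MERGED_DIRS))


def merge_rule(line):
    """Rewrite un-merged path prefixes on one profile line to /{usr/,}dir/."""
    if line.lstrip().startswith("#"):  # whole-line comments and #include
        return line
    return _PATH_RE.sub(lambda m: "/{usr/,}%s/" % m.group(1), line)


def audit_profile(text):
    """Return (line number, original rule, suggested rule) per finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fixed = merge_rule(line)
        if fixed != line:
            findings.append((lineno, line.strip(), fixed.strip()))
    return findings


# Constructed sample profile, not taken from any shipped package.
SAMPLE = """\
# constructed sample profile
profile example /bin/foo {
  /bin/cat ixr,
  /usr/bin/env ixr,
  /{usr/,}sbin/ldconfig mrix,
  /lib/ld-*.so mr,
  deny /sbin/reboot x,
  /opt/tool/bin/helper px,
}
"""

if __name__ == "__main__":
    for lineno, old, new in audit_profile(SAMPLE):
        print("line %d: %s  ->  %s" % (lineno, old, new))
```

Rules that already name /usr/bin/foo only are not flagged; they keep working after the merge because the symlink is resolved before the check.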