[pkg-apparmor] Bug#871441: apparmor: Including tunables/sys to tunables/global?

Vincent Blut vincent.debian at free.fr
Mon Oct 30 15:39:03 UTC 2017


Hey,

On Mon, Oct 30, 2017 at 10:41:56AM +0100, intrigeri wrote:
>Control: forwarded -1 https://bugs.launchpad.net/apparmor/+bug/1728551
>
>Hi,
>
>John Johansen:
>> On 09/20/2017 07:32 AM, intrigeri wrote:
>>> I see that tunables/sys was introduced in 2012 by John (Cc'ed) as part
>>> of a commit that adds "abstractions to support the apparmor api".
>>> On my system, nothing uses these abstractions nor the @{sys} tunable.
>>> So I admit I have no idea what problem @{sys} is meant to solve.
>>> If it _is_ useful then it should be used everywhere instead of /sys/,
>>> which requires quite some work for no obvious (to me) benefit.
>>>
>>> John, what do you think?
>
>> yeah, I think it would be worth starting to do the conversion of
>> /sys/ to @{sys} as has been done with /proc/ to @{proc}
>
>> with that said I haven't ever seen sys mounted somewhere different
>> than /sys/ where I have seen that for proc.
>
>> The big win of course is when fstype conditionals land at which
>> point @{sys} could be further restricted to be /sys/ with an
>> fs type of sysfs or even allowing disconnected access to sysfs.
>
>> As for why this was introduced as part of the api abstraction,
>> profile management is done through sys and you probably haven't
>> seen it because it's not currently common to confine services
>> doing profile management.
>
>> I expect that will change more in the future as we open up policy
>> namespaces more, which will safely allow users and applications
>> to load their own policy.
>
>Thanks for the explanation. I've filed an upstream bug about this.

Thanks a lot for handling this!

>Cheers,
>-- 
>intrigeri

Have a good day,
Vincent
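
The /sys/ to @{sys} conversion John Johansen describes above, sketched as an added example that is not part of this thread or of AppArmor's own tooling. It assumes tunables/sys defines `@{sys}=/sys/` and, as the bug's subject line asks about, that tunables/global does not already include it; the helper names and the sample profile are constructed.

```python
import re

# Assumption: tunables/sys defines @{sys}=/sys/, the way tunables/proc defines @{proc}.
SYS_PATH = re.compile(r'(?<![^\s"])/sys/')      # /sys/ at the start of a path only
COMMENT = re.compile(r'(?:^|\s)#')              # start of a trailing comment
VAR_DEF = re.compile(r'^\s*@\{\w+\}\s*\+?=')    # tunable definitions stay literal
INCLUDE_SYS = re.compile(r'^\s*#?include\s+<tunables/sys>', re.M)

# Constructed sample profile, not taken from any package.
SAMPLE = '''#include <tunables/global>

profile example /usr/bin/example {
  #include <abstractions/base>
  # reads /sys/ for topology
  /sys/devices/system/cpu/** r,
  owner @{proc}/@{pid}/status r,
  deny "/sys/firmware/efi/**" rw,   # keep /sys/firmware closed
  /var/lib/sys/cache r,
}
'''

def convert_line(line):
    """Rewrite literal /sys/ path prefixes in one rule line to @{sys}/."""
    if VAR_DEF.match(line) or line.lstrip().startswith("#"):
        return line, 0                  # definitions, comments, #include lines
    m = COMMENT.search(line)
    cut = m.start() if m else len(line)
    code, n = SYS_PATH.subn("@{sys}/", line[:cut])
    return code + line[cut:], n         # trailing comment is left untouched

def convert_profile(text):
    """Return (converted profile text, number of paths rewritten)."""
    out, total = [], 0
    for line in text.splitlines():
        new, n = convert_line(line)
        out.append(new)
        total += n
    return "\n".join(out) + "\n", total

def missing_sys_include(text):
    """True if rules use @{sys} but the profile never includes tunables/sys."""
    rules = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    return any("@{sys}" in l for l in rules) and not INCLUDE_SYS.search(text)

if __name__ == "__main__":
    converted, count = convert_profile(SAMPLE)
    print(converted)
    print(f"{count} path(s) converted; include needed: {missing_sys_include(converted)}")
```
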