| sdeziel | I'm looking at a problem involving LXD, Apparmor and mount rules and I'd appreciate if someone could help me :) | 00:39 |
|---|---|---|
| sdeziel | what I'm seeing suggest that mount options *ordering* would be relevant | 00:39 |
| sarnold | you should pick easier problems :) | 00:39 |
| sdeziel | https://github.com/lxc/lxd/blob/master/lxd/apparmor/instance_lxc.go#L177: mount options=(ro,remount,bind,noatime) /[^spd]*{,/**}, | 00:39 |
| sdeziel | https://github.com/lxc/lxd/blob/master/lxd/apparmor/instance_lxc.go#L194: mount options=(ro,remount,noatime,bind) /[^spd]*{,/**}, | 00:39 |
| sdeziel | sarnold: haha | 00:40 |
| sdeziel | are the above 2 rules redundant and LXD devs were overly zealous? Or is AppArmor really that picky? | 00:40 |
| sdeziel | or maybe a past version of AppArmor was had a bug forcing this kind of workaround? | 00:41 |
| sdeziel | sarnold: I don't think I pick problems, they seem to pick me </victim> | 00:42 |
| sarnold | sdeziel: I'm pretty sure those compile to the same thing.. | 00:46 |
| sarnold | oh ffs .. I overlooked that these dump output to stderr, no stdout.. | 00:47 |
| sdeziel | sarnold: if you are positive those compile to the same, I'll send a PR killing this madness ;) | 00:48 |
| sarnold | https://termbin.com/qpfjo | 00:48 |
| sdeziel | sarnold: thanks for checking and teaching me how to do, much appreciated (as always) | 00:49 |
| sarnold | sdeziel: it'd be reassuring if you fiddled with it a bit and saw similar things to convince you :) hehe | 00:50 |
| sdeziel | sarnold: I intend to compare 2 dumps of the lxd generated profiles, one as-is and the other with the order alternations removed. I'd do this once on 18.04 and another on 20.04. Does that sound like a good test? Or should I throw in something more modern in terms of AA version? | 00:54 |
| sarnold | sdeziel: that sounds like an excellent approach :) | 00:55 |
| sdeziel | awesome, thanks again! | 00:55 |
| sarnold | sdeziel: it might also be possible / better to compare the binary blobs from the cache directories, but I don't know for sure that they're going to be deterministic ;( | 00:55 |
| sarnold | I sure expect them to be.. | 00:55 |
| sdeziel | yeah, good point | 00:58 |
| sdeziel | sarnold: let's hope I did it right: https://github.com/lxc/lxd/pull/9342 | 03:36 |
| ubottu | Pull 9342 in lxc/lxd "Apparmor simplification" [Open] | 03:36 |
| sarnold | sdeziel: woot! nice :) thanks | 17:07 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!