[00:39] <sdeziel> I'm looking at a problem involving LXD, AppArmor and mount rules and I'd appreciate it if someone could help me :)
[00:39] <sdeziel> what I'm seeing suggests that mount options *ordering* would be relevant
[00:39] <sarnold> you should pick easier problems :)
[00:39] <sdeziel> https://github.com/lxc/lxd/blob/master/lxd/apparmor/instance_lxc.go#L177: mount options=(ro,remount,bind,noatime) /[^spd]*{,/**},
[00:39] <sdeziel> https://github.com/lxc/lxd/blob/master/lxd/apparmor/instance_lxc.go#L194: mount options=(ro,remount,noatime,bind) /[^spd]*{,/**},
[00:40] <sdeziel> sarnold: haha
[00:40] <sdeziel> are the above 2 rules redundant and LXD devs were overly zealous? Or is AppArmor really that picky?
[00:41] <sdeziel> or maybe a past version of AppArmor had a bug forcing this kind of workaround?
[00:42] <sdeziel> sarnold: I don't think I pick problems, they seem to pick me </victim>
[00:46] <sarnold> sdeziel: I'm pretty sure those compile to the same thing..
[00:47] <sarnold> oh ffs .. I overlooked that these dump output to stderr, not stdout..
[00:48] <sdeziel> sarnold: if you are positive those compile to the same, I'll send a PR killing this madness ;)
[00:48] <sarnold> https://termbin.com/qpfjo
[00:49] <sdeziel> sarnold: thanks for checking and teaching me how to do it, much appreciated (as always)
[00:50] <sarnold> sdeziel: it'd be reassuring if you fiddled with it a bit and saw similar things to convince you :) hehe
[00:54] <sdeziel> sarnold: I intend to compare 2 dumps of the lxd generated profiles, one as-is and the other with the order alternations removed. I'd do this once on 18.04 and another on 20.04. Does that sound like a good test? Or should I throw in something more modern in terms of AA version?
[00:55] <sarnold> sdeziel: that sounds like an excellent approach :)
[00:55] <sdeziel> awesome, thanks again!
[00:55] <sarnold> sdeziel: it might also be possible / better to compare the binary blobs from the cache directories, but I don't know for sure that they're going to be deterministic ;(
[00:55] <sarnold> I sure expect them to be..
[00:58] <sdeziel> yeah, good point
[03:36] <sdeziel> sarnold: let's hope I did it right: https://github.com/lxc/lxd/pull/9342
[17:07] <sarnold> sdeziel: woot! nice :) thanks