=== chris_ is now known as ChrisADR
nick | message | time |
---|---|---|
ahasenack | I'm wondering about best practices | 12:47 |
ahasenack | I'm confining a little python service, one-shot service | 12:47 |
ahasenack | runs, and exits | 12:47 |
ahasenack | it can call, among other things, /usr/bin/cloud-id | 12:47 |
ahasenack | so I'm creating a child/subprofile for it | 12:47 |
ahasenack | cloud-id, however, calls many other things, like systemd-detect-virt | 12:48 |
ahasenack | and I'm creating another subprofile for systemd-detect-virt | 12:48 |
ahasenack | these are all nested now | 12:48 |
ahasenack | python-service Cx -> cloud-id Cx -> systemd-detect-virt | 12:48 |
ahasenack | is that ok? | 12:48 |
ahasenack | I guess one point is if I want that subprofile to be generally available outside of my python-service execution | 12:49 |
ahasenack | I'm reminded that aa-logprof can't do nested profile log analysis | 12:49 |
ahasenack | the tree looks like this for now: https://pastebin.ubuntu.com/p/98hftZCHBd/ | 12:51 |
ahasenack | crazy, or "well done!" | 12:52 |
ahasenack | ? | 12:52 |
ahasenack | (ignore the flags=complain, still troubleshooting things) | 12:52 |
ahasenack | I'm thinking child profile is better, because I'm tailoring this profile exactly to the execution of the python service, so the profile for, say, systemctl, is not a generic profile for all possible use cases of systemctl | 12:53 |
ahasenack | and so on | 12:53 |
ahasenack | beware, https://pastebin.ubuntu.com/p/98hftZCHBd/ crashes the kernel | 14:02 |
ahasenack | https://gitlab.com/apparmor/apparmor/-/issues/346 | 14:02 |
-ubottu:#ubuntu-security- | Issue 346 in apparmor/apparmor "kernel null pointer dereference loading an invalid AppArmor profile, regression since 6.1" [Opened] | 14:02 |
ahasenack | just found out the hard way :) | 14:02 |
sbeattie | ahasenack: oh lovely. | 16:23 |
=== hank_ is now known as hank