[12:47] <ahasenack> I'm wondering about best practices
[12:47] <ahasenack> I'm confining a little python service, one-shot service
[12:47] <ahasenack> runs, and exits
[12:47] <ahasenack> it can call, among other things, /usr/bin/cloud-id
[12:47] <ahasenack> so I'm creating a child/subprofile for it
[12:48] <ahasenack> cloud-id, however, calls many other things, like systemd-detect-virt
[12:48] <ahasenack> and I'm creating another subprofile for systemd-detect-virt
[12:48] <ahasenack> these are all nested now
[12:48] <ahasenack> python-service Cx -> cloud-id Cx -> systemd-detect-virt
[12:48] <ahasenack> is that ok?
[12:49] <ahasenack> I guess one point is if I want that subprofile to be generally available outside of my python-service execution
[12:49] <ahasenack> I'm reminded that aa-logprof can't do nested profile log analysis
[12:51] <ahasenack> the tree looks like this for now: https://pastebin.ubuntu.com/p/98hftZCHBd/
[12:52] <ahasenack> crazy, or "well done!"
[12:52] <ahasenack> ?
[12:52] <ahasenack> (ignore the flags=complain, still troubleshooting things)
[12:53] <ahasenack> I'm thinking child profile is better, because I'm tailoring this profile exactly to the execution of the python service, so the profile for, say, systemctl, is not a generic profile for all possible use cases of systemctl
[12:53] <ahasenack> and so on
[14:02] <ahasenack> beware, https://pastebin.ubuntu.com/p/98hftZCHBd/ crashes the kernel
[14:02] <ahasenack> https://gitlab.com/apparmor/apparmor/-/issues/346
[14:02] -ubottu:#ubuntu-security- Issue 346 in apparmor/apparmor "kernel null pointer dereference loading an invalid AppArmor profile, regression since 6.1" [Opened]
[14:02] <ahasenack> just found out the hard way :)
[16:23] <sbeattie> ahasenack: oh lovely.