[apparmor] Ubuntu / Debian namespaces [Was: include IceWeasel in FireFox abstraction]

Thu Apr 26 13:29:06 UTC 2012

On Wed, 2012-04-25 at 22:38 +0200, intrigeri wrote:
> Hi,
> 
> Jamie Strandboge wrote (25 Apr 2012 12:21:26 GMT) :
> > So I guess I just wanted to bring up the point that Debian may want
> > to consider their own namespace.
> 
> Thank you for raising this point.
> 
> It seems to me very little of abstractions/ubuntu-* is
> Ubuntu-specific. Most of it could easily be shared with Debian.
> Duplicating all the Ubuntu abstractions into abstractions/debian-*
> would basically mean maintaining our own Debian fork of Ubuntu
> abstractions; I assume everybody here agrees this is not desirable.
> 
> Assuming we want to somehow share these abstractions and the
> maintenance thereof, the cheapest way may be to simply keep the
> current ubuntu-* names, consider it as Debian's upstream, and merge
> the tiny Debian -specific stuff into there as needed.

I tend to agree, which is why I acked the patch.

To put a little history here: AppArmor abstractions usually don't
contain any 'x' permissions. Since Ubuntu was trying to confine some
userspace apps like firefox and evince which are allowed to launch
helper applications, and we didn't want to confine those helper
applications too, we needed abstractions to add a considerable number of
'x' rules for these various helpers. This was something we were willing
to do in Ubuntu, but didn't want to bless in upstream AppArmor.
Considering the current state of environment filtering in AppArmor (and
that we now have that funky 'sanitized_helper' child profile in the
Ubuntu abstractions), I agree with this decision.

Because these Ubuntu abstractions might be useful to some people, we as
upstream AppArmor did want to ship them, but it was decided that
distributions could maintain their own namespace for these types of
abstractions, and then distributors could choose to install or not
install the different namespaces (eg, afaik, OpenSUSE is not shipping
the Ubuntu abstractions).

> If, at some later point, the Debian -specific bits start to be too
> large, invasive or incompatible, I'm happy to consider moving these
> into Debian-specific abstractions. Alternatively, we could move
> ubuntu-* to debian-* and have every such file include a derivative-$1
> file, where e.g. Ubuntu -specific bits would go, but well, this would
> look totally backwards to me wrt. the reality of who is upstream and
> who's not on this topic.

> What do you think?

I think the derivative- approach is overly complicated. I think being
pragmatic as you suggest is the way to go. We can continue to treat the
Ubuntu and Debian relationship as special (which it is :) and if Debian
needs something truly Debian-specific, a new debian- abstraction can be
used. TBH, I doubt this will happen.

> (Note that I intend to push into Debian AppArmor profiles taken from
> Ubuntu real soon now, starting with usr.bin.evince that, to name one,
> includes more than a dozen of Ubuntu abstractions, and works
> perfectly, as-is, on current Debian unstable.)

Awesome! Another one you might want to target early on is
telepathy-mission-control-5 since the only delta with Debian is the
AppArmor one (iirc).

-- 
Jamie Strandboge             | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120426/ecf1d0b0/attachment.pgp>