[apparmor] cross-distribution profile repo
intrigeri
intrigeri at debian.org
Wed Aug 27 23:39:31 UTC 2014
Hi,

Christian Boltz wrote (28 Jul 2014 20:14:04 GMT) :

> On Monday, 28 July 2014, Jamie Strandboge wrote:
>> As for what Ubuntu is currently doing with apparmor-profiles, we
>> actively took the decision to have placeholders if we ship them in
>> our distro since we don't want to have to maintain them in two
>> places. I think what you are suggesting would suffer from the same
>> issue, unless I am missing something? How do people see avoiding this
>> with the new way?

> I know the placeholders make sense for Ubuntu (to avoid duplication),
> but they make it hard for other distributions to pick up the profiles.

Agreed.

> I'd propose to automatically "collect" the profiles from all packages
> and store them in a subdirectory of apparmor-profiles/$distro/$release.
> Something like "maintained-in-package/" (or
> "maintained-in-package/$package/").

Agreed. As a bonus, this would make it easier for Debian AppArmor
people to address situations like when a Debian package suddenly
starts shipping an AppArmor profile coming from upstream (lxc,
lightdm), that relies on out-of-tree kernel features. If we had
a central place where we could monitor this, then we would be in
a better position to promptly fix things up. Same when Ubuntu updates
a profile, and we have to pull it into apparmor-profiles-extra or into
the corresponding individual package in Debian.

> Collecting the profiles should be fully automated, so that we just need
> a cronjob that pulls all packages containing profiles regularly,
> extracts the profiles and pushes them to the apparmor-profiles repo.

Yes, that's what I've had in mind for a while, without having time to
write it down unfortunately. Here we go.

Identifying packages that ship profiles should be easy, e.g. on Debian
and derivatives, one should look for packages that "Suggests:
apparmor". This would be the first iteration.

Once we have this list for major distros, retrieving the profiles
themselves is pretty easy when they can be found in expected places.
E.g. I've been using this script to pull profiles from individual
Ubuntu packages:

http://anonscm.debian.org/gitweb/?p=collab-maint/apparmor-profiles-extra.git;a=blob;f=debian/scripts/pull-profile-from-ubuntu

Dealing with the easy cases in an automated way would be the
second iteration.

Now, assuming this covers the easy/general case, what to do with the
remaining exceptions? I think we could work towards unifying where
we put profiles in source packages, so that more packages fall into
the easy/general case. But there'll always be situations that don't
fit into the general scheme (e.g. profile shipped in the upstream
tarball, and upstream doesn't want to rename/move it), so we'll also
probably need some place to put information about the remaining
exceptions, e.g. package name -> profile(s) location in the source
package or VCS, with optional per-{distro,distro release,package
version} overrides or similar to handle differences. This would be the
third iteration.

Maintaining profiles in two places should not be a problem for distros
(particularly, Ubuntu), if the collecting process is automated, right?

Cheers,
--
intrigeri
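The three iterations sketched in the message above (find packages that "Suggests: apparmor", look for their profiles in an expected place, and keep an exceptions map with per-distro/release overrides for the rest), as an added worked example that is not part of the original mail or of the apparmor-profiles-extra scripts. The Packages index stanzas are constructed sample data, the default profile location "debian/apparmor/*" is an assumed convention, and the exceptions map, distro and release names are hypothetical:

```python
import re

# Constructed sample of a Debian-style "Packages" index (not real package data).
SAMPLE_PACKAGES_INDEX = """\
Package: foo-daemon
Version: 1.2-3
Suggests: apparmor, foo-doc
Filename: pool/main/f/foo-daemon/foo-daemon_1.2-3_amd64.deb

Package: bar-tool
Version: 0.9-1
Depends: libc6
Filename: pool/main/b/bar-tool/bar-tool_0.9-1_amd64.deb

Package: baz-service
Version: 2.0-1
Suggests: apparmor (>= 2.8) | selinux-policy-default
Filename: pool/main/b/baz-service/baz-service_2.0-1_amd64.deb
"""


def parse_packages_index(text):
    """Split an RFC822-style index into one dict per stanza (continuation lines joined)."""
    stanzas, current, last_field = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_field = {}, None
            continue
        if line[0] in " \t" and last_field:
            current[last_field] += " " + line.strip()
            continue
        field, _, value = line.partition(":")
        last_field = field.strip()
        current[last_field] = value.strip()
    if current:
        stanzas.append(current)
    return stanzas


_PKG_NAME = re.compile(r"[a-z0-9][a-z0-9+.\-]*")


def relationship_names(field_value):
    """Bare package names in a Depends/Suggests-style field, ignoring version
    constraints, architecture qualifiers and alternatives markers."""
    names = set()
    for group in field_value.split(","):
        for alternative in group.split("|"):
            match = _PKG_NAME.match(alternative.strip())
            if match:
                names.add(match.group(0))
    return names


def packages_suggesting_apparmor(index_text):
    """First iteration: every package whose Suggests field names apparmor."""
    return sorted(
        stanza["Package"]
        for stanza in parse_packages_index(index_text)
        if "apparmor" in relationship_names(stanza.get("Suggests", ""))
    )


# Second iteration: the expected place in the source package (assumed convention).
DEFAULT_PROFILE_GLOB = "debian/apparmor/*"

# Third iteration: exceptions map, package name -> profile location(s) in the
# source package, with optional (distro, release) overrides. Hypothetical data.
EXCEPTIONS = {
    "baz-service": {
        "default": ["contrib/apparmor/usr.sbin.bazd"],
        "overrides": {
            ("ubuntu", "trusty"): ["debian/usr.sbin.bazd"],
            ("ubuntu", None): ["debian/apparmor-profile/usr.sbin.bazd"],
        },
    },
}


def profile_locations(package, distro, release):
    """Where to pull profiles from: most specific override, then the package's
    default, then the general convention."""
    entry = EXCEPTIONS.get(package)
    if entry is None:
        return [DEFAULT_PROFILE_GLOB]
    overrides = entry.get("overrides", {})
    for key in ((distro, release), (distro, None)):
        if key in overrides:
            return overrides[key]
    return entry["default"]


if __name__ == "__main__":
    for pkg in packages_suggesting_apparmor(SAMPLE_PACKAGES_INDEX):
        for distro, release in (("debian", "jessie"), ("ubuntu", "trusty")):
            print(pkg, distro, release, profile_locations(pkg, distro, release))
```

The collector cron job would feed the real Packages index of each tracked distro/release into `packages_suggesting_apparmor`, then copy the files matched by `profile_locations` into `apparmor-profiles/$distro/$release/maintained-in-package/$package/`; only packages whose profiles live somewhere unusual need an entry in the exceptions map.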