[apparmor] Fwd: Bug#735470: Could be implemented centrally with a dpkg trigger instead of requiring every package shipping an apparmor file to use dh_apparmor

Seth Arnold seth.arnold at canonical.com
Wed Jan 15 19:14:07 UTC 2014

On Wed, Jan 15, 2014 at 07:30:52PM +0100, intrigeri wrote:
> Didier Raboud suggested to use dpkg triggers for what dh_apparmor
> does, and is happy to give a hand. See the attached message.
> Thank you, Didier!
> What do the original dh_apparmor authors / Ubuntu folks think?
> Any reason Didier missed, that explains why this might not be that
> good an idea?

Thanks for forwarding this along intrigeri.

> From: Didier Raboud <odyx at debian.org>
> While updating src:cups to solve #735313, I went and took a look at
> dh-apparmor and I gained the convictions that this would be better
> implemented as part of a centralized dpkg-trigger (in apparmor probably)
> instead of being replicated across all packages shipping apparmor files
> (although this is significantly helped with dh-apparmor).
> apparmor could have an 'interest /etc/apparmor.d/' triggers file and its
> postinst would then do the machinery to create (or remove) the
> /etc/apparmor.d/local/* files accordingly.

This does sound nice, but the next part worries me..

> This could also have the side benefit of only running apparmor_parser
> once for all files installed at the same time.

When would this single apparmor_parser run happen? It needs to happen
before daemons are started or restarted in their postinst scripts,
otherwise the AppArmor policy won't be enforced.

> You might be interested in taking a look at cups's postinst to see how
> timestamps are kept to avoid useless re-processing, although an initial
> trigger processing code could just replicate dh-apparmor's postinst code
> for all apparmor profiles found.
> I'd be happy to help with this feature, just ask if you need help!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: Digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140115/91c6b428/attachment.pgp>

More information about the AppArmor mailing list