[apparmor] Bug#735470: Fwd: Bug#735470: Could be implemented centrally with a dpkg trigger instead of requiring every package shipping an apparmor file to use dh_apparmor

Jamie Strandboge jamie at canonical.com
Fri Jan 17 16:07:02 UTC 2014

On 01/16/2014 06:23 PM, Seth Arnold wrote:
> One of my work-items for 14.04 LTS is to rework the AppArmor policy
> loading.

> If dh_apparmor doesn't currently use --write-cache we should make it do
> so, to allow the compilation to be saved for later. Same with the click
> packaging hooks.

dh_apparmor does: apparmor_parser -r -T -W "$APP_PROFILE". click-apparmor uses
'--write-cache' by default (see apparmor/click.py:load_profile()).

> Upstart currently has some AppArmor policy knowledge built-in. We should
> also make sure it Does The Right Thing, ideally that'd be mostly up to
> the parser to get correct.

Marc implemented this-- you might talk to him about it.

> I'm sure there's more I've over-looked, I've not looked at this for a
> while, so please feel free to speak up if I've overlooked important
> considerations.

click-apparmor also provides the click-apparmor.conf upstart job to make sure
'aa-clickhook -f' gets run. This little nugget is actually the straw that broke
the camel's back on me wanting us to revamp policy load. :)

Jamie Strandboge                 http://www.ubuntu.com/
