[apparmor] cross-distribution profile repo

Christian Boltz apparmor at cboltz.de
Mon Jul 28 19:16:25 UTC 2014 

Hello,

Am Montag, 28. Juli 2014 schrieb Jamie Strandboge:
> On 07/27/2014 12:47 PM, Christian Boltz wrote:
> > I discussed a bit with intrigeri about a profile repo for
> > cross-distribution usage and profile sharing. Here's the log -
> > feedback welcome ;-)

> > [19:08:47] <cboltz> just as a quick idea:
> > http://paste.opensuse.org/96760488
> > 
> > + apparmor-profiles
> >   |-- debian
> >   |   |-- Wheezy
> >   |   '-- Jessie
> >   |-- openSUSE
> >   |   |-- 12.3
> >   |   '-- 13.1
> >   '-- Ubuntu
> >       |-- Trusty_Tahr
> >       '-- Utopic_Unicorn
> 
> This is the intent for apparmor-profiles, but so far only Ubuntu has
> put profiles there. I think it would be great to have other distro
> profiles in there. You've probably seen this, but in case you
> haven't:
> 
> http://wiki.apparmor.net/index.php/Profiles

Yes, I know this page and the apparmor-profiles repo.

> Now, the way Ubuntu handles profiles is that we ship production
> distro-profiles in the packages themselves and the apparmor-profiles
> repository is a place for in progress profiles or profiles that for
> some reason don't fit with the distro. We ship the profiles in the
> packages themselves so that package maintainers (ie, the people who
> know the software being confined best) are able to update the
> profiles and also to avoid a central profiles package that is gated
> on a handful of developers (or fewer). As such, the apparmor-profiles
> bzr repo doesn't have the profiles that Ubuntu actually ships (but we
> do leave the profile file in place with a note on where to find the
> official profile (see ubuntu/14.10/usr.bin.evince as an example).

I think we had this discussion in the past already ;-)

Shipping profiles in the respective package is nice if it works (and the 
package maintainers take care for the profile), and horrible if the 
maintainers don't care.

For openSUSE, bugreports about AppArmor profiles tend to be assigned to 
me first (not a big surprise), and there are also a few packagers who 
include profiles in their package and care for the profiles.

However, that's not the point of the cross-distribution repo ;-)


The point is to
a) have a place where _all profiles_ of _all distributions_ are 
   available (no, I do not want the "this profile is maintained in 
   $package" placeholders - instead, I'd like to have them automatically 
   pulled from the packages regularly so that I don't have to hunt 
   through the packages of 5 distributions - maybe do this in a 
   subdirectory "maintained-in-package" (or "maintained-in-
   package/$package") to make clear where they come from)
b) merge the profiles "upwards", for example from "openSUSE 13.1" to 
   "openSUSE" (which ideally means "all supported releases" or at least 
   "the next release") and finally to the global level for all 
   distributions.

The big goal is b), a) is just a way to make it easier ;-)


I'm quite sure it's possible to create cross-distribution profiles 
(hint: we already do that with the profiles we ship in the AppArmor 
tarball ;-)

The permissions and paths required for accessing binaries, libraries 
etc. are (nearly) the same everywhere, so that can easily be merged, 
even if we need some /{usr/,}bin/foo magic in some cases.

Paths for data directories might differ, but it's easy to separate them 
out to tunables/ so that the main profile can be shared. 
That means a 99% win, with 1% distro-specific tunables/ remaining.


Abstractions should be the same everywhere IMHO, so we should enforce 
that changed and new abstractions are always pushed to the apparmor 
repo.
This also means to disallow abstractions in the apparmor-profiles repo.


And finally - why should we do this?

Easy answer: because programmers and packagers are lazy - it's easier to 
copy the cross-distro profile into your package (and maybe patch the 
tunables/ part) than maintaining a profile that is specific for your 
distro ;-)

As a side effect ;-) we get profiles for more applications that 
(hopefully) work everywhere.

Yes, I know merging profiles causes some work, but on the long term I 
hope it makes it easier for everybody.


Regards,

Christian Boltz
-- 
> You say our final product doesn't have bugs worth tracking?
No. Your final products are in general known for their bugginess.
This could be a marketing decision to assure your jobs. ;-))
[> Stephan Kulow and Eberhard Mönkeberg in opensuse-factory]

More information about the AppArmor mailing list