[apparmor] cross-distribution profile repo

[Jamie Strandboge]

On 07/28/2014 02:16 PM, Christian Boltz wrote:
> Hello,
> 
> Am Montag, 28. Juli 2014 schrieb Jamie Strandboge:
>> On 07/27/2014 12:47 PM, Christian Boltz wrote:
>>> I discussed a bit with intrigeri about a profile repo for
>>> cross-distribution usage and profile sharing. Here's the log -
>>> feedback welcome ;-)
> 
>>> [19:08:47] <cboltz> just as a quick idea:
>>> http://paste.opensuse.org/96760488
>>>
>>> + apparmor-profiles
>>>   |-- debian
>>>   |   |-- Wheezy
>>>   |   '-- Jessie
>>>   |-- openSUSE
>>>   |   |-- 12.3
>>>   |   '-- 13.1
>>>   '-- Ubuntu
>>>       |-- Trusty_Tahr
>>>       '-- Utopic_Unicorn
>>
>> This is the intent for apparmor-profiles, but so far only Ubuntu has
>> put profiles there. I think it would be great to have other distro
>> profiles in there. You've probably seen this, but in case you
>> haven't:
>>
>> http://wiki.apparmor.net/index.php/Profiles
> 
> Yes, I know this page and the apparmor-profiles repo.
> 
>> Now, the way Ubuntu handles profiles is that we ship production
>> distro-profiles in the packages themselves and the apparmor-profiles
>> repository is a place for in progress profiles or profiles that for
>> some reason don't fit with the distro. We ship the profiles in the
>> packages themselves so that package maintainers (ie, the people who
>> know the software being confined best) are able to update the
>> profiles and also to avoid a central profiles package that is gated
>> on a handful of developers (or fewer). As such, the apparmor-profiles
>> bzr repo doesn't have the profiles that Ubuntu actually ships (but we
>> do leave the profile file in place with a note on where to find the
>> official profile (see ubuntu/14.10/usr.bin.evince as an example).
> 
> I think we had this discussion in the past already ;-)
> 
> Shipping profiles in the respective package is nice if it works (and the 
> package maintainers take care for the profile), and horrible if the 
> maintainers don't care.
> 
> For openSUSE, bugreports about AppArmor profiles tend to be assigned to 
> me first (not a big surprise), and there are also a few packagers who 
> include profiles in their package and care for the profiles.
> 
> However, that's not the point of the cross-distribution repo ;-)
> 
> 
> The point is to
> a) have a place where _all profiles_ of _all distributions_ are 
>    available (no, I do not want the "this profile is maintained in 
>    $package" placeholders - instead, I'd like to have them automatically 
>    pulled from the packages regularly so that I don't have to hunt 
>    through the packages of 5 distributions - maybe do this in a 
>    subdirectory "maintained-in-package" (or "maintained-in-
>    package/$package") to make clear where they come from)
> b) merge the profiles "upwards", for example from "openSUSE 13.1" to 
>    "openSUSE" (which ideally means "all supported releases" or at least 
>    "the next release") and finally to the global level for all 
>    distributions.
> 
> The big goal is b), a) is just a way to make it easier ;-)
> 
> 
> I'm quite sure it's possible to create cross-distribution profiles 
> (hint: we already do that with the profiles we ship in the AppArmor 
> tarball ;-)
> 
> The permissions and paths required for accessing binaries, libraries 
> etc. are (nearly) the same everywhere, so that can easily be merged, 
> even if we need some /{usr/,}bin/foo magic in some cases.
> 
> Paths for data directories might differ, but it's easy to separate them 
> out to tunables/ so that the main profile can be shared. 
> That means a 99% win, with 1% distro-specific tunables/ remaining.
> 
> 
> Abstractions should be the same everywhere IMHO, so we should enforce 
> that changed and new abstractions are always pushed to the apparmor 
> repo.
> This also means to disallow abstractions in the apparmor-profiles repo.
> 
> 
> And finally - why should we do this?
> 
> Easy answer: because programmers and packagers are lazy - it's easier to 
> copy the cross-distro profile into your package (and maybe patch the 
> tunables/ part) than maintaining a profile that is specific for your 
> distro ;-)
> 
> As a side effect ;-) we get profiles for more applications that 
> (hopefully) work everywhere.
> 
> Yes, I know merging profiles causes some work, but on the long term I 
> hope it makes it easier for everybody.
> 

I think you misunderstood my email. I was not advocating the status quo, I was
merely stating what it is and what Ubuntu is currently doing. I am all for
getting more people profing and making the repo more usable for people and
welcome the discussion.

As for what Ubuntu is currently doing with apparmor-profiles, we actively took
the decision to have placeholders if we ship them in our distro since we don't
want to have to maintain them in two places. I think what you are suggesting
would suffer from the same issue, unless I am missing something? How do people
see avoiding this with the new way?

-- 
Jamie Strandboge                 http://www.ubuntu.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20140728/ada198ee/attachment-0001.pgp>