[apparmor] Sharing profiles maintenance once they're ready for production

Christian Boltz apparmor at cboltz.de
Mon Mar 10 21:06:11 UTC 2014


On Friday, 17 January 2014, intrigeri wrote:
> 1. I've little experience maintaining profiles in a cross-distro way,
>    but I suspect that tunables should be enough to cope with most
>    distribution-specific deltas. What do you think?

I fully agree - having cross-distro profiles (if needed, with some 
differences in tunables) sounds like a good goal.

> 2. Was this discussed previously? Was the idea of a cross-distro VCS
>    repository for shared maintenance of profiles investigated yet?

It was discussed, but without a real solution.

As you already noticed, there's lp:apparmor-profiles, and the way it is 
handled makes it quite (and IMHO needlessly) hard to share the profile 
with other distributions.

For openSUSE, I package only the profiles in lp:apparmor, and submit my 
changes back to lp:apparmor. This means the profiles shipped in the 
AppArmor tarball will always work on openSUSE [1], but it also means I 
don't have lots of profiles to ship.

Some openSUSE packages also contain their own profile, but I don't have 
a good overview which packages contain profiles. Those profiles are 
usually maintained by the package maintainer.

This also opens up an important question: who does the profile 
- If the packager does it, then it's understandable that he wants to 
  have the profile in his package, which also makes it easy for him to 
  update it. (Ideally the profile would be in $package's upstream 
  tarball, but this rarely happens.)
- If $package maintainer doesn't care and bug reports about the profiles 
  end up at the AppArmor packager, then having the profiles in the 
  apparmor-profiles package (and in lp:apparmor) is the best solution.
  This also tends to be a fast and efficient way - if you avoid sending 
  20 profile patches per day, you'll usually get a review within some 
  days ;-)

That all said: Yes, I'd really like to have a better way to share 
profiles with other distributions. We "just" need to decide about the 
method ;-)

I'd be happy with adding profiles to lp:apparmor/profiles/apparmor.d/ -
any other opinions?


Christian Boltz

[1] at least for the programs I'm using regularly ;-)

Here, for example, there is an address DB for a few people, and even
concurrent use of this DB is rather the exception.
The databases here probably don't even deserve the name.
If you like, you can also call it a shared structured
notepad. [Al Bogner in suse-linux]
