apparmor directory

Clint Byrum clint at ubuntu.com
Tue Nov 8 14:20:10 UTC 2011


Excerpts from Kapil Thangavelu's message of Tue Nov 08 04:38:35 -0800 2011:
> Excerpts from Gustavo Niemeyer's message of Tue Nov 08 04:51:52 -0500 2011:
> > Just spotted an exchange in a bug regarding the apparmor directory,
> > and would like to raise Kapil's comment more generally.
> > 
> > Besides the "charm proof" command complaining about the lack of an
> > "apparmor" directory, the wiki page at
> > https://juju.ubuntu.com/AppArmor has the following comment:
> > 
> > """
> > If you do not need any profiles, because they are all contained in
> > packages, you can touch a file in the directory.
> > 
> > $ touch apparmor/__NONE
> > """
> > 
> > This feels sub-optimal, both because we never agreed to enforce
> > apparmor usage, and because the lack of a directory feels like a
> > cleaner way to convey an optional feature than such a file.
> 
> agreed, if it's optional, don't make the user have to think about it.
> 

This is a very calculated set of rules, not just something I stumbled
into.

I want users to consider the fact that they are not putting an apparmor
profile in, and I'd like to be able to gather statistics about AppArmor
usage in the charms. The __NONE file means the person who put it there
is taking responsibility for saying there's no apparmor needed or that
the charm wouldn't work with apparmor. An empty dir means that there
is an opportunity for us to add apparmor to this charm (or assert
__NONE). Missing dir means that it hasn't even been considered.

I had considered making the lack of a dir akin to the empty dir now,
and making an empty dir like __NONE, but this can happen accidentally.
By enforcing a more rigid structure, the user is pushed toward reading
the AppArmor policy.

> > 
> > Would there be a page somewhere with a list of other practices the
> > "charm proof" command is enforcing?
> > 
> 
> not afaik outside of, mostly the checks are referenced elsewhere by charms 
> should pass the tool itself rather than check enumeration, which itself is 
> fluid, as evidenced by the new apparmor dir requirement.
> 
> http://bazaar.launchpad.net/~charmers/charm-tools/trunk/view/head:/scripts/proof
> 

Indeed, the checks are purely inside charm proof itself, and are very
basic. This was the first one that needed more than a line of text
to explain.
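The three-state rule Clint describes (missing directory, empty directory, a `__NONE` marker, or actual profiles) is small enough to write down as a check. The following is an added illustration written for this thread; it is not the charm-tools `proof` script and does not claim to match its output format. The `E:`/`W:`/`I:` severity prefixes, the `conflict` state for a `__NONE` file sitting next to real profiles, and the `make_fixture` helper are my own assumptions, added so the check can be exercised against constructed charm directories.

```python
import os
import tempfile

# Marker file the wiki page tells charm authors to touch when no profile is needed.
NONE_MARKER = "__NONE"


def classify_apparmor(charm_dir):
    """Return one of: missing, empty, none-asserted, profiles, conflict.

    missing        -> no apparmor/ dir: AppArmor was never considered
    empty          -> apparmor/ exists but is empty: a profile could be added
    none-asserted  -> only __NONE present: author explicitly says none is needed
    profiles       -> one or more profile files present
    conflict       -> __NONE next to profile files (assumed state, not in the thread)
    """
    path = os.path.join(charm_dir, "apparmor")
    if not os.path.isdir(path):
        return "missing"
    entries = sorted(os.listdir(path))
    if not entries:
        return "empty"
    if NONE_MARKER in entries:
        # A marker that says "no profile" contradicts any profile beside it.
        return "conflict" if len(entries) > 1 else "none-asserted"
    return "profiles"


# Assumed message texts; charm proof's real wording is not reproduced here.
MESSAGES = {
    "missing": "E: apparmor/ directory missing; AppArmor has not been considered",
    "empty": "W: apparmor/ is empty; add a profile or touch apparmor/__NONE",
    "none-asserted": "I: charm asserts that no AppArmor profile is needed",
    "profiles": "I: AppArmor profile(s) present",
    "conflict": "E: apparmor/__NONE present alongside profile files",
}


def proof_apparmor(charm_dir):
    """Run the check and return (state, message) for a charm directory."""
    state = classify_apparmor(charm_dir)
    return state, MESSAGES[state]


def make_fixture(layout):
    """Build a throwaway charm directory for testing (constructed input).

    layout None -> no apparmor/ dir
    layout []   -> empty apparmor/ dir
    layout [..] -> apparmor/ containing the named (empty) files
    """
    root = tempfile.mkdtemp(prefix="charm-")
    if layout is not None:
        ap = os.path.join(root, "apparmor")
        os.mkdir(ap)
        for name in layout:
            with open(os.path.join(ap, name), "w") as f:
                f.write("")
    return root


if __name__ == "__main__":
    for layout in (None, [], ["__NONE"], ["usr.bin.example"], ["__NONE", "usr.bin.example"]):
        print(layout, "->", proof_apparmor(make_fixture(layout)))
```

The point of keeping `empty` distinct from `missing` is the one Clint makes: an empty directory can be created by accident, so it is reported as a warning rather than treated as an explicit `__NONE` assertion, and a missing directory is the only state that counts as "never considered".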



More information about the Juju mailing list