[pkg-apparmor] AppArmor BoF at Debconf - report

intrigeri intrigeri at debian.org
Sat Jul 30 14:43:28 UTC 2016 

Hi,

Christian Boltz:
> Am Donnerstag, 7. Juli 2016, 18:41:00 CEST schrieb u:

> I'm not sure about network rules, but IIRC the patch for them is not in 
> the upstream kernel yet (however openSUSE includes it since years, so it 
> should be safe to take it).

Indeed it's not been upstreamed yet, and I'm not aware of WIP in this
area; so personally I won't ask the maintainers of Linux in Debian to
include it. (I'll skip the standard rant about torvalds/linux.git
being a better place to share Linux source code than distro patches ;)

> May I add an item here?

> * push all profiles shipped in Debian into the upstream apparmor-profiles 
>   repo - that would make it much easier for other distibutions to 
>   steal ;-) them.
>   Ideally this would include the metadata (as discussed at DebConf15), 
>   but the most important thing is to have all profiles in the repo.

Yes, please :)

>> Testing:
>> * how do we test? do we have scripts?

> The upstream tarball comes with some tests (for parser, utils and 
> libapparmor) - you can run them when building the AppArmor package.

> There is also
> bzr+ssh://bazaar.launchpad.net/+branch/qa-regression-testing/
> which contains lots of runtime tests that are done for Ubuntu QA.
> (These tests add users etc., so you should run them in a clean VM.)
> [...]
> Upstream mentioned some interest in moving those tests into the AppArmor 
> tarball (so that they are available to other distibutions), so if 
> someone is bored... ;-)

Thanks! I wasn't aware of these tests.

>>  - some of those half working should move to
>> /usr/share/doc/apparmor/examples :intrigeri:

> Note that aa-genprof will pick up profiles from
>     /usr/share/apparmor/extra-profiles/
> so using a different path doesn't sound like the best idea.

> This path is configurable in logprof.conf inactive_profiledir, but having 
> the same on all distributions would be better IMHO.

Good to know, thanks! Debian/Ubuntu have been shipping these inactive
profiles in /usr/share/doc/apparmor/examples for a while, so we would
need to move them. I've just filed a bug report about it.

> You might want to steal something from openSUSE here:
> - the dovecot profiles (from the upstream tarball) are well-tested, users 
>   only need to adjust tunables/dovecot for their mail storage
>   location

Thanks for the pointer. We ship them in complain mode. IIRC last time
a Debian user tried them, they were not happy and we got a long bug
report, so these ones are part of what we are considering moving out
of the way (to /usr) until someone makes them work really well
on Debian.

Cheers,
-- 
intrigeri

More information about the pkg-apparmor-team mailing list