[pkg-apparmor] [Pkg-xfce-devel] Support for shipping AppArmor profiles in Debian (lightdm)
intrigeri
intrigeri at debian.org
Thu Mar 12 14:15:51 UTC 2015
Hi Yves-Alexis & Cameron,
first of all, thanks for the feedback. Replies inline below.
Cameron Norman wrote (02 Mar 2015 20:39:39 GMT) :
> On Mar 2, 2015 12:28 PM, "Yves-Alexis Perez" <corsac at debian.org> wrote:
>> Actually, we already had issues with the AppArmor profile in the past,
>> because it was too recent for the current AppArmor utilities. The
>> AppArmor profile is provided directly by upstream (which evolves in
>> Ubuntu circles), so it might not be perfect for Debian. I'm not an
>> AppArmor user myself, so I can't really test, but am really interested
>> in any comment you might have.
> So recent versions of apparmor do not fail to parse rules they do not know
> about, as long as the syntax is right. This should ensure the profile
> currently works and continues to work without issue.
Indeed, that's been the case since AppArmor 2.9 reached Debian :)
Sorry I didn't ping all maintainers yet to tell them they can revert
the changes we had them do earlier in the Jessie cycle. (I've done so
for cups a few days ago, but forgot about lightdm.)
So, I've had a look at the lightdm 1.12.2-1 source package, and
indeed, at least these parts of patches/02_fix-apparmor-profile.patch
can now be dropped:
- #include <abstractions/dbus-accessibility>
[...]
- signal peer=@{profile_name},
- ptrace peer=@{profile_name},
- # needed when logging out of the guest session
- signal (receive) peer=unconfined,
+ # this doesn't work with the current Debian apparmor
+ #signal peer=@{profile_name},
+ #ptrace peer=@{profile_name},
+ ## needed when logging out of the guest session
+ #signal (receive) peer=unconfined,
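Review bot: the added comment "this doesn't work with the current Debian apparmor" on the + lines names no AppArmor version or bug reference, so nothing in the profile tells a later maintainer when the signal and ptrace rules can be re-enabled; put the affected version or a bug number next to it. The removed `#include <abstractions/dbus-accessibility>` line has the same problem in a worse form: it is deleted outright with no comment, while the signal and ptrace rules are at least kept in commented-out form. With these lines commented out the profile grants no signal or ptrace access for peer=@{profile_name} and no signal (receive) from unconfined, which the original comment says is needed when logging out of the guest session, so that logout path should be retested whenever the profile is loaded on a system that mediates signals.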
> I run lightdm and use apparmor and can test the profile shipped upstream
> when I get home.
If you're running sid, then you would be the ideal candidate to ensure
any future lightdm breakage caused by its AppArmor profile turns on
red lights in a timely manner, even if Yves-Alexis doesn't test the
packages he uploads with AppArmor enabled :)
Cheers,
--
intrigeri