[pkg-apparmor] [Pkg-xfce-devel] Support for shipping AppArmor profiles in Debian (lightdm)

[Yves-Alexis Perez]

On jeu., 2015-03-12 at 15:15 +0100, intrigeri wrote:
> So, I've had a look at the lightdm 1.12.2-1 source package, and
> indeed, at least these parts of patches/02_fix-apparmor-profile.patch
> can now be dropped:
> 
> -  #include <abstractions/dbus-accessibility>
> 
> [...]
> 
> -  signal peer=@{profile_name},
> -  ptrace peer=@{profile_name},
> -  # needed when logging out of the guest session
> -  signal (receive) peer=unconfined,
> +  # this doesn't work with the current Debian apparmor
> +  #signal peer=@{profile_name},
> +  #ptrace peer=@{profile_name},
> +  ## needed when logging out of the guest session
> +  #signal (receive) peer=unconfined,

Ok, done, will be part of the next upload to experimental.
> 
> > I run lightdm and use apparmor and can test the profile shipped
> upstream
> > when i get home.
> 
> If you're running sid, then you would be the ideal candidate to ensure
> any future lightdm breakage caused by its AppArmor profile turns on
> red lights in a timely manner, even if Yves-Alexis doesn't test the
> packages he uploads with AppArmor enabled :)

I did a quick try on sid (so with lightdm 1.10) but it seems that only
the guest profile is actually confined, and I'm not using it, so it's
hard to tell anyway :)

In any case (and wrt. your mail on d-d-a), I'll try to install AppArmor
and see what happens, although on a desktop box it seems that really not
much is actually confined.


Regards,
-- 
Yves-Alexis
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-apparmor-team/attachments/20150313/3046b9b1/attachment.sig>