[pkg-apparmor] Bug#843461: apparmor: Support usrmerge

intrigeri intrigeri at debian.org
Sat Dec 3 10:09:19 UTC 2016


Hi,

Christian Boltz:
>> Besides, they significantly increase policy compilation time.

> I never benchmarked that - do you have some numbers?

I can't easily find them (we were discussing this privately with
jjohansen a few years ago).

>> So the only option I can think of is going through all profiles we
>> ship, and making sure that every instance of /bin becomes /{usr/,}bin.

> That's exactly what I did - for example, the /bin/ping profile became
> /{usr/,}bin/ping. These changes are all in the upstream bzr since a long
> time.

Thanks!

> To keep the profile names readable, I'd recommend to use something like
>     profile ping /{usr/,}bin/ping
> (and yes, exactly for the ping example, I didn't do that ;-)

Good idea!

>> This seems doable since we ship relatively few profiles, spread over
>> a relatively small number of packages, and they contain few /bin/*
>> permissions. A quick look at a sid system gives me these
>> packages needing such changes: evince, apparmor-profiles-extra,
>> libvirt-daemon-system, cups-daemon, apparmor-profiles, apparmor,
>> telepathy-mission-control-5 (non-exhaustive list). Thankfully, this
>> will benefit all other distros as well, and could even be done
>> collaboratively if anyone else than Debian is interested :)

I've started with the policy included in the upstream AppArmor main
bzr repo:
https://code.launchpad.net/~intrigeri/apparmor/usrmerge/+merge/312409

I'll now go on with:

1. the AppArmor profiles Git repo
2. upstream software repos (at least libvirt)
3. other profiles shipped in Debian (that basically all come from
   Ubuntu)

Help is welcome! Just grab me on IRC before you start, to avoid
duplicating work :)

Cheers,
-- 
intrigeri
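The rewrite discussed in this thread, as an added example that is not part of the original mail, of intrigeri's merge request, or of AppArmor's own tooling: it turns leading /bin (and, going beyond the page, the other usrmerge directories /sbin and /lib*) path components in profile rules into the /{usr/,}bin form, and expands AppArmor's `{a,b}` alternation so that a rule can be checked against both the merged and the unmerged path. The sample profile, the USRMERGE_DIRS set and the function names are constructed for this example.

```python
"""Helpers for making AppArmor profile rules usrmerge-aware (added example)."""
import re

# Directories that usrmerge folds into /usr (assumption: the Debian usrmerge set).
# Longer names come first because regex alternation is ordered (/lib64 before /lib).
USRMERGE_DIRS = ("bin", "sbin", "lib64", "lib32", "libx32", "lib")

# A path token starting with one of those dirs, at line start or after whitespace,
# so that /usr/bin/ping, @{HOME}/bin/x and /binary are left alone.
_PATH_RE = re.compile(
    r"(?:^|(?<=\s))/(" + "|".join(USRMERGE_DIRS) + r")(?=[/\s,]|$)", re.M
)

# Constructed sample profile in the pre-usrmerge form.
SAMPLE_PROFILE = """\
#include <tunables/global>

profile ping /bin/ping {
  #include <abstractions/base>
  capability net_raw,
  /bin/ping mixr,
  /etc/modules.conf r,
  /lib/x86_64-linux-gnu/ld-*.so mr,
}
"""


def usrmerge_rewrite(text):
    """Rewrite /bin/... style paths to /{usr/,}bin/... (purely textual)."""
    return _PATH_RE.sub(r"/{usr/,}\1", text)


def expand_alternation(pattern):
    """Expand AppArmor {a,b,...} alternation into every concrete variant.

    Handles nesting; escaped braces are not supported (kept simple on purpose).
    """
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth = 0
    for i in range(start, len(pattern)):
        if pattern[i] == "{":
            depth += 1
        elif pattern[i] == "}":
            depth -= 1
            if depth == 0:
                end = i
                break
    else:
        raise ValueError("unbalanced braces in %r" % pattern)
    head, body, tail = pattern[:start], pattern[start + 1:end], pattern[end + 1:]
    # Split the body on top-level commas only.
    alts, depth, cur = [], 0, ""
    for ch in body:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == "," and depth == 0:
            alts.append(cur)
            cur = ""
        else:
            cur += ch
    alts.append(cur)
    results = []
    for alt in alts:
        for a in expand_alternation(alt):
            for rest in expand_alternation(tail):
                results.append(head + a + rest)
    return results


def _glob_to_regex(pattern):
    """AppArmor globbing: '*' does not cross '/', '**' does, '?' is one char."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        elif pattern[i] == "?":
            out += "[^/]"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def covers(pattern, path):
    """True if the profile path pattern matches the concrete filesystem path."""
    return any(_glob_to_regex(v).match(path) for v in expand_alternation(pattern))


if __name__ == "__main__":
    print(usrmerge_rewrite(SAMPLE_PROFILE))
```

The rewrite is deliberately conservative: it only touches a path token that starts with one of the listed directories, so rules that already use the /{usr/,} form or that live under /usr are untouched; the output still deserves a read-through and a compile with apparmor_parser before it ships, since the profile name change (profile ping /{usr/,}bin/ping) is exactly the kind of thing that is easy to get wrong by hand.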
