[pkg-apparmor] Bug#830502: apparmor-profiles: Reconsider what profiles are shipped in /etc/apparmor.d/ and in which mode
Antoine Beaupré
anarcat at orangeseeds.org
Tue Jul 4 14:55:06 UTC 2017
On 2017-07-04 09:52:55, intrigeri wrote:
> Hi,
>
> intrigeri at debian.org:
>> The apparmor-profiles package ships a number of profiles in
>> /etc/apparmor.d/, "in complain mode so that users can test and choose
>> which are desired". This includes policy for dovecot, dnsmasq,
>> avahi-daemon, ping.
>
>> This is confusing to some of us, and to users in general. And IIRC
>> Felix had some concerns about shipping these profiles there as well.
>
>> During the team meeting we had at DebConf, several options were
>> suggested:
>
>> a) Move the profiles that are not good enough to be enforced to
>> a separate package
>
>> b) Move the profiles that are not good enough to be enforced to
>> /usr/share/doc (where we already ship a number of profiles)
>
>> Also, it might be that some of these profiles are actually good enough
>> to be enforced by default, instead of being moved elsewhere.
>
> I'm adding Antoine in the loop as he suggested on
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866790#19 that we do the opposite,
> i.e. to ship profiles from /usr/share/doc/apparmor-profiles/extras/ in
> /etc/apparmor.d/ in complain mode. It seems we have good reasons to
> move policy that's not quite ready for production use out of
> /etc/apparmor.d/ (this is what this bug was about originally), but we
> also have good reasons to do the exact opposite.
>
> Advantages of shipping not-quite-ready-yet profiles (in complain mode)
> in /etc/apparmor.d/:
>
> * users who want to use some of these profiles simply have to
> aa-enforce them, and they'll automatically get updated versions
> when they upgrade apparmor-profiles; FTR the current situation is
> that these users *copy* those profiles to /etc and then report bugs
> about their obsolete copy (e.g. #866790), which is confusing to
> users and adds extra maintenance workload on our team;
>
> * giving these profiles more exposure to testing might encourage some
> users to improve them upstream.
>
> Drawbacks of shipping not-quite-ready-yet profiles (in complain mode)
> in /etc/apparmor.d/:
>
> * it's hard to communicate to users the quality of these profiles,
> and where bugs/improvements shall be submitted; currently we have
> /usr/share/doc/apparmor-profiles/extras/README that states clearly
> that these profiles "are not as mature as the profiles in
> /etc/apparmor.d/", and that improvements shall be submitted
> directly upstream. If we were shipping these profiles in /etc, I'm
> worried we would get even more bug reports about them in the Debian
> BTS, which causes 1. extra workload on our team; 2. frustration for
> the user (being redirected to yet another BTS after reporting a bug
> discourages many people, while perhaps they would send their
> proposed changes directly upstream if instructed to do so in the
> first place)
My counter-argument here would be that I would *assume* a profile in
"complain" mode is not production ready, by definition.
The problem with people filing bugs directly in the BTS is a false
problem, in my opinion: you'll always get this, regardless of how you
set things up. Obfuscating the profiles in /usr/share hasn't helped you
with my bug report, and I consider myself a rather experienced user. I
even *knew* about that policy before and *read* that README file, all
the way back when I deployed those profiles, and I simply forgot about it.
A more productive way of pre-triaging bug reports is with reportbug
hooks, to make sure users are made aware, when reporting bugs, what they
should report upstream. For example, the file
"/usr/share/bug/$package/presubj" is shown to the user before asking for
the subject. You can even interactively prompt the user for stuff... See
the docs here for details:
/usr/share/doc/reportbug/README.developers.gz
Such a prompt would have certainly given me pause when reporting a bug
against apparmor-profiles-extra...
In other words, I think shipping profiles in /usr/share is the wrong
solution to this problem. Proper packaging of those profiles should
install them in /etc/apparmor.d, otherwise they do not bring a
significant enough advantage for me to use them over directly getting
them from upstream (other than the maintainers' verification and trust
path, naturally). Bug pre-triaging problems can be solved in other ways.
Thanks!
A.
--
Nothing in life is to be feared, it is only to be understood
Now is the time to understand more, so that we may fear less.
- Marie Curie
More information about the pkg-apparmor-team
mailing list