[pkg-apparmor] Bug#872266: apparmor-profiles-extra: Disable profiles before uninstalling them

intrigeri intrigeri at debian.org
Sat Sep 9 18:24:40 UTC 2017


Control: reassign -1 dh-apparmor
Control: found -1 2.11.0-10
Control: found -1 2.11.0-3
Control: retitle -1 dh_apparmor: unload profiles when purging them
Control: affects -1 apparmor-profiles-extra
Control: affects -1 apparmor-profiles

Hi!

Clément Hermann:
> apparmor profiles should be removed with `apparmor_parser -R
> <profile>` before uninstallation (prerm).

Agreed, good catch. I'm not sure if we want to do that only when
purging, or on "normal" removal as well. What do you think?

Ubuntu/OpenSUSE people, what do you think about 1. the general idea of
unloading profiles when de-installing the package that ships them;
2. unload on removal vs. on purge?

> Otherwise, since there is no way to disable a profile if the file is
> removed, and the removed profiles will be enforced until next boot.

FYI this is not correct *technically*:

1. See aa-remove-unknown(8)

2. For a more fine-grained approach, you can unload a profile even
   after the file was removed using the securityfs e.g.:

     echo -n klogd | sudo tee /sys/kernel/security/apparmor/.remove

   … successfully unloads the klogd profile on my system.
   I could not find where this is documented though :/

Granted, none of these is obvious, and from a user-centric perspective
"there is no way" is a valid assertion :)

> (note that this is probably the case for apparmor-profiles package too).

Indeed, this bug affects *any* package that ships policy for binaries
shipped in another package. This should probably be fixed in
dh-apparmor so the improvement propagates automatically to any
such package. Reassigning accordingly.

Cheers,
-- 
intrigeri
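The following is an added example illustrating the two unload paths discussed in this message (apparmor_parser -R while the policy file still exists, and the securityfs .remove node once it is gone), written as helpers a prerm-style maintainer script could use. It is not code from dh-apparmor, the apparmor-profiles packages or the message author. It assumes the kernel's loaded-profile list at /sys/kernel/security/apparmor/profiles has one entry per line in the form "name (mode)", and that the securityfs location is overridable for testing; the optional third argument and the AA_SYSFS variable are conveniences introduced here.

```shell
#!/bin/sh
# Added example (not dh-apparmor's own code): helpers for unloading an
# AppArmor profile when the package that ships it is being removed.

# Assumption: securityfs is mounted here; overridable for testing.
AA_SYSFS="${AA_SYSFS:-/sys/kernel/security/apparmor}"

# aa_profile_loaded NAME [PROFILES_FILE]
# Succeeds if NAME is currently loaded in the kernel. Entries in the
# profiles list look like "klogd (enforce)" or "/usr/sbin/foo (complain)",
# so the match is anchored on "NAME (" to avoid prefix matches.
aa_profile_loaded() {
    name=$1
    list=${2:-$AA_SYSFS/profiles}
    [ -r "$list" ] || return 1
    # Escape regex metacharacters in the profile name before grepping.
    pat=$(printf '%s' "$name" | sed 's/[][\.*^$]/\\&/g')
    grep -q -- "^$pat (" "$list"
}

# aa_unload_profile NAME PROFILE_FILE [SYSFS_DIR]
# In prerm the policy file is normally still present, so prefer
# "apparmor_parser -R FILE". If the file is already gone, fall back to
# writing the profile name to securityfs .remove, as described above.
aa_unload_profile() {
    name=$1
    file=$2
    sysfs=${3:-$AA_SYSFS}
    if [ -f "$file" ] && command -v apparmor_parser >/dev/null 2>&1; then
        apparmor_parser -R "$file"
    elif [ -w "$sysfs/.remove" ]; then
        printf '%s' "$name" > "$sysfs/.remove"
    else
        # Neither mechanism available (e.g. AppArmor not enabled): do
        # nothing rather than fail the package removal.
        return 1
    fi
}

# aa_unload_if_loaded NAME PROFILE_FILE [SYSFS_DIR]
# Only attempt an unload when the profile is actually loaded; a profile
# that was never loaded (AppArmor disabled) must not abort the prerm.
aa_unload_if_loaded() {
    sysfs=${3:-$AA_SYSFS}
    if aa_profile_loaded "$1" "$sysfs/profiles"; then
        aa_unload_profile "$1" "$2" "$sysfs"
    else
        return 0
    fi
}
```

In a real prerm the call would be something like `aa_unload_if_loaded klogd /etc/apparmor.d/usr.sbin.klogd || true`, so that a system without AppArmor still removes the package cleanly.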


