[pkg-apparmor] Bug#906202: dh-apparmor should check syntax of AppArmor policy

intrigeri intrigeri at debian.org
Mon Jan 28 09:03:00 GMT 2019


Hi Bernhard, AppArmor folks and bystanders,

intrigeri:
> All this is doable but requires quite more work (and risks) than
> I thought initially.

> I'm starting to think that it would be vastly easier to do that via
> autopkgtests: […]

It's unfortunately too late to get all this done in time for Buster,
so I've implemented a stop-gap measure in src:apparmor: the
compile-policy autopkgtest now runs the parser on a large subset of
the AppArmor profiles shipped by various Debian packages (including
bind9 :) This required making the test depend on those packages, which
means this test will be triggered on ci.debian.net every time one of
these packages is uploaded. That's of course not as great as
build-time validation, but at least it will make it obvious to package
maintainers when they upload an AppArmor profile whose syntax
is incorrect.

Implementation details for the curious:

  https://salsa.debian.org/apparmor-team/apparmor/blob/debian/master/debian/tests/control
  https://salsa.debian.org/apparmor-team/apparmor/blob/debian/master/debian/tests/compile-policy

Cheers,
-- 
intrigeri
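
[Editor's note, not part of the original message.] The mail describes a test that feeds shipped AppArmor profiles to the parser so that syntax errors show up before the policy reaches a user's kernel. Below is an added, stand-alone example of such a check; it is this editor's code, not intrigeri's and not the debian/tests/compile-policy script linked above. It assumes a policy directory laid out like /etc/apparmor.d (profiles as regular files at the top level, helper trees such as abstractions/ and tunables/ below it) and that apparmor_parser is on PATH when the actual parse is wanted. The sample tree it builds, including a deliberately broken profile, is constructed for the example.

```shell
#!/bin/sh
# Added example (not the Debian apparmor package's own test): a stand-alone
# syntax check over a directory of AppArmor profiles, in the spirit of the
# compile-policy autopkgtest described in the mail. Assumptions: the policy
# directory is laid out like /etc/apparmor.d (profiles as regular files at
# the top level, helper trees such as abstractions/ and tunables/ below it),
# and apparmor_parser is on PATH when the actual parse is wanted.
set -u

# A candidate profile is a regular file directly in the policy directory.
# dpkg leftovers, editor backups and the README are not policy and must not
# be fed to the parser; subdirectories (abstractions/, tunables/, local/,
# disable/, ...) hold includes or state, not standalone profiles.
is_profile() {
    [ -f "$1" ] || return 1
    case ${1##*/} in
        *.dpkg-*|*~|*.orig|*.rej|README) return 1 ;;
    esac
    return 0
}

# Number of candidate profiles in a directory (printed on stdout).
count_profiles() {
    n=0
    for f in "$1"/*; do
        is_profile "$f" && n=$((n + 1))
    done
    echo "$n"
}

# Parse and compile one profile without loading it into the kernel
# (--skip-kernel-load, -Q) and without reading or writing the binary
# policy cache (--skip-cache, -K). --base makes '#include <...>' resolve
# against the tree under test instead of the system's /etc/apparmor.d.
check_profile() {
    apparmor_parser --skip-kernel-load --skip-cache --base "$1" "$2" >/dev/null 2>&1
}

# Check every candidate profile; print one line per profile and a summary.
# Exit status: 0 all compiled, 1 at least one profile failed to compile,
# 2 apparmor_parser is not installed (nothing was checked).
check_all() {
    dir=${1:-/etc/apparmor.d}
    command -v apparmor_parser >/dev/null 2>&1 || {
        echo "apparmor_parser not found; nothing checked" >&2
        return 2
    }
    failed=0
    for f in "$dir"/*; do
        is_profile "$f" || continue
        if check_profile "$dir" "$f"; then
            printf 'OK   %s\n' "$f"
        else
            printf 'FAIL %s\n' "$f"
            failed=$((failed + 1))
        fi
    done
    echo "$failed profile(s) failed to compile"
    [ "$failed" -eq 0 ]
}

# Constructed sample tree for trying the check offline: one valid profile,
# one with a deliberate syntax error (missing trailing comma), plus the
# kinds of files a real /etc/apparmor.d contains that must be skipped.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/abstractions" "$t/tunables" "$t/local"
    : > "$t/abstractions/base"
    : > "$t/tunables/global"
    : > "$t/local/usr.sbin.named"
    : > "$t/README"
    : > "$t/usr.sbin.named.dpkg-dist"
    printf '%s\n' '/usr/sbin/named {' '  #include <abstractions/base>' \
        '  /etc/bind/** r,' '  network inet stream,' '}' > "$t/usr.sbin.named"
    printf '%s\n' '/usr/bin/broken {' '  /etc/broken.conf r' '}' > "$t/usr.bin.broken"
    echo "$t"
}

# Run against a directory given on the command line, e.g.
#   sh check-policy.sh /etc/apparmor.d
# or try the constructed tree:  sh check-policy.sh "$(sh -c '. ./check-policy.sh; make_sample_tree')"
[ $# -eq 0 ] || check_all "$1"
```

Run as `sh check-policy.sh /etc/apparmor.d` on a machine with the apparmor package installed; the script exits non-zero and names the offending file whenever a profile does not compile, which is the signal the autopkgtest in the mail provides on ci.debian.net. The file filter matters as much as the parser invocation: feeding a `*.dpkg-dist` leftover or the local/ override tree to the parser produces failures that are not policy bugs.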
