[pkg-apparmor] Bug#965360: apparmor-profiles: Please meke seperate packages for each apparmor profile

Mon Jul 20 10:59:53 BST 2020

Package: apparmor-profiles
Version: 2.13.4-3
Severity: wishlist

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Maintainer,

currently when the apparmor-profiles package is installed, it installs several
apparmor profile files. In this way users can have all or none of the profiles
installed in their systems. Sometimes a user wants only a specific profile (or
profiles) installed and doesn't really want the other profiles to be installed
as well because:
 - he doesn't need the other profiles,
 - he has his own alternative profiles, which differ in rule sets,
 - the other profiles simply cause some issues with applications they confine.

What do you think about another approach, which is to create separate packages
containing individual apparmor profiles? For instance, there's the
usr.sbin.dnsmasq file which is related to the dnsmasq package. In this case
there could be a package named dnsmasq-apparmor-profile which would include the
usr.sbin.dnsmasq file. If a user wanted to install dnsmasq and also wanted it
to be confined by the default apparmor profile provided by Debian, he could
also install dnsmasq-apparmor-profile, which wouldn't affect any other app
functionality.

Also, there are many profiles under /usr/share/apparmor/extra-profiles/ which
aren't enabled, and probably no one uses them at all. If there was a package,
for instance, postfix-apparmor-profile containing all the usr.lib.postfix*
files installed under /etc/apparmor.d/ , I think more people would test the
profiles, which would contribute to better development of the profiles
themselves.

Probably not all of the files included currently in the apparmor-profiles
package can be separated in the way described above, but there are cases where
this can be done, and I think it should be done.

Tell me what do you think about this solution.