[pkg-apparmor] Bug#965360: apparmor-profiles: Please make separate packages for each apparmor profile
Mikhail Morfikov
mmorfikov at gmail.com
Sat Oct 24 15:56:28 BST 2020
On 24/10/2020 14.42, intrigeri wrote:
> Control: tag -1 + moreinfo
>
> Hi,
>
> Mikhail Morfikov (2020-07-20):
>> currently when the apparmor-profiles package is installed, it installs several
>> apparmor profile files. In this way users can have all or none of the profiles
>> installed in their systems. Sometimes a user wants only a specific profile (or
>> profiles) installed and doesn't really want the other profiles to be installed
>> as well because:
>> - he doesn't need the other profiles,
>> - he has his own alternative profiles, which differ in rule sets,
>> - the other profiles simply cause some issues with applications they confine.
>
>> What do you think about another approach, which is to create separate packages
>> containing individual apparmor profiles? For instance, there's the
>> usr.sbin.dnsmasq file which is related to the dnsmasq package. In this case
>> there could be a package named dnsmasq-apparmor-profile which would include the
>> usr.sbin.dnsmasq file. If a user wanted to install dnsmasq and also wanted it
>> to be confined by the default apparmor profile provided by Debian, he could
>> also install dnsmasq-apparmor-profile, which wouldn't affect any other app
>> functionality.
>
> The profiles shipped by the apparmor-profiles package are installed in
> complain mode. Then the user may choose to enforce the profiles they
> need. To me, it seems to already provide the kind of flexibility
> you're wishing for, with a much lower overhead on the package
> maintenance side. What did I miss?
>
> Apart from this, the way the Debian archive works, having many tiny
> packages is problematic, so I don't think your proposal would be
> acceptable by the project. I'm not closing this bug report just yet as
> I'd like to first better understand what the current setup is lacking
> for you.
>
> Cheers!
>
There are three ways of installing apparmor profiles in Debian:
- an app's package contains some apparmor profile
- some packages contain lots of apparmor profiles
- there are a few packages which contain an app's apparmor profile itself, for
  instance fwknop-apparmor-profile

So it's a mess.

It would be better to have just one way of installing official Debian apparmor
profiles for apps, i.e. the 3rd option above. Of course a user doesn't
have to install the big package with all the profiles, but when I see a bunch of
apparmor profiles that I don't really need, I simply skip the package or
extract the needed profile and forget about the package. So basically having
multiple profiles in one package makes people less likely to test any of
the profiles included in it and hence less likely to report any issues. It would
be nice to have profiles in individual packages, so users could decide what
they want to install.

What if I had my own profile that would match a specific one that is provided
by apparmor-profiles? What would I have to do in order to install/upgrade the
rest of the profiles from the package and leave my profile intact? It's very
inconvenient and problematic for the end user to handle such packages.

BTW: Why is having many small packages a problem for the Debian archive?