[pkg-apparmor] Bug#979500: dh-apparmor: please support local includes of abstractions like "abstraction/name"

Christian Ehrhardt christian.ehrhardt at canonical.com
Mon Feb 8 10:32:15 GMT 2021


On Sat, Feb 6, 2021 at 8:08 AM intrigeri <intrigeri at debian.org> wrote:
>
> Hi,
>
> intrigeri (2021-01-08):
> > Christian Boltz (2021-01-07):
> >> I'd argue that this is a problem that is already solved ;-)
> >>
> >> Starting with AppArmor 3.0, all[1] upstream abstractions come with a
> >> rule like (example taken from abstractions/base):
> >>
> >>     include if exists <abstractions/base.d>
> >>
> >> so if you create that directory and place a file there, it will be
> >> included by the abstraction.
> >
> >> [...]
> >
> >> For abstractions shipped by individual package (like libvirt), it would
> >> also make sense to add an   include if exists <abstractions/$whatever.d>
> >> rule to make it easy to add something to an abstraction.
> >
> > I like what Christian Boltz is proposing (thanks!): as far as
> > I understand, it can happen in libvirt upstream, will benefit even
> > non-Debian distros, and does not require modifying dh-apparmor.
> >
> > Christian Ehrhardt, how does it sound? Any reason why the approach you
> > initially suggested on this bug report is better?
>
> Ping?

I beg your pardon, I totally lost your and Christian B.'s replies on this
one in my inbox cracks.
Thanks Intrigeri for the ping.

I'm already part of the crowd waiting for "Include if exists" to be
widely available.
And yes, that would solve my problem as well.

But IMHO a huge problem with "Include if exists" is that on older
apparmor it totally breaks the rule parsing.
That makes it hard to fully jump onto the new feature yet:
- upstreams don't know how far back their SW will be built; this would
need to become at least a build time version/feature check against
apparmor
- distro-packaging often enough is used for backports, where again
we'd need code to handle old and new feature sets

But thinking more about it I think I still agree that we can close this bug.
That is because in the (hopefully few) places we need this we can
handle it (a bit ugly) in the maintscripts.
If we'd fully support it in dh-apparmor it might encourage people "too
much" to use that instead of the hopefully better future of
"include-if-exists".

> I'd like to add that one of the reasons for adding support for
> "include if exists" in AppArmor upstream was to cancel the need for
> distros to manage local override files via packaging machinery,
> which long term will allow us to simplify things like dh-apparmor,
> making them easier to maintain and to use :)
>


-- 
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd
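The build-time feature check and the old/new fallback discussed in the message above, as an added example that is not part of the thread or of dh-apparmor itself. It assumes `apparmor_parser` is on PATH (or named via the hypothetical `APPARMOR_PARSER` variable) and uses its `-Q` (skip kernel load) and `-K` (skip cache) options to compile a constructed probe profile; the probe's `.d` directory does not need to exist.

```shell
#!/bin/sh
# Probe whether the installed apparmor_parser accepts "include if exists"
# and pick the matching local-override rule for an abstraction.
set -u

PARSER="${APPARMOR_PARSER:-apparmor_parser}"   # assumed override hook

# Returns 0 if the parser compiles a minimal profile using
# "include if exists", 1 if it rejects it (pre-3.0 parser),
# 2 if no parser is available at all.
parser_supports_include_if_exists() {
    command -v "$PARSER" >/dev/null 2>&1 || return 2
    _probe=$(mktemp) || return 2
    cat >"$_probe" <<'EOF'
# constructed probe profile (not a real abstraction)
profile dh_apparmor_probe {
  include if exists <abstractions/dh_apparmor_probe.d>
}
EOF
    # -Q: compile only, do not load into the kernel; -K: bypass the cache
    if "$PARSER" -Q -K -q "$_probe" >/dev/null 2>&1; then
        _rc=0
    else
        _rc=1
    fi
    rm -f "$_probe"
    return $_rc
}

# Print the rule an abstraction should carry so local additions in
# <abstractions/NAME.d> are picked up: the 3.0 syntax where supported,
# otherwise a classic include, which only parses if packaging (e.g. a
# maintscript) has created that directory beforehand.
# $1 = result of parser_supports_include_if_exists, $2 = abstraction name
local_include_rule() {
    case "$1" in
        0) echo "  include if exists <abstractions/$2.d>" ;;
        *) echo "  #include <abstractions/$2.d>" ;;
    esac
}

# Example use: decide the rule for a package-shipped abstraction.
rc=0
parser_supports_include_if_exists || rc=$?
local_include_rule "$rc" "libvirt-qemu"
```

Exit status 2 means the decision has to be deferred to install time, which is the maintscript case the thread mentions.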
