[pkg-apparmor] Bug#979500: dh-apparmor: please support local includes of abstractions like "abstraction/name"
Christian Boltz
debian-bugs at cboltz.de
Thu Jan 7 17:33:16 GMT 2021
Hello,
I'd argue that this is a problem that is already solved ;-)
Starting with AppArmor 3.0, all[1] upstream abstractions come with a
rule like (example taken from abstractions/base):
include if exists <abstractions/base.d>
so if you create that directory and place a file there, it will be
included by the abstraction.
You don't need to provide those directories or dummy files via the
package, and in fact I'd say that they should only be created when
really needed to keep /etc/apparmor.d/ readable.
(Obviously, if a program needs to extend a specific abstraction,
packaging an abstractions/$abstraction.d/$package file makes sense.)
For abstractions shipped by individual packages (like libvirt), it would
also make sense to add an include if exists <abstractions/$whatever.d>
rule to make it easy to add something to an abstraction.
Note: up to AppArmor 2.13.x, the aa-* tools (aa-logprof etc.) break in
funny ways when hitting include if exists rules, and sadly that's
not easy to fix (ETOOBIGPATCH). Therefore I'd recommend not to backport
include if exists rules to profiles or abstractions in older distros.
The aa-* tools from AppArmor 3.x fully support include if exists
rules.
Regards,
Christian Boltz
[1] The only exception is abstractions/ubuntu-browsers because (for
historic reasons) an abstractions/ubuntu-browsers.d directory
already exists and is used in a different way.
--
seccheck runs here on a host that contains 3 daily backups of 10+ SAP
hosts, and the "Local Monthly Security" Mail size is 562 MB. This mail
size causes an unfriendly, suspicious grin on the face of my mail
admin... [Werner Flamme in opensuse-security]
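As an added illustration (not part of the mail or of the AppArmor project), the toy resolver below models the include semantics the mail relies on: a plain `include <...>` of a missing path is an error, while `include if exists <abstractions/base.d>` is silently skipped until someone creates the directory and drops a file in. The constructed tree stands in for /etc/apparmor.d; accepting the legacy `#include` spelling, sorting directory entries and including each file once are assumptions of this sketch, not documented parser behaviour.

```python
import re
import tempfile
from pathlib import Path

# Matches "include <p>", "#include <p>" and "include if exists <p>".
INCLUDE_RE = re.compile(r'^\s*#?include(?P<ifexists>\s+if\s+exists)?\s+<(?P<path>[^>]+)>\s*$')

def expand(root, text, seen=None):
    """Expand angle-bracket include rules relative to root (normally /etc/apparmor.d).
    A plain include of a missing path raises, as the parser rejects it; `include if
    exists` skips it, so <abstractions/base.d> may be referenced before it exists."""
    root, seen, out = Path(root), set() if seen is None else seen, []
    for line in text.splitlines():
        m = INCLUDE_RE.match(line)
        if not m:
            out.append(line)
            continue
        target = root / m.group('path')
        if not target.exists():
            if m.group('ifexists'):
                continue
            raise FileNotFoundError(f'include <{m.group("path")}>: no such file or directory')
        # A directory include pulls in every regular file inside it (sorted here for determinism).
        files = sorted(p for p in target.iterdir() if p.is_file()) if target.is_dir() else [target]
        for f in files:
            if f.resolve() not in seen:   # each file once; also breaks include cycles
                seen.add(f.resolve())
                out.extend(expand(root, f.read_text(), seen))
    return out

def missing_plain_include_fails(root):
    try:
        expand(root, 'include <abstractions/does-not-exist>\n')
        return False
    except FileNotFoundError:
        return True

def demo():
    """Constructed tree, not a real /etc/apparmor.d: rules seen with and without a drop-in."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'abstractions').mkdir()
        (root / 'abstractions' / 'base').write_text('  /etc/ld.so.cache mr,\n  include if exists <abstractions/base.d>\n')
        profile = 'profile demo {\n  include <abstractions/base>\n}\n'
        before = [l.strip() for l in expand(root, profile) if l.strip()]
        # Create the drop-in only when something needs it, as the mail recommends.
        (root / 'abstractions' / 'base.d').mkdir()
        (root / 'abstractions' / 'base.d' / 'local-demo').write_text('  /opt/demo/** r,\n')
        after = [l.strip() for l in expand(root, profile) if l.strip()]
        return before, after, missing_plain_include_fails(root)
```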