[pkg-apparmor] apparmor.service - get upstream and Debian (mostly?) in sync?

Christian Boltz apparmor-debian at cboltz.de
Tue Aug 29 23:08:33 BST 2023


Hello,

while fixing a bug around installing apparmor.service on Redhat/Fedora, 
I noticed that the upstream Makefile doesn't install apparmor.service on 
Debian systems.

I'm also aware that Debian ships its own apparmor.service, which is 
somewhat different from the upstream apparmor.service.

Here's a pseudo-patch:

--- upstream
+++ Debian
 [Unit]
 Description=Load AppArmor profiles
 DefaultDependencies=no
 Before=sysinit.target
+After=local-fs.target
 After=systemd-journald-audit.socket
-# profile cache: /var/cache/apparmor/ and /usr/share/apparmor/cache/
-After=var.mount var-cache.mount usr.mount usr-share.mount
+RequiresMountsFor=/var/cache/apparmor
+AssertPathIsReadWrite=/sys/kernel/security/apparmor/.load
 ConditionSecurity=apparmor
+Documentation=man:apparmor(7)
+Documentation=https://gitlab.com/apparmor/apparmor/wikis/home/
+
+# Don't start this unit on the Ubuntu Live CD
+ConditionPathExists=!/rofs/etc/apparmor.d
+
+# Don't start this unit on the Debian Live CD when using overlayfs
+ConditionPathExists=!/run/live/overlay/work
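Review bot: the replacement `RequiresMountsFor=/var/cache/apparmor` covers only one of the two cache directories named in the removed comment (`/var/cache/apparmor/` and `/usr/share/apparmor/cache/`). If this part is upstreamed, listing both paths, e.g. `RequiresMountsFor=/var/cache/apparmor /usr/share/apparmor/cache`, keeps the intent of the old hard-coded `After=var.mount var-cache.mount usr.mount usr-share.mount` line while letting systemd derive the actual mount units, which is more robust across layouts. Also worth a comment in the unit: `AssertPathIsReadWrite=` makes the unit fail and log an error when securityfs is not writable, whereas the surrounding `Condition*=` lines only skip it silently, so the two kinds of check behave differently when they trip.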

(no diff in the [Service] section)

 [Install]
-WantedBy=multi-user.target
+WantedBy=sysinit.target
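Review bot: `WantedBy=sysinit.target` is the install target that matches the unit's own ordering: with `DefaultDependencies=no` and `Before=sysinit.target`, the upstream `WantedBy=multi-user.target` pulls the unit in via a target that is reached well after the point the unit is ordered before, so the ordering constraint and the install target disagree. This looks like a good candidate for upstreaming rather than keeping as a Debian delta; if upstream wants to keep multi-user.target instead, the `Before=sysinit.target` line should be revisited at the same time.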


Now the question is: How should this be handled in the future?
Basically I see a few possible options for

a) installation of apparmor.service
- keep current status (don't install upstream apparmor.service on 
  Debian)
- adjust the upstream Makefile to install upstream apparmor.service also 
  on Debian (well, ideally on all distributions)

b) content of apparmor.service
- reduce the diff between upstream and Debian apparmor.service by up-
  or downstreaming the diff (as an obvious example, upstreaming the
  Documentation= lines should be easy)
- drop the Debian-specific apparmor.service (but maybe patch it or ship a 
  drop-in if some Debian-specific options need to remain)
- (keeping the diff as is is also an option, but I wouldn't recommend 
  that)

So - what do you think?


IMHO it would make sense to always let the upstream Makefile install the 
upstream apparmor.service, but Debian could patch it or install a drop-
in to keep Debian-specific things.

And of course it would also make sense to get the upstream and Debian 
apparmor.service in sync as much as possible so that the diff or drop-in 
can be kept small.

Feedback welcome ;-)


Regards,

Christian Boltz
-- 
OH: "This software system uses the 'Onion' pattern.
There are endless layers, and peeling all of them back makes you cry."
[https://nitter.net/wpeterson/status/370552216840458240]