[debian-mysql] Bug#736087: Bug#736087: Bug#736087: mysql-5.5: Please install AppArmor profile on Debian too

Kristian Nielsen knielsen at knielsen-hq.org
Tue Jan 21 11:18:10 UTC 2014 

intrigeri <intrigeri at debian.org> writes:

> Hi,
>
> Kristian Nielsen wrote (21 Jan 2014 09:18:05 GMT) :
>> In my experience, there are a lot of problems with installing an apparmor
>> profile by default for the MySQL server. This is from 4 years of experience
>> maintaining MariaDB .deb packages.
>
> Thank you for this very useful input. I want to contrast this with:
>
>   * Ubuntu has been enabling the MySQL profile by default since 8.04
>     LTS; perhaps we could ask them how much of a user support mess it
>     caused.
>
>   * Debian does not enable AppArmor by default. So, only people who
>     explicitly, and manually, enabled it themselves may be affected by
>     any problems caused by the MySQL AppArmor profile. My assumption
>     here is that these people are more knowledgeable about AppArmor,
>     and its potential adverse effects, than the averable Ubuntu +
>     MySQL user. In particular, I hope they would be able to 1.
>     guess that a particular problem might be caused by AppArmor; 2.
>     look at the system log to find out what exact action is blocked;
>     and 3. add stuff to /etc/apparmor.d/local/.
>
> What do you think?

I think those are valid arguments.

I think in the end, it comes down to whether one considers apparmor useful. I
can see the use for apparmor for running eg. proprietary desktop binaries like
adobe reader or something, to create a kind of sandbox. But for mysqld, I
don't see much use, only annoyances.

Others might have different opinions.

One thing that would be nice is if we could fix the problem that
mysql-test-run (the test suite) cannot be run when apparmor is enabled. Nor
can /usr/sbin/mysqld be run as a separate instance by a non-privileged user in
their own home directory (eg. for testing).

I am not very familiar with how apparmor works, but one option would seem to
be to introduce a wrapper /usr/sbin/mysqld_apparmor_wrapper that does nothing
but call execve() of /usr/sbin/mysqld. Then /etc/init.d/mysql could start the
wrapper, and the apparmor profile could be tied to the wrapper, and users
would be free to use /usr/sbin/mysqld for other purposes.

If supported by apparmor, another option might be to only have the
restrictions active when /usr/sbin/mysqld is running as the `mysqld' user.

Put another way, the problem is that the current apparmor profiles prevent a
number of perfectly valid ways to run /usr/sbin/mysqld. If that problem could
be solved, then maintaining apparmor profiles would become much more
attractive.

 - Kristian.

More information about the pkg-mysql-maint mailing list