[pkg-apparmor] Bug#843461: apparmor: Support usrmerge

Christian Boltz debian-bugs at cboltz.de
Tue Nov 8 14:58:36 UTC 2016


Hello,

Am Dienstag, 8. November 2016, 15:06:50 CET schrieb intrigeri:
> Christian: did OpenSUSE go through something like usrmerge? If you
> did, how did you handle it?

openSUSE moved lots of binaries, but not all, from /{s,}bin/ to 
/usr/{s,}bin/.

> Besides, they
> significantly increase policy compilation time.

I never benchmarked that - do you have some numbers?

> But I recommend against using alias rules by default, system-wide, in
> a distribution like Debian: they cause too much action at a distance
> and subtle breakage, which will make it hard for users to debug issues
> themselves, and for us to understand their bug reports.

Right. Shipping aliases _will_ confuse users and make things harder.

> So the only option I can think of is going through all profiles we
> ship, and making sure that every instance of /bin becomes /{usr/,}bin.

That's exactly what I did - for example, the /bin/ping profile became 
/{usr/,}bin/ping. These changes have all been in the upstream bzr for a 
long time.

To keep the profile names readable, I'd recommend using something like
    profile ping /{usr/,}bin/ping
(and yes, exactly for the ping example, I didn't do that ;-)

> This seems doable since we ship relatively few profiles, spread over
> a relatively small number of packages, and they contain few /bin/*
> permissions. A quick look at a sid system gives me these
> packages needing such changes: evince, apparmor-profiles-extra,
> libvirt-daemon-system, cups-daemon, apparmor-profiles, apparmor,
> telepathy-mission-control-5 (non-exhaustive list). Thankfully, this
> will benefit all other distros as well, and could even be done
> collaboratively if anyone other than Debian is interested :)

That reminds me of the profile repo which would make sharing profiles
and cross-contributions much easier ;-)

I know everybody is always busy etc., so maybe we can start with a small 
step like a place where I can find all profiles Debian ships at one 
location?

For openSUSE, I have the apparmor-profiles-collector package at
http://download.opensuse.org/repositories/home:/cboltz/openSUSE_Factory/noarch/ [1]
You can unpack the RPM package with   rpm2cpio $file | cpio -dium
or browse it using   mc   ;-)

Currently, I simply copy the profiles and record from which package they
come. If you are interested in my (trivial) script doing this, have a 
look at
https://build.opensuse.org/package/show/home:cboltz/apparmor-profile-collector

I'm sure it would be trivial to get "Debian" and "openSUSE" directories 
in the apparmor-profiles git repo. Even without all the metadata etc.
we discussed, this would be much more useful than the current state.


Regards,

Christian Boltz

[1] it will probably have to move to a separate repo so that it doesn't
    collect the profiles from the latest apparmor-profiles package in 
    this repo instead of the apparmor-profiles used in each
    distribution, but this "only" affects profiles from AppArmor bzr.

-- 
Life used to be simpler when apple and blackberry were just fruits!
[from https://bugzilla.novell.com/quips.cgi]
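The path rewrite discussed above (every plain /bin-style path becomes /{usr/,}bin/..., and the profile header gets a readable name as in "profile ping /{usr/,}bin/ping"), as an added example that is not part of the mail or of any apparmor-profiles package. The MERGED_DIRS list, the SAMPLE profile and the function names are constructed for this example; "#include" lines are left untouched, and a path written as /{bin,sbin}/foo is not recognised.

```python
import re

# Directories that usrmerge makes reachable under both / and /usr
# (constructed list; extend it for your distribution).
MERGED_DIRS = ("bin", "sbin", "lib", "lib64")

# A top-level /bin/, /sbin/, ... component that is neither under /usr/
# nor already written as the /{usr/,}bin/ alternation.
_PLAIN = re.compile(r"(?<![\w/])/(" + "|".join(MERGED_DIRS) + r")(?=/)")
# Bare-path profile header, e.g. "/bin/ping {" or "/bin/ping flags=(complain) {"
_HEADER = re.compile(r"^(/\S+)(\s+flags=\([^)]*\))?\s*\{\s*$")


def usrmerge_path(text: str) -> str:
    """Rewrite every plain /bin/... style path in text to /{usr/,}bin/..."""
    return _PLAIN.sub(r"/{usr/,}\1", text)


def rewrite_profile(profile: str) -> str:
    """Rewrite paths in a whole profile and give the profile a readable name.

    The header "/bin/ping {" becomes "profile ping /{usr/,}bin/ping {";
    comment and #include lines are left untouched.
    """
    out = []
    for line in profile.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            out.append(line)
            continue
        m = _HEADER.match(stripped)
        if m:
            path, flags = m.group(1), m.group(2) or ""
            name = path.rsplit("/", 1)[-1]
            out.append(f"profile {name} {usrmerge_path(path)}{flags} {{")
            continue
        out.append(usrmerge_path(line))
    return "\n".join(out) + "\n"


def unmerged_paths(profile: str) -> list:
    """Lines still referencing a plain /bin-style path (review checklist)."""
    return [l for l in profile.splitlines()
            if not l.strip().startswith("#") and _PLAIN.search(l)]


# Constructed sample profile, not a real shipped one.
SAMPLE = """#include <tunables/global>

/bin/ping flags=(complain) {
  #include <abstractions/base>
  /bin/ping mixr,
  /usr/bin/ping r,
  /{usr/,}bin/ping r,
  /etc/binaries/x r,
  /lib/x86_64-linux-gnu/*.so* mr,
}
"""
```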